[Xerte-dev] LDAP authentication problems at EFC Resolved
Thomas Rochford
thomas.rochford at jiscadvance.ac.uk
Thu May 17 12:29:49 BST 2012
Hi Everyone,
I thought I'd drop a line to this list to report my success at Epping
Forest College yesterday in getting LDAP authentication to work properly. As
Ron and Pat are aware, this has been ongoing for some time, but yesterday I
got 1.7 to handle AD authentication, after addressing two issues.
The first was a possible misunderstanding on my part about the LDAP filter
entry. I'm still not clear where this is actually set! The Management page
shows
LDAP Main filter: sAMAccountName=
LDAP Second filter: cn=
The LDAP Table in the database shows
ldap_id 1
ldap_knownname
ldap_host 172.16.8.47
ldap_port
ldap_username XXXXXXX
ldap_password XXXXXXX
ldap_basedn OU= EFC_Users, DC=efc, DC=lan
ldap_filter sAMAccountName, objectclass, cn
ldap_filter_attr sAMAccountName
The SITEDETAILS Table shows
ldap_host 172.16.8.47
ldap_port
bind_pwd XXXXXXX
basedn OU= EFC_Users, DC=efc, DC=lan
bind_dn XXXXXXX (just a user name; not fully qualified - that didn't work
at all)
LDAP_preference sAMAccountName=
LDAP_filter cn=
So it looks as though the ldap_filter_attr field and the ldap_filter fields
may be mapping to the wrong variables in the source code, depending on where
it's reading its data from. I know I had to change them in the database as
well as the Management page.
The second issue was actually in the code in login_library.php. Sorting out
the above issue enabled the software to locate the user in AD, however it
was then unable to verify the password. The supplied code read as follows at
the entry point to the authenticate_to_host() function where I had to
replace this line:
$ldap_search_attr = array('firstname' => 'givenname', 'lastname' => 'sn');
With
$ldap_search_attr = array("sAMAccountName","objectclass","cn");
That then worked straightaway. Maybe, I didn't even need to change the
database entries?
I know the same line is used elsewhere in the code, but this was the one I
had to change at EFC.
I'm not quite sure what the current state of play is within the SVN as the
login_library.php appears to be devoid of any code as at revision 350? Or am
I missing something here?
Kindest regards, Thomas
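
Added example (not part of the original post and not Xerte's own code): a sketch of the search-then-bind flow the message describes, where the user is located with a sAMAccountName filter and the password is then verified by binding as the DN that was found. The function names and the $cfg keys are hypothetical, and it assumes PHP 7.1+ with the ldap extension.

```php
<?php
// Added example, not Xerte's login_library.php. Function names and $cfg keys
// are hypothetical. Requires PHP 7.1+ with the ldap extension (ldap_escape).

function build_user_filter(string $attr, string $username): string
{
    // Escape user input so filter metacharacters (* ( ) \ NUL) stay literal.
    return '(' . $attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
}

function ad_authenticate(array $cfg, string $username, string $password): ?array
{
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" (RFC 4513) that some servers accept, so reject it up front.
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect('ldap://' . $cfg['ldap_host']);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $user = null;
    // Step 1: bind as the service account and look the user up.
    if (@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pwd'])) {
        $filter = build_user_filter($cfg['filter_attr'], $username);
        $attrs  = array('sAMAccountName', 'objectclass', 'cn');
        $result = @ldap_search($conn, $cfg['basedn'], $filter, $attrs);
        $found  = $result ? ldap_get_entries($conn, $result) : array('count' => 0);
        // Step 2: exactly one match, then verify the password by binding as
        // that entry's DN.
        if ($found['count'] === 1 && @ldap_bind($conn, $found[0]['dn'], $password)) {
            $user = $found[0];
        }
    }
    ldap_unbind($conn);
    return $user;
}

// Constructed input: a username containing a filter metacharacter.
echo build_user_filter('sAMAccountName', 'j*smith'), PHP_EOL;
```

The attribute list passed to ldap_search() only controls which attributes come back; the entry's DN is always returned, and it is the second bind, not the attribute list, that checks the password.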