[Xerte] Configuration of LDAP authentication and the login_library.php file

Patrick Lockley Patrick.Lockley at nottingham.ac.uk
Thu May 21 14:36:59 BST 2009


It wasn't meant to replace login_library.

 

Please no one do that on a proper install.

 

It was a standalone LDAP tester, built around the toolkits code.

 

The unable to bind message is what you want though - in theory - it is
saying, this password is wrong.

 

Line 64 is what returns the entry array (the same one that you check on
line 185).

 

I've spent a while trying to replicate this, and it seems like it might
be that you've left ldap filter blank

 

Try setting 'dn' back, and changing your ldap filter to cn, or cn=

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 21 May 2009 13:20
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

 

Hello Pat,

 

Thanks for the script.

 

I initially commented out the first lines that set the
$xerte_toolkits_site-> values and used the file as a replacement for
login_library.php

 

This resulted in an "unable to bind" message for line 185.

 

I replaced the reference to 'dn' with sAMAccountName and then was logged
in to Xerte even though the password I supplied was incorrect, though
there was an "unable to bind" message then for line 64. I replaced the
'dn' reference again with a sAMAccountName and that ended any further
errors.

 

I then changed the $xerte_toolkits_site-> lines to echo out their
values.

All the values echoed out the matching values that are contained in the
database settings for the site.

 

I have deleted the server settings and dn values from the output below
so as not to make them public but the rest is as it was output.

 

It appears that the connection to ldap is working, the matching of the
entered username is correctly taking place and values from the LDAP
account are being returned, but that there is no check taking place of
the password, other than that one has been entered. So as long as you
enter a valid ldap account name you are in! Any ideas as to why this may
be happening will be most welcome.

 

Output starts with the value LDAP_preference, there is no value entered
in our database for LDAP_filter.

 

Kind regards

 

Johnathan

sAMAccountName
Array
(
    [count] => 0
)
 
Array
(
    [count] => 0
)
 
Array
(
    [count] => 0
)
 
Array
(
    [count] => 0
)
 
Array
(
    [count] => 1
    [0] => Array
        (
            [sn] => Array
                (
                    [count] => 1
                    [0] => Kemp
                )
 
            [0] => sn
            [givenname] => Array
                (
                    [count] => 1
                    [0] => Johnathan
                )
 
            [1] => givenname
            [count] => 2
            [dn] => CN=Johnathan Kemp, etc...
        )
 
)
 

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/> 
01785 355714

 

 

 

________________________________

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 20 May 2009 15:58
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

Hello,

 

So if you're using an LDAP password that means it's the same as we have
here, and ours works.

 

For reference - the "lighter" version is without the password.

 

I would imagine the problem has come with the changed code and how the
LDAP search occurs.

 

I've attached a script with a few more options in.

 

Basically you'll get LDAP error messages (they are usually suppressed)
and see the array LDAP returns.

 

Pat

 

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 20 May 2009 15:15
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

 

Hello Pat,

 

Sorry about missing the password bit.

 

On the ldap page displayed by management.php I have

 

An ldap password

The ldap base required to find the user accounts

The ldap bind that uniquely identifies the ldap account

ldap main filter set to sAMAccountName

No value set in the ldap second filter.

 

I copied the code from your authenticate_to_host function in
login_library.php and ran the code by setting variables to provide it
with the equivalent of the inputs the function expects

 

Once the code is edited to replace line 171 

      if(@ldap_bind($ds, $entry[0]['dn'], $password)) {

 

with

     if(@ldap_bind($ds, $entry[0]['sAMAccountName'], $password)) {

 

the code then executes returning true from line 179 

 

It only returns true if the LDAP password is correct and the value for
$toolkits_username is a valid ldap sAMAccountName.

It will return true if the value for $password is "", a wrong password, or
the correct password.

 

Is there any way I could be running the "lighter version" without
realising it?

 

Kind regards

 

Johnathan

 

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/> 
01785 355714
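The behaviour reported here (a valid account name logs in with a wrong or empty password) is what an LDAP check shows when ldap_bind() is reached with an empty password or with an undefined DN, both of which the server treats as an anonymous or unauthenticated bind that returns true; ldap_get_entries() also lowercases attribute keys, as the [givenname] key in the array dump earlier in the thread shows, so $entry[0]['sAMAccountName'] is never set. Below is an added example of a fail-closed version of the check, not Xerte's own login_library.php code. The host, base DN, service-account credentials and $login_attr are placeholder assumptions, and ldap_escape() requires PHP 5.6 or later.

```php
<?php
// Added example (not Xerte's login_library.php): an LDAP login check that
// fails closed. Assumptions: a service account ($bind_dn / $bind_pw) is
// allowed to search the directory, and $login_attr names the attribute the
// form username is matched against (e.g. sAMAccountName). Host, base DN and
// credentials below are placeholders.

function ldap_authenticate(string $host, int $port, string $bind_dn, string $bind_pw,
                           string $base_dn, string $login_attr,
                           string $username, string $password): ?string
{
    // 1. An empty password must never reach ldap_bind(): a DN with an empty
    //    password is an "unauthenticated bind", which many servers (Active
    //    Directory included) accept. That is the "any password lets you in"
    //    symptom described in this thread.
    if ($username === '' || $password === '') {
        return null;
    }

    $ds = ldap_connect($host, $port);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // 2. Locate the account with the service account, not with user input.
    if (!@ldap_bind($ds, $bind_dn, $bind_pw)) {
        ldap_close($ds);
        return null;
    }

    // 3. Escape the username before building the filter so that filter
    //    metacharacters ( * ( ) \ NUL ) cannot change what is searched for.
    $filter = sprintf('(%s=%s)', $login_attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr     = @ldap_search($ds, $base_dn, $filter, ['dn', 'givenname', 'sn']);
    $entry  = ($sr !== false) ? ldap_get_entries($ds, $sr) : false;

    // 4. Require exactly one match whose DN is a non-empty string. With a
    //    count of 0, $entry[0]['dn'] is undefined, and binding with an
    //    undefined DN is again an anonymous bind that "succeeds".
    if ($entry === false || $entry['count'] !== 1 || empty($entry[0]['dn'])) {
        ldap_close($ds);
        return null;
    }
    $user_dn = $entry[0]['dn']; // a string; attribute values such as
                                // $entry[0]['samaccountname'] are arrays

    // 5. Bind as the user with the supplied password: this is the real check.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_close($ds);
    return $ok ? $user_dn : null;
}

// Example call with placeholder values (returns the user's DN, or null):
// $dn = ldap_authenticate('ldap.example.invalid', 389,
//                         'CN=svc-xerte,OU=Service,DC=example,DC=invalid', 'svc-password',
//                         'DC=example,DC=invalid', 'sAMAccountName',
//                         $_POST['username'] ?? '', $_POST['password'] ?? '');
```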

 

 

 

________________________________

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 20 May 2009 13:36
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

Thank you Monaco

 

Are you using an LDAP password for the host, or the "lighter" version?

 

Yours

 

Terry

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 20 May 2009 09:24
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

 

OK the results of the Monaco jury are

 

No user name / No password = please enter your username and password

Username wrong / password wrong = sorry that password combination was
not correct

Username right / no password = please enter your password

Username right / wrong password = successful log in

 

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/> 
01785 355714

 

 

 

________________________________

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 19 May 2009 13:45
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

Are you supplying an LDAP password?

 

Try the following combos

 

No user name / No password

Username wrong / password wrong

Username right / no password

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 19 May 2009 13:45
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

 

Hello Pat,

 

Many thanks for your detailed reply. I will work through it and your
reply about Xerte setup after lunch.

 

I should just add that it appears, with respect to my having a working
LDAP login, that I spoke too soon :-(

 

With the original version of the login_library.php file I could not log
in at all.

 

When I changed it to use the sAMAccountName (the field that contains the
user name we use to login on our network) I was able to log on to my
Toolkits site. However it appears that the password is being ignored. As
long as a valid sAMAccountName is entered then you are in - whatever
password you use.

 

There is also an issue with the length of the user name accepted in the
login box, as the current settings are too small. I think this has
already been raised by someone else.

 

Any thoughts would be most appreciated.

 

Kind regards

 

Johnathan

 

 

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/> 
01785 355714

 

 

 

________________________________

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Patrick
Lockley
Sent: 19 May 2009 13:29
To: Xerte discussion list
Subject: RE: [Xerte] Configuration of LDAP authentication and the login_library.php file

Hello

 

Ignore the installer on that front. I need to change a line.

 

You need to separate the hosts with $$$ as the delimiter.

 

As a caveat this is new territory for an install. We've done a proof of
concept using two LDAP strings here, but never three. It should be
scalable, but there is also the situation at present that certain
features (peer review, lockfile emails when a shared template editor
window closes) are not guaranteed to work (early assumptions in the code
limit it).

 

I have been debating whether or not to store an email in the
logindetails table - but this requires altering that table and I am a
bit reluctant to do this before we release version 1.5. It is an
omission on my part, but it's one of those problems when developing open
source is how to keep the system relatively stable.

 

If you have a PHP developer person I would suspect these modifications
would take under an hour or so to make (I could tell you precisely what
to change). But you would have a slightly custom install for a few files
(index.php, website_code/php/peer/peer_review.php and
website_code/php/versioncontrol/template_close.php) and a slightly
different login_details table.

 

So for the LDAP

 

I would do 

 

Host1$$$Host2$$$Host3 for hosts

Port1$$$Port2$$$Port3 for ports

And so on for each variable for the LDAP settings (bind dn, basedn,
password).

 

Reiterating my lack of LDAP knowledge - I don't understand this to any
great level - sAMAccountName - appears to be a good default academic
value for searching. The case sensitivity issue has occurred before
with one install. Maybe I could resolve this with a PHP string function
of some nature.

 

I've had two people feedback on LDAP so far (hence number of
login_library bug fixes) but I am not sure how best to proceed. I have
been mulling over making a post installer test suite - including an LDAP
page to help people work out why their settings don't like the code. We
also have the issue that we can't predict how IT literate people
installing the code are. I think the installer does a pretty good job at
the moment, though I could see scope for it providing more support - but
these things all take time. It's also very likely a lot of people
installing the code won't care for LDAP as they'll be authenticating to
something else.

 

 

I am not aware of what the LDAP filters do, but the code needs them and
they are used in the LDAP filter function, so I called them LDAP filter
1 and LDAP filter 2. Not the most original or informative, but again, I
plead ignorance on this front. 

 

I could see a case that the LDAP function "learns", or maybe just uses
an if not statement on the givenName attribute. My worry would be how
many "given names" are there - what do our non-English (apologies for
taxonomy) LDAP usernames appear as? 

I don't think you've misunderstood anything either - we are just at the
very edge of the code here and I am grateful for your feedback.

 

I hope this helps.

 

Pat

 

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Johnathan
Kemp
Sent: 19 May 2009 12:55
To: xerte at lists.nottingham.ac.uk
Subject: [Xerte] Configuration of LDAP authentication and the login_library.php file

 

Hello Xerte Team,

 

I now have a Xerte On-line Toolkits site that I can log on to using
LDAP, but I had some fun getting it set up and would like to clarify a
couple of things.

 

In the site setup I have set up a single ldap host, however I would like
to have three, would the correct syntax be

 

999.999.999.999\n999.999.999.999\n999.999.999.999 

 

for this, using the \n as a separator of the IP addresses, rather than a
";" ?

 

Is it possible to specify more than one ldap base and if so would it be
correct to use "\n" as the separator between bases?

 

Is there somewhere in the setup that is intended to specify the LDAP
field that will be used in the login process, so that when a username is
entered in the login form it is matched to the correct LDAP field when
checking the user name and password against LDAP? I set "The first LDAP
filter is" box to sAMAccountName but found that the login_library.php
file was using the "dn" field to match against. It was only after
working my way back through the Xerte code that I found out why I could
not log on. I had to edit lines 48 and 171 of login_library.php to use
sAMAccountName rather than dn. Similarly lines 8 and 131 refer to
"givenname" whereas our LDAP field is "givenName" so I had to edit these
as well.

 

I have to admit I am not sure what your intended use is for the fields
in the set up "The first LDAP filter" and "The second LDAP filter".

 

How practical would it be to include in the LDAP set up fields for the
LDAP values that will be

a) matched to the user id entered at login

b) used to gather the user first name

c) used to gather the user last name

 

So that discrepancies between different systems can be accommodated
without the need to edit code?

 

Or have I misunderstood something?

 

Kind regards

 

Johnathan

Johnathan Kemp
IT Dev. Manager
Connexions Staffordshire
www.cxstaffs.co.uk <http://www.cxstaffs.co.uk/> 
01785 355714

 

 

________________________________

This email and any files transmitted with it are confidential and are
intended solely for the use of the individual(s) or entity(s) to whom
they are addressed. All messages are monitored for virus, high risk
files and inappropriate content. As a result users should be aware that
this mail maybe accessed, read and the right is reserved to reject,
return, remove attachments or delete if considered to be inappropriate
or unsuitable. Liability cannot be accepted for any loss or damage
arising from this email (or any attachments) or from scripts or any
virus transmitted. This communication represents the originator's
personal views and opinions, which do not necessarily reflect those of
Connexions Staffordshire. If you are not the original recipient or the
person responsible for delivering the email to the intended recipient,
be advised that you have received this email in error, and that any use,
dissemination, forwarding, printing, or copying of this email is
strictly prohibited. If you received this email in error, please
immediately reply to the sender or notify postmaster at cxstaffs.co.uk
Connexions Staffordshire Limited is registered in England No.4355170
Registered office: Foregate House, 70 Foregate Street, Stafford,
Staffordshire, ST16 2PX

