[Xerte] Re: Bug in XOT 1.7 ldap authentication

Thomas Rochford thomas.rochford at cambridge-serendipity.com
Sun Oct 23 21:44:01 BST 2011


Hi,

I've been able to get some more testing done on this and have now got the
following information via 'echo' statements in the login scripts. (NB the
actual value used by the institution has been replaced by 'zzz' and the
actual username by '1234'.) We're using XoT 1.7.

[config.php] xerte_toolkits_site->basedn: OU= Staff, OU= ZZZ_Users, DC=zzz,
DC=lan; Attempting authentication ...

// This shows that the basedn is being read correctly from the MySQL
database before the call to 'valid_login()' from index.php.

[login_library.php - valid_login()] host['ldap_basedn']: OU= Staff,OU=
ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_Users,DC=zzz,DC=lan;
OU=ZZZ_AdminAccounts,DC=zzz,DC=lan

// However, when the function is invoked the basedn has grown and now
includes the bind_dn (ZZZ_AdminAccounts).

[login_library.php - authenticate_to_host()] LDAP bind successful to
ldap://172.16.8.47

// The script thinks it is able to bind successfully to the internal
address of the LDAP server on the LAN (this is all that is required at
present).

     Search: 1234...

// The string '1234' has been substituted for the actual username sought,
for the purposes of this email.

     BaseDN: OU= Staff,OU= ZZZ_Users,DC=zzz,DC=lan;
OU=ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_AdminAccounts,DC=zzz,DC=lan

// The BaseDN has been handed over to the function as passed, although, of
course, it is still incorrect. The call is being made from the block at the
end of the routine which uses parameters grabbed from the MySQL database by
the following call
//
//            while($host = mysql_fetch_array($ldap_hosts))
//
// rather than reading them from the values already stored in
$xerte_toolkits_site->basedn.
//
// I'm not sure why this should be.

     Filter: sAMAccountName=1234

// ... and the Filter string is being passed correctly and has the correct
field 'sAMAccountName'.

[login_library.php - authenticate_to_host()] Login Failed (295)

// The username *IS* visible in the Active Directory tree, although not in
the AdminAccounts container - this is only used for the 'bind' account.
// However, the login is failing at this point.

I don't know much about Active Directory but I'm not sure how well it can
cope with multiple BaseDNs. Could this be why the search is failing?
How/where is the bind_dn getting attached to the base_dn?

Any help or suggestions would be really appreciated!

Kindest Regards,
Thomas
_____________________________________________
Eml:  thomas.rochford at cambridge-serendipity.com
Web:  http://www.cambridge-serendipity.com/
Skype: cambridge.serendipity
Mob: 07500 669 002
Fax: 01223 563142
Please consider your environmental responsibility before printing this e-mail

-----Original Message-----
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Pat Lockley
Sent: 22 September 2011 17:32
To: Xerte discussion list
Subject: [Xerte] Re: Bug in XOT 1.7 ldap authentication

ooops, if only it didn't say eureka_site I could have blamed someone else.

the ldap table should come in version 1.7?

Is your install without an ldap table (as this removes the $$$ ugliness)?
The installer should add one entry to the ldap table (if entered in the
installer).

I haven't got an ldap to test against anymore, but I would suggest altering
the code within valid login so as to leave authenticate to host valid in
case you switch to the ldap table (in future, assuming the same bug isn't
there).

Pat

On Thu, Sep 22, 2011 at 5:19 PM,  <C.J.Fryer at lse.ac.uk> wrote:

> Hello
> 
> I think I've found a bug in the LDAP Authentication code in Xerte
> Online Toolkits version 1.7.  When I try to log in with my LDAP
> credentials, I get a blank screen.  If I turn on error_reporting in
> config.php, I see the following errors in the log:
> 
> "PHP Warning:  Missing argument 9 for authenticate_to_host(), called
> in \xertenew\website_code\php\login_library.php on line 448 and
> defined in \xertenew\website_code\php\login_library.php on line 270"
> 
> "PHP Warning:  Missing argument 10 for authenticate_to_host(), called
> in \xertenew\website_code\php\login_library.php on line 448 and
> defined in \xertenew\website_code\php\login_library.php on line 270"
> 
> In our database, sitedetails.ldap_host contains a $$$-separated list
> of directory servers, rather than anything in a table called "ldap".
> So this places us in a particular branch within function valid_login().
> 
> Line 448 of website_code\php\login_library.php is:
> 
> $login_check = authenticate_to_host($host[$x],$port[$x],$bind_pwd[$x],$basedn[$x],$bind_dn[$x],$username,$password,$xerte_toolkits_site)
> 
> But the function authenticate_to_host on line 270 expects 10
> arguments, and they are in a different order:
> 
> function authenticate_to_host($host,$port,$bind_pwd,$bind_dn,$basedn,$ldap_filter,$ldap_filter_attr,$eureka_username,$password,$eureka_site)
> 
> I am not sure whether it would be better to modify valid_login() so it
> passes the correct arguments, or authenticate_to_host() itself, so the
> arguments are handled differently.
> 
> Chris
> 
> Please access the attached hyperlink for an important electronic
> communications disclaimer: http://lse.ac.uk/emailDisclaimer
> 
> _______________________________________________
> Xerte mailing list
> Xerte at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte
> 
> This message and any attachment are intended solely for the addressee and
> may contain confidential information. If you have received this message in
> error, please send it back to me, and immediately delete it. Please do not
> use, copy or disclose the information contained in this message or in any
> attachment. Any views or opinions expressed by the author of this email do
> not necessarily reflect the views of the University of Nottingham.
> 
> This message has been checked for viruses but the contents of an
> attachment may still contain software viruses which could damage your
> computer system: you are advised to perform your own checks. Email
> communications with the University of Nottingham may be monitored as
> permitted by UK legislation.
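Two things in the thread point at the same piece of code. Chris's warnings show valid_login() passing eight positional arguments to a ten-parameter authenticate_to_host(), with $basedn and $bind_dn in each other's positions; Thomas's trace shows a single ';'-joined string of three DNs being handed to the search as the base DN, whereas an LDAP search request carries exactly one base object, so such a string has to be split and each base searched in turn. The PHP below is an added example of how the $$$-list branch could call the ten-parameter function in the order of the 1.7 definition and search each base separately. It is not XOT's code and was not posted by anyone in this thread; the names xot_normalise_basedns(), xot_filter_value() and valid_login_via_ldap_lists(), and the ldap_port, ldap_bind_pwd, ldap_bind_dn, ldap_filter and ldap_filter_attr columns are assumptions made for the example (only sitedetails.ldap_host and basedn are named on the page). It also adds two checks any LDAP login path needs: an empty password is rejected before ldap_bind() is reached, because many directories (Active Directory by default) treat a DN with no password as an unauthenticated bind that returns success, and the username is escaped per RFC 4515 before it is placed in the sAMAccountName filter.

```php
<?php
// Added example, not XOT code; helper names and extra columns are assumptions.

// Split a ';'-joined base DN list into single DNs: ldap_search() takes one base
// per call. Whitespace around unescaped '=' and ',' (as in "OU= Staff") is dropped.
function xot_normalise_basedns($basedn_list)
{
    $out = array();
    foreach (explode(';', $basedn_list) as $dn) {
        $dn = trim(preg_replace('/\s*(?<!\\\\)([=,])\s*/', '$1', $dn));
        if ($dn !== '') {
            $out[] = $dn;
        }
    }
    return $out;
}

// RFC 4515 escaping for a value placed in a filter, so "*)(objectClass=*" stays data.
function xot_filter_value($value)
{
    if (function_exists('ldap_escape')) {                   // PHP >= 5.6
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(                                       // older PHP
        array('\\',   '*',    '(',    ')',    "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Parameter order is that of the XOT 1.7 definition quoted in the thread.
// $ldap_filter and $eureka_site are accepted but unused: the thread does not say
// what they hold, so no meaning is invented for them here.
function authenticate_to_host($host, $port, $bind_pwd, $bind_dn, $basedn,
                              $ldap_filter, $ldap_filter_attr,
                              $eureka_username, $password, $eureka_site)
{
    // An empty password must not reach ldap_bind(): with a DN and no password many
    // directories (Active Directory by default) do an unauthenticated bind that succeeds.
    if ($eureka_username === '' || $password === '') {
        return false;
    }
    // Accept either "172.16.8.47" or "ldap://172.16.8.47" as the host; port defaults to 389.
    $uri = (strpos($host, '://') === false ? 'ldap://' : '') . $host . ':' . ((int) $port ?: 389);
    $ds = ldap_connect($uri);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // AD refers to partitions it does not hold

    // Service-account bind; '@' suppresses the warning ldap_bind() emits on failure.
    if (!@ldap_bind($ds, $bind_dn, $bind_pwd)) {
        ldap_unbind($ds);
        return false;
    }

    // e.g. "(sAMAccountName=1234)"; look for exactly one entry under each base in turn.
    $filter  = '(' . $ldap_filter_attr . '=' . xot_filter_value($eureka_username) . ')';
    $user_dn = null;
    foreach (xot_normalise_basedns($basedn) as $base) {
        $sr = @ldap_search($ds, $base, $filter, array('1.1'));   // 1.1 = no attributes
        if ($sr && ldap_count_entries($ds, $sr) === 1) {
            $user_dn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));
            break;
        }
    }
    if ($user_dn === null) {
        ldap_unbind($ds);
        return false;
    }

    // Re-bind as the located user: this is the actual password check.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_unbind($ds);
    return $ok;
}

// The $$$-separated branch of valid_login(). Only ldap_host and basedn are named in
// the thread; the other columns are assumed, each a "$$$"-joined list indexed by host.
function valid_login_via_ldap_lists($username, $password, $site)
{
    $host     = explode('$$$', $site->ldap_host);
    $port     = explode('$$$', $site->ldap_port);
    $bind_pwd = explode('$$$', $site->ldap_bind_pwd);
    $bind_dn  = explode('$$$', $site->ldap_bind_dn);
    $basedn   = explode('$$$', $site->basedn);

    for ($x = 0; $x < count($host); $x++) {
        // Ten arguments, in definition order: host, port, bind_pwd, bind_dn, basedn,
        // filter, filter_attr, username, password, site (bind_dn before basedn).
        if (authenticate_to_host($host[$x], $port[$x], $bind_pwd[$x], $bind_dn[$x],
                                 $basedn[$x], $site->ldap_filter, $site->ldap_filter_attr,
                                 $username, $password, $site)) {
            return true;
        }
    }
    return false;
}
```

ldap_escape() exists from PHP 5.6 onwards; on the PHP versions current when this thread was written the str_replace() fallback is what runs. The example keeps the plain ldap:// of Thomas's trace because that is what the page shows, which means both the service-account password and the user's password cross the LAN in clear; in production the URI should be ldaps:// or ldap_start_tls() should be called straight after ldap_connect().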

 
