[Xerte] Re: Bug in XOT 1.7 ldap authentication
Pat Lockley
patrick.lockley at googlemail.com
Sun Oct 23 22:02:38 BST 2011
The base dn is where to search from
The bind dn is used when authenticating an account for secure ldap
I think
On 23 Oct 2011, at 21:44, "Thomas Rochford" <thomas.rochford at cambridge-serendipity.com> wrote:
> Hi,
>
> I've been able to get some more testing done on this and have now got the following information via 'echo' statements in the login scripts. (NB the actual value used by the institution has been replaced by 'zzz' and the actual username by '1234'). We're using XoT 1.7
>
> [config.php] xerte_toolkits_site->basedn: OU= Staff, OU= ZZZ_Users, DC=zzz, DC=lan; Attempting authentication ...
>
> // This shows that the basedn is being read correctly from the MySQL database before the call to 'valid_login()' from index.php.
>
> [login_library.php - valid_login()] host['ldap_basedn']: OU= Staff,OU= ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_AdminAccounts,DC=zzz,DC=lan
>
> // However when the function is invoked the basedn has grown and now includes the bind_dn (ZZZ_AdminAccounts)
>
> [login_library.php - authenticate_to_host()] LDAP bind successful to ldap://172.16.8.47 // The script thinks it is able to bind successfully to the internal address of the ldap server on the LAN (this is all that is required at present)
>
> Search: 1234...
>
> // The string '1234' has been substituted for the actual username sought for the purposes of this email
>
> BaseDN: OU= Staff,OU= ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_AdminAccounts,DC=zzz,DC=lan
>
> // The BaseDN has been handed over to the function as passed, although, of course, it is still incorrect // the call is being made from the block at the end of the routine which uses parameters grabbed from the mysql database by the following call
>
> // while($host = mysql_fetch_array($ldap_hosts))
>
> // rather than reading them from the values already stored in $xerte_toolkits_site->basedn.
>
> // I'm not sure why this should be
>
> Filter: sAMAccountName=1234
>
> // ... and the Filter string is being passed correctly and has the correct field 'sAMAccountName'.
>
> [login_library.php - authenticate_to_host()] Login Failed (295) // The username *IS* visible in the Active Directory tree although not in the AdminAccounts container - this is only used for the 'bind' account.
>
> // However the login is failing at this point
>
> I don't know much about Active Directory but I'm not sure how well it can cope with multiple BaseDNs. Could this be why the search is failing? How/where is the bind_dn getting attached to the base_dn?
>
> Any help or suggestions would be really appreciated!
>
> Kindest Regards,
> Thomas
> _____________________________________________
> Eml: thomas.rochford at cambridge-serendipity.com
> Web: http://www.cambridge-serendipity.com/
> Skype: cambridge.serendipity
> Mob: 07500 669 002
> Fax: 01223 563142
> Please consider your environmental responsibility before printing this e-mail
>
> -----Original Message-----
> From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Pat Lockley
> Sent: 22 September 2011 17:32
> To: Xerte discussion list
> Subject: [Xerte] Re: Bug in XOT 1.7 ldap authentication
>
> ooops, if only it didn't say eureka_site I could have blamed someone else.
>
> the ldap table should come in version 1.7?
>
> Is your install without an ldap table (as this removes the $$$ ugliness)? The installer should add one entry to the ldap table (if entered in the installer).
>
> I haven't got an ldap to test against anymore, but I would suggest altering the code within valid login so as to leave authenticate to host valid in case you switch to the ldap table (in future, assuming the same bug isn't there).
>
> Pat
>
> On Thu, Sep 22, 2011 at 5:19 PM, <C.J.Fryer at lse.ac.uk> wrote:
> > Hello
> >
> > I think I've found a bug in the LDAP Authentication code in Xerte
> > Online Toolkits version 1.7. When I try to log in with my LDAP
> > credentials, I get a blank screen. If I turn on error_reporting in
> > config.php, I see the following errors in the log:
> >
> > "PHP Warning: Missing argument 9 for authenticate_to_host(), called
> > in \xertenew\website_code\php\login_library.php on line 448 and
> > defined in \xertenew\website_code\php\login_library.php on line 270"
> >
> > "PHP Warning: Missing argument 10 for authenticate_to_host(), called
> > in \xertenew\website_code\php\login_library.php on line 448 and
> > defined in \xertenew\website_code\php\login_library.php on line 270"
> >
> > In our database, sitedetails.ldap_host contains a $$$-separated list
> > of directory servers, rather than anything in a table called "ldap".
> > So this places us in a particular branch within function valid_login().
> >
> > Line 448 of website_code\php\login_library.php is:
> >
> > $login_check = authenticate_to_host($host[$x],$port[$x],$bind_pwd[$x],$basedn[$x],$bind_dn[$x],$username,$password,$xerte_toolkits_site)
> >
> > But the function authenticate_to_host on line 270 expects 10
> > arguments, and they are in a different order:
> >
> > function authenticate_to_host($host,$port,$bind_pwd,$bind_dn,$basedn,$ldap_filter,$ldap_filter_attr,$eureka_username,$password,$eureka_site)
> >
> > I am not sure whether it would be better to modify valid_login() so it
> > passes the correct arguments, or authenticate_to_host() itself, so the
> > arguments are handled differently.
> >
> > Chris
> >
> > Please access the attached hyperlink for an important electronic
> > communications disclaimer: http://lse.ac.uk/emailDisclaimer
> >
> > _______________________________________________
> > Xerte mailing list
> > Xerte at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte
> >
> > This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
> >
> > This message has been checked for viruses but the contents of an
> > attachment may still contain software viruses which could damage your computer system:
> > you are advised to perform your own checks. Email communications with
> > the University of Nottingham may be monitored as permitted by UK legislation.
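Pat's distinction above (the base DN is where the search starts; the bind DN is the account the application itself binds as) and Thomas's trace are easiest to follow when the search-then-bind flow is run end to end. The following is an added example, not code from XOT or from anyone in this thread: a Python model of that flow against a small in-memory directory constructed for the purpose. The entry DNs reuse the anonymised OU=Staff,OU=ZZZ_Users,DC=zzz,DC=lan tree from the trace; the service account CN=svc-xerte and both passwords are invented, and the fake_bind/fake_search functions stand in for a real server. It shows why the ';'-joined value seen in the trace matches nothing when used as a base DN, why the sAMAccountName filter value has to be escaped before it is put into the filter, and why an empty password must be refused before binding rather than trusted to fail.

```python
"""Search-then-bind LDAP login against an in-memory stand-in directory.
Added example, not XOT code: bind as the service account, search under
base_dn for the user, then bind again as the DN found with the user's password."""
import hmac
import re

# Constructed stand-in for the directory. DNs reuse the anonymised tree from
# the thread; the service account name and both passwords are invented.
FAKE_DIRECTORY = {
    "CN=svc-xerte,OU=ZZZ_AdminAccounts,DC=zzz,DC=lan": {
        "sAMAccountName": "svc-xerte", "userPassword": "bind-secret"},
    "CN=1234,OU=Staff,OU=ZZZ_Users,DC=zzz,DC=lan": {
        "sAMAccountName": "1234", "userPassword": "correct horse"},
}
BIND_DN = "CN=svc-xerte,OU=ZZZ_AdminAccounts,DC=zzz,DC=lan"


def normalise_dn(dn):
    """Lower-case and drop whitespace around ',' and '=' so the 'OU= Staff, OU= ZZZ_Users'
    spelling from config.php compares equal to 'OU=Staff,OU=ZZZ_Users'."""
    rdns = [re.sub(r"\s*=\s*", "=", part.strip()) for part in dn.split(",")]
    return ",".join(rdns).lower()


def is_under(dn, base_dn):
    """Subtree scope: dn is base_dn itself or sits somewhere beneath it."""
    d, b = normalise_dn(dn), normalise_dn(base_dn)
    return d == b or d.endswith("," + b)


def escape_filter_value(value):
    """RFC 4515 escaping, so a username can never change the shape of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_filter(attr, username):
    return "(%s=%s)" % (attr, escape_filter_value(username))


def _value_regex(filter_value):
    """In a filter value an unescaped '*' is a wildcard, a '\\xx' hex escape is
    one literal character, and everything else matches itself."""
    def repl(m):
        if m.group(1):
            return re.escape(chr(int(m.group(1), 16)))
        return ".*" if m.group(0) == "*" else re.escape(m.group(0))
    return re.sub(r"\\([0-9a-fA-F]{2})|\*|.", repl, filter_value, flags=re.S)


def fake_search(base_dn, ldap_filter):
    """Subtree search for one '(attr=value)' filter; returns the matching DNs.
    Attribute names are compared case-insensitively, as LDAP does."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter, flags=re.S)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, pattern = m.group(1).lower(), _value_regex(m.group(2))
    hits = []
    for dn, attrs in FAKE_DIRECTORY.items():
        value = next((v for k, v in attrs.items() if k.lower() == attr), "")
        if is_under(dn, base_dn) and re.fullmatch(pattern, value, flags=re.S):
            hits.append(dn)
    return hits


def fake_bind(dn, password):
    """Simple bind. The empty-password check matters: many servers, Active Directory
    included, treat a DN with an empty password as an unauthenticated bind that
    succeeds, so the application must refuse it before asking the server."""
    if not password:
        return False
    for entry_dn, attrs in FAKE_DIRECTORY.items():
        if normalise_dn(entry_dn) == normalise_dn(dn):
            return hmac.compare_digest(attrs["userPassword"].encode(), password.encode())
    return False


def authenticate(bind_dn, bind_pwd, base_dn, filter_attr, username, password):
    """Return (ok, detail). Parameter names follow the authenticate_to_host()
    signature quoted in the thread; the order is this function's own."""
    if not fake_bind(bind_dn, bind_pwd):
        return False, "service account bind failed"
    hits = fake_search(base_dn, build_filter(filter_attr, username))
    if len(hits) != 1:
        return False, "expected exactly one entry under base DN, found %d" % len(hits)
    if not fake_bind(hits[0], password):
        return False, "user bind failed"
    return True, hits[0]


if __name__ == "__main__":
    good_base = "OU= Staff, OU= ZZZ_Users, DC=zzz, DC=lan"   # as printed from config.php
    grown_base = good_base + "; OU=ZZZ_Users,DC=zzz,DC=lan; OU=ZZZ_AdminAccounts,DC=zzz,DC=lan"
    for base in (good_base, grown_base):
        print(base, "->", authenticate(BIND_DN, "bind-secret", base, "sAMAccountName", "1234", "correct horse"))
    print("wildcard ->", authenticate(BIND_DN, "bind-secret", good_base, "sAMAccountName", "*", "x"))
    print("empty pwd ->", authenticate(BIND_DN, "bind-secret", good_base, "sAMAccountName", "1234", ""))
```

Against a real server the two fake_* functions become ldap_bind() and ldap_search() calls, and escape_filter_value() corresponds to PHP's ldap_escape($username, '', LDAP_ESCAPE_FILTER). The base DN must be one DN: the ';'-joined list from the trace is not a DN at all, so nothing in the tree is "under" it and the search returns no entry, which is the failure Thomas sees regardless of whether the bind itself succeeded.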