ldap with Active Directory

#47647 (In Topic #10395)

Honoured member

Hello there,

I'm currently configuring my ocPortal at work. I noticed it could communicate with the
AD, but how can I be sure it works? That it checks the AD to see if that user exists there?

I did some searches here but didn't find any results.

Could someone help me with this?

PS. Is it possible to use the AD groups in here too, or am I asking too much? ;-)
#47666

Hi,

Check out the configuration. Hopefully that lays it all out. Essentially you configure LDAP, turn it on, and tell it you only want to use LDAP users. That should then do what you want. Groups work too. Tutorial.

Be a little bit aware we haven't tested it in a few years (it's not something many users have wanted in the past). But just report if there are any problems and we'll get them fixed!


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#47701

Honoured member

Hi Chris,

It seems it can communicate with the AD, but when I log in with an account I get the message "Invalid password".
I'm sure that I enter the right password.


PS. I'm not even sure if there is an LDAP server running, or don't you need that if you have AD?
When I go to Security -> LDAP I get this: LDAP: Partial results and referral received


Last edit: by boomerirc
#47704

Microsoft don't really mention it, but Active Directory is built on top of LDAP.

I'm afraid my knowledge of LDAP/AD is limited just to the basic configuration so I can't help a lot here. I can say the code is in the sources/ocf_ldap.php file. Search for 'cn=Users' and you'll see lots of references.

I think at least some of the 'directory' you mentioned above forms part of the configured 'base DN'. I'd be surprised if the users aren't filed under a cn of 'Users', but I did only test on one server.

I can say LDAP is a seriously weird technology. Active Directory might pretend it is a tree structure, but it's also like a database, and CNs are a weird combination between keys and tree paths.


#47706

Honoured member

Hmm, okay, then I'll have to look around on Google etc.

PS. I get the whole group list which is under Gebruikers/X (I changed "Users, Builtin" to "Gebruikers").
Now I have to find out how to get the user accounts working too.
#47708

Honoured member

Could you tell me which function will check the username with password?
#47709

ocf_ldap_authorise_login.

It doesn't directly check the password - it asks LDAP to do it ('bind' in LDAP terminology essentially means 'log in').


#47710

Honoured member

In that function you are referring to the username that was just entered via the form; it seems
you need an account that is authorized to bind with LDAP (e.g. an admin account, not the user account).

Of the variables that are given, $cn holds the username and $password (should) hold the password, but it seems it holds only
the character ! (I guess the $cn and $password should be the username + password entered through the configuration.)

I just entered my admin account + password there and now it says the user doesn't exist (I guess that is something
good from here).


ps. I don't want to take your time to setup a server to test this all. (You don't need to.)
#47711

Try changing this line of sources/forum/ocf.php:

Code

$test_auth=ocf_ldap_authorise_login($username,$password_hashed);

to:

Code

$test_auth=ocf_ldap_authorise_login($username,$password_raw);

As for the binding, it should work for any user. Some LDAP servers even allow something called 'anonymous binding', where it doesn't even need any credentials to access it. I just checked around for some code examples and they all seem to do it the same way. Could there be some kind of option on the AD server about this, or maybe it's just the above bug was the real cause?

A good way to debug through the code is to replace '@ldap_bind' with 'ldap_bind'. Then you'll see any error messages come through. We put the "@" there because OpenLDAP (not Active Directory) threw out irrelevant error messages.


#47725

Honoured member

Okay, I tried that. Without the @ I get this error:

Code

PHP WARNING [2] ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials (version: 4.1.5, PHP version: 5.2.8, URL: /site/index.php?page=login&type=login)

PS. When I put the domain before the username (domain\loginname) it doesn't give this error.

-edit-

I deleted another @ and I get this error from there:

Code

PHP WARNING [2] ldap_list() [function.ldap-list]: Search: Bad search filter (version: 4.1.5, PHP version: 5.2.8, URL: /site/index.php?page=login&type=login)


Last edit: by boomerirc
#47726

Oh, that's interesting - and good job working that out, it doesn't seem an obvious thing to try!

I am wondering if the AD server is not on the same domain as the users. My knowledge of Windows networks is a bit patchy though, I think you know more than I do.

It should be fairly easy to change the code to add "domain\" to the authorisation command(s).


#47727

boomerirc said

I deleted another @ and I get this error from there:

Code

PHP WARNING [2] ldap_list() [function.ldap-list]: Search: Bad search filter (version: 4.1.5, PHP version: 5.2.8, URL: /site/index.php?page=login&type=login)

I am guessing this bit needs the username to not have a slash in: 'cn='.utf8_encode(str_replace(',','',$cn)).


Back to the top
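Pulling together what this thread arrives at (the bind as the password check in #47709, passing the raw rather than hashed password and not hiding ldap_bind errors in #47711, the DOMAIN\user form in #47725, and the backslash breaking the cn filter in #47727), here is an added PHP example of an AD login check written from a defensive angle. It is not ocPortal's code: the host, base DN and NetBIOS domain are placeholders, the lookup uses sAMAccountName rather than ocPortal's cn, and the filter escaping is hand-written because ldap_escape() only arrived in PHP 5.6 (the thread's server runs 5.2.8).

```php
<?php
// Added example, not ocPortal's code. Placeholders: host, base DN, NetBIOS domain.

// Escape one value for an LDAP search filter (RFC 4515). ocPortal's
// 'cn='.str_replace(',','',$cn) only strips commas, so a backslash (DOMAIN\user),
// '*', '(' or ')' in the username yields "Bad search filter", and those same
// characters let a username change the filter's meaning. Hex-escaping fixes both.
function ad_filter_escape($value) {
    $out = '';
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        $c = $value[$i];
        if (strpos("\\*()", $c) !== false || ord($c) < 0x20 || ord($c) > 0x7e) {
            $out .= sprintf('\\%02x', ord($c));   // '\' -> \5c, '*' -> \2a, ...
        } else {
            $out .= $c;
        }
    }
    return $out;
}

// Check a username/password against AD. Returns the account's entry on success,
// or a string saying why it failed (no '@' suppression, so the reason is visible).
function ad_authorise_login($host, $base_dn, $netbios_domain, $user, $password_raw) {
    // A name with an empty password is an "unauthenticated" bind, which AD
    // accepts as anonymous: the bind would succeed without checking anything.
    if ($password_raw === '' || $user === '') {
        return 'empty username or password';
    }
    $conn = ldap_connect($host);             // e.g. 'ldaps://dc.example.local' (placeholder)
    if ($conn === false) {
        return 'bad LDAP URI';
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD otherwise answers with referrals
    // The bind is the password check, so it needs the raw password (not the
    // site's hash) and therefore a TLS-protected connection (ldaps:// or
    // ldap_start_tls()). DOMAIN\user is the form the thread found AD accepts.
    if (!ldap_bind($conn, $netbios_domain . '\\' . $user, $password_raw)) {
        $why = 'bind failed: ' . ldap_error($conn);   // e.g. "Invalid credentials"
        ldap_unbind($conn);
        return $why;
    }
    // Password proven; now fetch the account with a properly escaped filter.
    $filter = '(&(objectClass=user)(sAMAccountName=' . ad_filter_escape($user) . '))';
    $res = ldap_search($conn, $base_dn, $filter, array('mail', 'memberOf'));
    $entries = ($res === false) ? false : ldap_get_entries($conn, $res);
    $why = ($res === false) ? 'search failed: ' . ldap_error($conn) : null;
    ldap_unbind($conn);
    if ($entries === false || $entries['count'] !== 1) {
        return $why !== null ? $why : 'account not found or ambiguous';
    }
    return $entries[0];   // includes 'dn', 'mail' and 'memberof' (the user's groups)
}
```

Because the user's own bind is the check, the lookup afterwards only confirms the account exists once and fetches its groups; a bind failure returns the server's reason instead of the bare "Invalid password" the thread started with.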
 
#47729

Honoured member

Hey there Chris,

I think I don't know much more than you do (I still need to take the Win2k3 lessons at school), but I'm going
forward with the script :)

Now I get the following error:

Code

A parameter, SHOW_BOTTOM, is referenced in the template, FOOTER, but not passed
#47730

Honoured member

Hi Chris,

I resolved that one.

I deleted a line from source/forum/ocf.php

Code

$tpl->attach(do_template('FOOTER',array('_GUID'=>'29c1290997dc46871b8035ad5b4c8535','BOTTOM'=>'')));

That one I deleted and it works fine; it even finds my email from the AD :).

-Edit-

When I don't fill in the age I get an error about the missing parameter "dob_day"; when I do fill it in it works fine and
I get the message that cookies must be enabled etc. :cool:


Last edit: by boomerirc
#47731

Honoured member

Okay, another thing; maybe you can help me with this one also.

Code

PHP NOTICE [8] Undefined index: g_name_trans (version: 4.1.5, PHP version: 5.2.8, URL: /site/index.php?page=groups)
#47732

Check your mail (wherever the site-address of your website goes to) :).


#47734

Honoured member

Hi Chris,

Thanks for that, I didn't notice your mail :) (I forgot you get my call stacks)

I only have just one problem. When a new user logs in and wants to make the profile,
the date of birth isn't required; when you don't fill it in you get an error:

Code

A critical parameter, dob_day, was missing
#47735

This will be fixed in the next patch release. It's a bit of a tricky one.


#47736

Honoured member

Currently I'm trying to get the groups the user is in, only, as you probably have seen in your mail, I get
a MySQL error there :p

Code

Unfortunately a query has failed [SELECT g.*,t1.text_original AS g__name,t2.text_original AS g__title FROM ocp4_f_groups g LEFT JOIN ocp4_translate t1 ON g.g_name=t1.id LEFT JOIN ocp4_translate t2 ON g.g_title=t2.id WHERE g.id=] [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1] (version: 4.1.5, PHP version: 5.2.8, URL: /data/iframe.php?zone=site&wide_high=1&page=members&type=misc)
#47738

I'll need to see the stack trace for this. I'm not seeing any errors from your site at the moment as it's gone past the daily limit (we used to get a problem where a site might get corrupted somehow and send us 10,000 emails a day - so we put a throttle in).

