AuthenticationPluginLdap and

Daniel Park
Joined: 01 Jul 2009

AuthenticationPluginLdap and

Posted:02 Jul 2009 (00:17 UTC)
Not sure if this is the correct place to post but here goes.

I have seen a couple of posts about getting BitWeaver to authenticate against Active Directory. I have successfully managed to get this to work with a few modifications to AuthenticationPluginLdap. BTW I'm using the latest version pulled from CVS last week.

In function validate

After the block starting with:
if ( $this->mConfig['reqcert'] ) {

I added the following:
// added this as the correct name is start_tls and when tls is unchecked is null
if ( is_null($this->mConfig['tls']) == true) {
    $this->mConfig['start_tls'] = false;
}
else {
    $this->mConfig['start_tls'] = true;
}

// added this as when referrals is unchecked is null
if ( is_null($this->mConfig['referrals']) == true) {
    $this->mConfig['referrals'] = false;
}
else {
    $this->mConfig['referrals'] = true;
}

// added this to pull all properties from Active Directory
$this->mConfig['attributes'] = (array) null;

I replaced the line:
$attributes = $a->getAuthData('attributes');

with:
$attributes = $a->getAuthData();

I replaced the lines:
$this->mInfo["login"] = $attributes[ $this->mConfig['userattr'] ][0];
$this->mInfo["email"] = $attributes[ $this->mConfig['email'] ][0];
$this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']][0]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']][0];

with these:
$this->mInfo["login"] = $attributes[ $this->mConfig['userattr'] ];
$this->mInfo["email"] = $attributes[ $this->mConfig['email'] ];
$this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']];

In function getSettings

rename 'users_ldap_useroc' to 'users_ldap_userfilter' and changed the 'default' to '(objectClass=inetOrgPerson)'
rename 'users_ldap_groupoc' to 'users_ldap_groupfilter' and changed the 'default' to '(objectClass=groupOfUniqueNames)'

changed the type of 'users_ldap_memberisdn' to 'checkbox' and 'default' to 'n'

I guess it would help if I gave the settings that I used as well.

LDAP Host - someserver
LDAP Port - 389
Use Start-TLS? - unchecked
Skip the SSL Cert validation? - checked
Use Referrals? - unchecked
LDAP Base DN - dc=example,dc=com
LDAP User DN - ou=users
LDAP User Attribute - sAMAccountName
LDAP User E-Mail Address - mail
LDAP User Display Name - displayName
LDAP User OC - (objectClass=user)
LDAP Group DN - ou=somegroup
LDAP Group Attribute - sAMAccountName
LDAP Group OC - (objectClass=group)
LDAP Member Attribute - member
LDAP Member Is DN - checked
LDAP Bind DN - cn=some user,ou=somegroup,ou=users,dc=example,dc=com
LDAP Bind Pwd - secret
LDAP Scope to use when searching for users - sub

I have replaced some of these with dummy values.

I did notice that if a checkbox is unchecked then the value is set to null rather than false, and that the start_ is being stripped of start_tls.

Hope this helps someone somewhere.

Sorry for the long post.
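The post above describes the flow the plugin has to get right against Active Directory: normalise the checkbox settings (an unchecked box arrives as null), disable referral chasing, bind with the service account, search for the user, then check the user's own credentials. The following is an added example of that flow written directly against PHP's ext/ldap; it is not bitweaver's AuthenticationPluginLdap code and the host, DNs, bind account and the ad_authenticate() function name are assumed placeholders. Two points the thread's settings leave open are handled explicitly: with Start-TLS unchecked on port 389 the bind DN password and every user's password cross the network in cleartext, and "Skip the SSL Cert validation" would remove the check that makes TLS worth having, so the example keeps both on. It also refuses an empty password, because a bind with a DN and no password is an unauthenticated bind that succeeds, and escapes the login before it is placed in the search filter.

```php
<?php
// Added example, not bitweaver's AuthenticationPluginLdap: a minimal Active
// Directory login check with ext/ldap. Every value in $cfg is an assumed
// placeholder modelled on the settings posted in the thread.

// Unchecked checkboxes reach the plugin as null, so flags are cast with (bool).
$cfg = array(
    'host'       => 'ldap://someserver:389',   // assumed
    'start_tls'  => true,   // off means the bind and user passwords go in cleartext
    'reqcert'    => true,   // keep certificate validation on
    'referrals'  => false,  // AD returns referrals for a domain base DN; chasing them breaks binds
    'basedn'     => 'dc=example,dc=com',
    'userdn'     => 'ou=users',
    'userattr'   => 'sAMAccountName',
    'userfilter' => '(objectClass=user)',
    'email'      => 'mail',
    'name'       => 'displayName',
    'binddn'     => 'cn=some user,ou=somegroup,ou=users,dc=example,dc=com',
    'bindpw'     => 'secret',
);

// Returns array('login','email','real_name') on success, or an error string.
function ad_authenticate(array $cfg, $login, $password) {
    // 1. Refuse an empty password up front: LDAP treats "DN + empty password"
    //    as an unauthenticated bind that succeeds, which would log anyone in.
    if ($password === null || $password === '') {
        return 'empty password refused';
    }

    $ds = ldap_connect($cfg['host']);
    if (!$ds) {
        return 'ldap_connect rejected the URI';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, (bool) $cfg['referrals'] ? 1 : 0);

    if ((bool) $cfg['start_tls']) {
        // Per-connection certificate enforcement needs PHP >= 7.0.5.
        if ((bool) $cfg['reqcert'] && defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
            ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
        }
        if (!ldap_start_tls($ds)) {
            return 'start_tls failed: ' . ldap_error($ds);
        }
    }

    // 2. Bind with the service account to look the user up.
    if (!ldap_bind($ds, $cfg['binddn'], $cfg['bindpw'])) {
        return 'service bind failed: ' . ldap_error($ds);
    }

    // 3. Escape the login before it enters the filter (ldap_escape needs
    //    PHP >= 5.6); "*)(objectClass=*" would otherwise rewrite the query.
    $escaped = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $filter  = '(&' . $cfg['userfilter'] . '(' . $cfg['userattr'] . '=' . $escaped . '))';
    $base    = $cfg['userdn'] . ',' . $cfg['basedn'];
    $res = ldap_search($ds, $base, $filter, array($cfg['userattr'], $cfg['email'], $cfg['name']));
    if (!$res) {
        return 'search failed: ' . ldap_error($ds);
    }
    // 4. Exactly one match, otherwise the login is unknown or ambiguous.
    if (ldap_count_entries($ds, $res) !== 1) {
        ldap_unbind($ds);
        return 'user not found or not unique';
    }
    $entries = ldap_get_entries($ds, $res);
    $e = $entries[0];

    // 5. Re-bind as the user's own DN: this is the actual credential check.
    if (!ldap_bind($ds, $e['dn'], $password)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        return 'user bind failed: ' . $err;
    }
    ldap_unbind($ds);

    // ldap_get_entries lower-cases attribute names and wraps each value in an
    // array with a 'count' key, hence strtolower() and the [0] index.
    $get = function ($name) use ($e) {
        $k = strtolower($name);
        return isset($e[$k][0]) ? $e[$k][0] : '';
    };
    $realName = $get($cfg['name']);
    return array(
        'login'     => $get($cfg['userattr']),
        'email'     => $get($cfg['email']),
        'real_name' => $realName === '' ? $get($cfg['userattr']) : $realName,
    );
}

print_r(ad_authenticate($cfg, 'jdoe', 'user-supplied-password'));
```

The search is scoped to the user OU and constrained by the configured object-class filter, so a service account with read-only rights on that subtree is all the bind DN needs; the user's own bind in step 5 is what proves the password, and nothing is written back to the directory.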
Lester Caine
Joined: 24 Apr 2004

Re: AuthenticationPluginLdap and

Posted:02 Jul 2009 (17:23 UTC)
Daniel - send me a copy and I'll merge it with the CVS copy
Tochinet
Joined: 26 May 2010

Re: AuthenticationPluginLdap and

Posted:08 Jun 2010 (06:12 UTC)
Is there a document that explains (in simple terms) how to integrate with an LDAP / AD authentication method ?

I assume that the discussion above has been integrated in 2.7.1 ?
Lester Caine
Joined: 24 Apr 2004

Re: AuthenticationPluginLdap and

Posted:09 Jun 2010 (17:08 UTC)
Tochinet the only documentation is in the wiki. I have ldap authentication working, but it needs some manual assistance to mirror information back into the bw database for new users created in ldap. It does need a little more work especially for the AD variations.

AuthenticationPluginLdap
Tochinet
Joined: 26 May 2010

Re: AuthenticationPluginLdap and

Posted:11 Jun 2010 (07:13 UTC)
Thanks Lester,

I was stopped at the PEAR installation at the moment (proxy issues it seems). I'll first have to clear that out.

In the meantime, can you confirm the following :
- the "LDAP is broken in 2.6" remark does not apply to 2.7
- the first article in this thread, talking about a needed change in the 'validate' function has been integrated in 2.7 already.
Lester Caine
Joined: 24 Apr 2004

Re: AuthenticationPluginLdap and

Posted:15 Jun 2010 (10:47 UTC)
LDAP has been running with 2.7 so I think all that was wrong has been fixed, but it does still need some heavier testing.

With regards PEAR ... I still use my own copy of the PEAR files rather than trying to run pear update ;)
Faye Mitchell
Joined: 23 Aug 2010

Re: AuthenticationPluginLdap and

Posted:23 Aug 2010 (20:25 UTC)
I was wondering if anybody could help me with debugging an LDAP setup on bitweaver? Is there anywhere that I can see the local error messages returned by the LDAP authentication mechanism (I don't have access to the LDAP server)?

I'm trying to authenticate against an AD server and it's bombing out someplace and I'd like to be able to see where the problem is without having to hack the authentication code if it's at all possible. I've already discovered one oddity in that bitweaver only seems to be storing the first letter of the bind password.

I'm using v2.7 & 2.8 of bitweaver and I've had little joy on either.

Thanks

Faye
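The question above is about seeing where an AD login attempt fails without editing the plugin. One way to do that is a stand-alone probe that walks the same steps (connect, StartTLS, service bind, user search) and, after each failure, prints the client-side error together with the server's diagnostic message. The script below is an added example and not bitweaver code; host, DNs and the helper names ad_bind_reason() and fail() are assumed placeholders. When Active Directory rejects a bind it appends a "data NNN" subcode to the diagnostic message (for example "AcceptSecurityContext error, data 52e"), and the script decodes the common values so that "wrong password", "account disabled" and "user not found" can be told apart.

```php
<?php
// Added example, not bitweaver code: a command-line LDAP/AD probe
// (php ldapprobe.php [login]) that reports why each step failed.
// Host, DNs and the password source are assumed placeholders.

$host   = 'ldap://someserver:389';                                  // assumed
$binddn = 'cn=some user,ou=somegroup,ou=users,dc=example,dc=com';    // assumed
$bindpw = getenv('LDAP_BIND_PW');   // keeps the secret out of the script and shell history
$base   = 'ou=users,dc=example,dc=com';                             // assumed
$login  = isset($argv[1]) ? $argv[1] : 'jdoe';

// Maps the "data NNN" subcode Active Directory appends to a failed bind
// (e.g. "... AcceptSecurityContext error, data 52e, v2580") to a reason.
function ad_bind_reason($diag) {
    static $codes = array(
        '525' => 'user not found',
        '52e' => 'invalid credentials',
        '530' => 'not permitted to log on at this time',
        '531' => 'not permitted to log on at this workstation',
        '532' => 'password expired',
        '533' => 'account disabled',
        '701' => 'account expired',
        '773' => 'user must reset password',
        '775' => 'account locked out',
    );
    if (preg_match('/data ([0-9a-f]+)/i', $diag, $m)) {
        $code = strtolower($m[1]);
        return isset($codes[$code]) ? $codes[$code] : 'unknown AD subcode ' . $code;
    }
    return 'no AD subcode in diagnostic message';
}

// Prints why the last ext/ldap call on $ds failed, then stops.
function fail($ds, $step) {
    $diag = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {   // PHP >= 7.1
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    }
    fprintf(STDERR, "%s failed: errno %d (%s)\n", $step, ldap_errno($ds), ldap_error($ds));
    if ($diag !== '') {
        fprintf(STDERR, "  server says: %s\n  -> %s\n", $diag, ad_bind_reason($diag));
    }
    exit(1);
}

$ds = ldap_connect($host) or die("ldap_connect rejected URI $host\n");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// ldap_connect does not open a socket; a wrong host or port only shows up at
// the first real operation, as "Can't contact LDAP server" here.
ldap_start_tls($ds) or fail($ds, 'start_tls');
ldap_bind($ds, $binddn, $bindpw) or fail($ds, 'service bind');
echo "service bind ok as $binddn\n";

$filter = '(&(objectClass=user)(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
$res = ldap_search($ds, $base, $filter, array('mail', 'displayName')) or fail($ds, 'search');
printf("search %s under %s: %d entries\n", $filter, $base, ldap_count_entries($ds, $res));
foreach (ldap_get_entries($ds, $res) as $k => $e) {
    if ($k === 'count') { continue; }
    echo "  dn: " . $e['dn'] . "\n";
}
ldap_unbind($ds);
```

Running this with the same values that were entered in the plugin settings separates directory-side problems from application-side ones: if the service bind and search succeed here but the application still fails, the values the application actually uses (its stored bind DN and password, base DN and filter) are the next thing to compare against what was typed in.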