Topics - mmccarn

1
Feng Office 2 / LDAP Authentication in fengoffice 2.0beta2
« on: November 02, 2011, 09:38:24 am »
Attempting to use LDAP authentication in fengoffice 2.0beta2 generates the following error in my system's '/var/log/messages':

PHP Fatal error:  Call to undefined method Contact::isValidPasswordLdap() in <FENGROOT>/application/controllers/AccessController.class.php on line 115

To fix this, I added the 'isValidPasswordLdap' function from the ldap 1.6.2 patch into <FENGROOT>/application/models/contacts/Contact.class.php, which eliminated the above error.

That is, after applying the patch described below, I can authenticate pre-created users against an LDAP server as defined in <FENGROOT>/config/ldap.config.php.

diff -u application/models/contacts/Contact.class.php.2.0beta2 application/models/contacts/Contact.class.php produces the following output:

--- application/models/contacts/Contact.class.php.2.0beta2      2011-11-02 08:18:45.000000000 -0400
+++ application/models/contacts/Contact.class.php       2011-11-02 08:22:11.000000000 -0400
@@ -461,6 +461,44 @@
                return sha1 ( $this->getSalt () . $check_password ) == $this->getToken ();
        } // isValidPassword

+        /**
+         * Check if $check_password is valid LDAP user password
+         *
+         * @param string $check_password
+         * @return boolean
+         */
+        function isValidPasswordLdap($user, $password, $config) {
+
+                // Connecting using the configuration:
+                require_once "Net/LDAP2.php";
+
+                $ldap = Net_LDAP2::connect($config);
+
+                // Testing for connection error
+                if (PEAR::isError($ldap)) {
+                    return false;
+                }
+                $filter = Net_LDAP2_Filter::create($config['uid'], 'equals', $user);
+                $search = $ldap->search(null, $filter, null);
+
+                if (Net_LDAP2::isError($search)) {
+                    return false;
+                }
+
+                if ($search->count() != 1) {
+                    return false;
+                }
+
+                // User exists so we may rebind to authenticate the password
+                $entries = $search->entries();
+                $bind_result = $ldap->bind( $entries[0]->dn(), $password);
+
+                if (PEAR::isError($bind_result)) {
+                        return false;
+                }
+                return true;
+        } // isValidPasswordLdap
+

        /**
         * Check if $twisted_token is valid for this user account
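Review bot: the bind at `$bind_result = $ldap->bind( $entries[0]->dn(), $password);` is reached with whatever $password the caller passed in, and a bind with a DN plus an empty password is treated by many directory servers as an anonymous (unauthenticated) bind that succeeds, so as written the function can return true for any existing account when a blank password is submitted; add an explicit `if ($password === '') { return false; }` (or a `strlen` check) before the bind. Secondary points: the docblock still describes the 1.6.2 signature (`@param string $check_password`) while the function takes ($user, $password, $config), so it should be updated, and the error checks mix `PEAR::isError` and `Net_LDAP2::isError` where one form would do.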

2
History
======
My mail server (Kerio) reports the availability of both CRAM-MD5 and DIGEST-MD5.  However, neither of these will work for the one Active-Directory-Integrated domain on the mail server.  (Basically, the mail server reports that these auth methods are available, but they cannot possibly work for *my* domain, even though they do work for other domains on the same server).

If I set up email accounts in Feng Office, the system hangs trying to log in to the mail server, attempting to connect using Digest-MD5.  I have to restart httpd to recover after attempting any sort of connection to my mail server.

Question
========
So - does anyone know how to modify either PEAR or Feng Office to prevent any attempt to use DIGEST-MD5 or CRAM-MD5 for email authentication?

Or - can anyone point me in the right direction?

I've tried deleting library/PEAR/Auth/SASL/CramMD5.php and library/PEAR/Auth/SASL/DigestMD5.php - this just throws 'missing file' errors.

I've tried editing library/PEAR/Auth/SASL.php to use Plain.php for 'crammd5' and 'digestmd5' auth methods - this doesn't give any errors, but it doesn't work, either.

Any help would be greatly appreciated.
