Author Topic: Active Directory Integration  (Read 21583 times)

ed.aldridge

  • Freshman
  • Posts: 16
Active Directory Integration
« on: July 12, 2010, 11:02:00 am »
Hi

I am having an issue getting the Active Directory integration to work. I am using the ldap.config.php file, and if I set the basedn option to my entire domain (e.g. dc=domain,dc=com) it doesn't work; however, if I set the basedn to include the OU that I am a member of (e.g. ou=it,dc=domain,dc=com) I am able to log in using my Active Directory credentials. Users outside of that OU and users that I have created in Feng are not able to log on.

I need it to search the entire tree not just one OU.

Also, is there any way to synchronise Active Directory into Feng? I would like to be able to import AD groups to assign permissions.

Server: Windows 2003
Web: IIS
PHP: 5

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #1 on: July 27, 2010, 06:21:08 pm »
I'm in the same boat. I tried using an AD group too, but it choked. We need it to try multiple OUs. This would make a great feature request, I just haven't gotten around to it.

ed.aldridge

  • Freshman
  • Posts: 16
Re: Active Directory Integration
« Reply #2 on: August 03, 2010, 05:15:33 am »
I would have thought this would be a standard setting; the AD integration seems a bit buggy to me. I don't like the fact that once I enable AD I can't log in using the local Feng admin account; I have to disable the AD integration before I can log in as an admin user.

I don't think that I am going to be able to use Feng Office because of these limitations.

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #3 on: August 03, 2010, 12:01:23 pm »
Don't rush off too fast! I believe a patch will be forthcoming for having multiple OUs. I'll write it myself if I have to.

As for your other issue, see post #2 here:
http://forums.fengoffice.com/index.php?topic=2821.0

The SECOND half of that post, as there are two patches he is talking about.

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #4 on: August 11, 2010, 05:20:53 pm »
Apparently this issue of only being able to use one OU has a solution. I tested the solution at this page http://forums.fengoffice.com/index.php?topic=4554.0 (connecting to AD on a different port) and it worked.

Actually I really only modified my base dn (removed the specific OUs) and tacked the new port number onto the host string and it worked. So there appears to be some flexibility as to how it is entered, as long as it is using the correct port.

HTH,
Mark

ed.aldridge

  • Freshman
  • Posts: 16
Re: Active Directory Integration
« Reply #5 on: August 20, 2010, 10:39:50 am »
Hi Mark

Sorry for the late response; I had no notification of new posts and had moved on to other projects. I have deleted my old ldap.config file and the new one I have is not working at all. Would you mind sending me or posting a sanitized version of yours so I can see what it looks like?

Thanks
Ed

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #6 on: August 20, 2010, 12:35:32 pm »
No problem. It is probably obvious, but do note that my binddn was not in the standard ou.


Quote
<?php

  /**
  * ldap.config.example.php is the sample configuration file for LDAP authentication.
  * Rename it to ldap.config.php and change the values according to your environment.
  *
  * @author Luca Corbo <luca.corbo@2bopen.org>
  */

  // The configuration array:
  $config_ldap = array (
      'binddn'    => 'cn=USER,ou=users,ou=dallas,dc=blahblahblah,dc=com',
      'bindpw'    => 'PASS',
      'basedn'    => 'dc=blahblahblah,dc=com',
      'host'      => 'blah-dc1.blahblahblah.com:3268',
      'uid'       => 'sAMAccountName' // Change according to your settings to match the userid attribute
  );
  return true;

?>

ed.aldridge

  • Freshman
  • Posts: 16
Re: Active Directory Integration
« Reply #7 on: August 23, 2010, 07:13:53 am »
Cheers Mark

I've used your template to recreate my ldap config but it still won't allow me to sign in using my AD credentials. Is there anything else I need to do to allow LDAP? Also, how do I turn on logging? I've tried searching the forum but there seems to be an issue with the search function: it fails and then returns no results.

Ed

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #8 on: August 23, 2010, 11:42:52 am »
-Set debug=true in config/config.php to have a log.

-Make sure the php-ldap library is installed.

-Remember that to log in as an LDAP user, that same user must exist as a local user in FO. I usually just create the new account with the random password option and set it not to email it to the user; so the local password remains unknown and unused.

hth,
Mark

ed.aldridge

  • Freshman
  • Posts: 16
Re: Active Directory Integration
« Reply #9 on: August 23, 2010, 11:50:52 am »
If you've created the user as a local user already, doesn't that defeat the object of using LDAP? I am pretty sure (not 100%) that when I set this up last month I did not set up my user account before logging in.

In every other system I've set up where you enable LDAP it removes the need to create local user accounts.  I have 150 users, I don't particularly want to have to create 150 user accounts on Feng...

Thanks for your help getting this set up but as I've said previously the LDAP set up on Feng seems really buggy, which is a shame because it is a great product.

markc

  • Freshman
  • Posts: 47
Re: Active Directory Integration
« Reply #10 on: August 23, 2010, 12:34:20 pm »
I've just pulled up the MySQL db for my test FO instance. If I change my local username there to something that does not exist, I can no longer log in, regardless of the fact that nothing has changed in LDAP.

I'm not a dev... but I suspect this is because LDAP is a recent addition to this project and at the end of the day it consists of nothing more than a few new functions to bind to LDAP to check the password. I tried modifying those functions and a few others and all I could get was newer and more exciting errors (which tells me I was in the right place, but that it isn't that simple).

When you try to set permissions on a workspace for user 'bob', or assign a task or milestone to him, or update the "last changed at/by" timestamp on a file when he edits it, all of those functions are still using the usernames and numbers from MySQL.

Unfortunately the ideal scenario in which FO keeps its data in MySQL for a list of nameless users that it trusts LDAP to provide seems like quite an undertaking and not something to expect in the short term.

If it helps any, /fengoffice/console.php lets you add local users at the command line. I used a slightly modified version of that script and an export of my AD data to create the local users and it has been perfectly seamless ever since.

hth,
Mark
« Last Edit: August 23, 2010, 12:36:01 pm by markc »

ed.aldridge

  • Freshman
  • Posts: 16
Re: Active Directory Integration
« Reply #11 on: August 23, 2010, 12:38:45 pm »
Way too much hassle for something which at the moment is a hobby project. What I can't understand is how I had it working last month but now can't get it to work at all... this is a new installation and I obviously deleted my old ldap config file, which I am beginning to regret! The config file you posted should work, but the problem I have now is that the logging doesn't appear to be working. Where would the log file appear if it is created?

The guy on the other post seems to have got it working as it should. I may have to re-read his post and see if I can spot what he did.

rokoboko

  • Newbie
  • Posts: 1
Re: Active Directory Integration
« Reply #12 on: February 16, 2011, 12:49:08 pm »
To make Feng Office version 1.7.3.1 on FreeBSD work with Active Directory I had to add an 'options' entry to the configuration.

<?php

  /**
  * ldap.config.example.php is the sample configuration file for LDAP authentication.
  * Rename it to ldap.config.php and change the values according to your environment.
  *
  * @author Luca Corbo <luca.corbo@2bopen.org>
  */

  // The configuration array:
  $config_ldap = array (
      'binddn'    => 'cn=admin,ou=users,dc=example,dc=org',
      'bindpw'    => 'password',
      'basedn'    => 'dc=example,dc=org',
      'host'      => 'ldap.example.org',
      'options'   => array('LDAP_OPT_REFERRALS' => 0), // do not chase AD referrals
      'uid'       => 'uid' // Change according to your settings to match the userid attribute
  );
  return true;

?>

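The two configs above fix the same failure from different angles: against port 389 a subtree search of the domain root makes AD return referrals that a simple bind cannot follow, so either query the Global Catalog on 3268 (markc's config) or tell the client not to chase referrals with LDAP_OPT_REFERRALS (rokoboko's config). The following command-line checker, an added example and not Feng Office's own code, walks the same service-bind, user-search and user-bind sequence the thread says the login code performs, with constructed placeholder values, so an administrator can see which step fails without the application's debug log.

```php
<?php
// Constructed example, not Feng Office code: exercises the same
// bind -> search -> bind-as-user sequence the thread describes so a
// failing AD login can be diagnosed from the CLI. The array mirrors the
// layout of ldap.config.php; all values are placeholders.
$config_ldap = array(
    'binddn'  => 'cn=svc-feng,ou=users,dc=example,dc=org',  // service account
    'bindpw'  => 'CHANGE-ME',
    'basedn'  => 'dc=example,dc=org',                        // whole domain, no OU
    'host'    => 'dc1.example.org:3268',                     // 3268 = Global Catalog
    'options' => array('LDAP_OPT_REFERRALS' => 0),           // do not chase referrals
    'uid'     => 'sAMAccountName',
);

// Escape a value for use in an LDAP search filter (RFC 4515) so that a
// crafted username such as "bob)(|(objectClass=*" cannot rewrite the filter.
function ldap_filter_escape($value) {
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

function ldap_check_login(array $cfg, $username, $password) {
    // AD treats a bind with an empty password as anonymous, which would "succeed".
    if ($password === '') { return 'refused: empty password'; }
    $uri = (strpos($cfg['host'], '://') === false) ? 'ldap://' . $cfg['host'] : $cfg['host'];
    $ds = ldap_connect($uri);
    if (!$ds) { return 'connect failed: ' . $uri; }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // 'options' keys are constant names, as in the sample config above.
    $opts = isset($cfg['options']) ? (array) $cfg['options'] : array();
    foreach ($opts as $name => $value) {
        ldap_set_option($ds, constant($name), $value);
    }
    if (!@ldap_bind($ds, $cfg['binddn'], $cfg['bindpw'])) {
        return 'service bind failed: ' . ldap_error($ds);
    }
    $filter = '(' . $cfg['uid'] . '=' . ldap_filter_escape($username) . ')';
    $sr = @ldap_search($ds, $cfg['basedn'], $filter, array('dn'));
    if (!$sr) { return 'search failed: ' . ldap_error($ds); }
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] !== 1) { return 'lookup returned ' . $entries['count'] . ' entries'; }
    $userdn = $entries[0]['dn'];
    $ok = @ldap_bind($ds, $userdn, $password);
    return $ok ? 'OK: authenticated as ' . $userdn : 'user bind failed: ' . ldap_error($ds);
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    echo ldap_check_login($config_ldap, $argv[1], $argv[2]), PHP_EOL;
}
```

Run it as `php ldapcheck.php <username> <password>`; a "search failed" result with the domain root as basedn on port 389 is the referral symptom the thread describes. On PHP 5.6 and later the built-in ldap_escape() can replace the escaping helper.
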
franponce87

  • Administrator
  • Hero Member
  • Posts: 1819
Re: Active Directory Integration
« Reply #13 on: February 16, 2011, 01:03:09 pm »
Hi rokoboko, welcome to Feng Office Forums!
Thanks for your tip, I am sure several users will find it useful in the future.

Best regards,
Francisco

mmccarn

  • Freshman
  • Posts: 33
Re: Active Directory Integration
« Reply #14 on: February 27, 2011, 01:25:31 pm »
-Remember that to log in as an LDAP user, that same user must exist as a local user in FO. I usually just create the new account with the random password option and set it not to email it to the user; so the local password remains unknown and unused.

The instructions from this topic worked perfectly for me to enable auto creation of users from Active Directory.