Author Topic: LDAP logout white screen  (Read 16865 times)

Akram

LDAP logout white screen
« on: August 11, 2010, 04:36:05 pm »
I installed FO 1.7 and enabled the LDAP function with Windows 2003 AD. For those of you having problems with AD, these are the settings I used to get AD user login working, including all the users in any OU:

      'binddn'    => 'CN=admin_user,CN=Users,DC=domain_part1,DC=domain_part2',
      'bindpw'    => 'user_pw',
      'port'      => 3268,
      'basedn'    => 'DC=domain_part1,DC=domain_part2',
      'host'      => 'ldap://domain_ip:3268',
      'password_encoding' => 'MD5',
      'uid'       => 'sAMAccountName'

There is one problem and one issue:
1- The problem is that logout ends with a white screen and does not even log out the user, so it keeps the user session alive even if you go to the main URL.
I am using LAMP turnkeylinux.org Ubuntu with Samba installed and registered in DNS and AD.

2- The issue is that the admin account is now an AD account, and for security reasons it should remain an FO account even if admin accounts are listed in the LDAP server. This is because AD admins are often not the same as FO admins, and in some cases they should not be the same at all. There is a solution for this: FO should check if the user is an admin, then verify the account locally or exit; otherwise continue the normal authentication check, whether LDAP is true or false.

markc

Re: LDAP logout white screen
« Reply #1 on: August 11, 2010, 05:16:28 pm »
Excellent! Thank you for this solution.

I and a few others had the AD login working, but several of us were limited to one OU!

That was on this topic:
http://forums.fengoffice.com/index.php?topic=4446.0

For anyone else coming across this, I'd like to mention that this apparently works because queries to the default LDAP port of 389 check a smaller portion of Active Directory than using the Global Catalog port of 3268. New to me, but great to know.

Here are some details on Microsoft's site about the difference:
http://technet.microsoft.com/en-us/library/cc978012.aspx ("Global Catalog and LDAP Searches")

As to your other points: 1. Try enabling debugging if you haven't already:
http://www.fengoffice.com/web/wiki/doku.php/debugging#switching_debugging_mode_on_off

2. Take a look at the second part of the second post on this page:
http://forums.fengoffice.com/index.php?topic=2821.0

^^ That deals with keeping the local admin user enabled. I'm not sure if that is exactly what you were looking for because I do not quite understand your #2 point. Could you clarify?

Thank you,
Mark

Akram

Re: LDAP logout white screen
« Reply #2 on: August 14, 2010, 09:46:35 am »
Thank you, markc, for your response.

Yes, I mean a solution for keeping FO admins local. I tried the solution posted in the forum, but it did not do it. It basically reroutes the password check to local for all users. It is equal to LDAP set to false.

I am still having the logout white screen; it is for admin accounts only, regular users are OK.

Akram

Re: LDAP logout white screen
« Reply #3 on: August 14, 2010, 05:59:18 pm »
I just figured out how to make FO admins local only and the rest LDAP. Just use this code at line 109 of AccessController.class.php:

         if ($config_ldap_is_set === true) {
             // Company admins are always checked against the local FO password
             if ($user->isCompanyAdmin(owner_company())) {
                 $userIsValidPassword = $user->isValidPassword($password);
             } else {
                 // Everyone else is checked against LDAP
                 $userIsValidPassword = $user->isValidPasswordLdap($username, $password, $config_ldap);
             }
         } else {
             $userIsValidPassword = $user->isValidPassword($password);
         }

I tested it and it works fine. I am a VB programmer, not a PHP one. FO seems to have lots of handy classes.

Thanks, FO team.

I just wish that the FO team would document these classes so someone can use them or produce a web service to enhance FO. FO is in real need of a web service, a plugin system, and more developer documentation.

cabeza

Re: LDAP logout white screen
« Reply #4 on: August 16, 2010, 10:34:55 am »
I just wish that the FO team would document these classes so someone can use them or produce a web service to enhance FO. FO is in real need of a web service, a plugin system, and more developer documentation.

We are aware, and starting to work on it. Help is welcome :) !

markc

Re: LDAP logout white screen
« Reply #5 on: August 16, 2010, 11:38:43 am »
Thank you, markc, for your response.

Yes, I mean a solution for keeping FO admins local. I tried the solution posted in the forum, but it did not do it. It basically reroutes the password check to local for all users. It is equal to LDAP set to false.

I am still having the logout white screen; it is for admin accounts only, regular users are OK.

I don't think it is quite the same as setting ldap to false, since I am able to log in with ldap users/passwords just fine with the patch I mentioned. It always takes me a minute to walk through the patch and remember the exact logic, but basically it only checks to make sure the local FO user exists, and then it doesn't actually try local login unless ldap login fails.

In my environment the only user that is local to FO but is not in ldap is the admin user, so that patch basically just turns the local admin user back on for me. It is true that all of my ldap users are also local FO users but it doesn't bother me because I had FO set random passwords, no one knows what they are, and ldap is being checked first.

I am glad you found a solution too though! Hopefully someone else who needs the same thing will come across it. :)

Mark

Akram

Re: LDAP logout white screen
« Reply #6 on: August 16, 2010, 08:05:51 pm »
markc, I see how your setup is working, I mean the patch so local FO and LDAP work at the same time. But what if admins are only local? In your situation, if LDAP fails, you can check against local. However, if the LDAP admin is just a normal user of FO and the FO admin is another guy, the LDAP admin can gain access as an FO admin easily by just adding the same FO admin user name into LDAP. I see this as a security problem.
On the other hand, it is going to be interesting to combine my approach and yours so you can check normal users/passwords against LDAP first, then local, and FO admins are only local. I will try to do that.

Akram

Re: LDAP logout white screen
« Reply #7 on: August 17, 2010, 11:21:16 am »
The code for making FO:
1- admins local only
2- if LDAP fails due to configuration, connection or a bad password/user, check local FO users

         // Company admins are checked against the local FO password only
         if ($user->isCompanyAdmin(owner_company())) {
             $userIsValidPassword = $user->isValidPassword($password);
         } else {
             // Other users: LDAP first (when configured), then fall back to the local FO password
             if (($config_ldap_is_set === true) && ($user->isValidPasswordLdap($username, $password, $config_ldap))) {
                 $userIsValidPassword = $user->isValidPasswordLdap($username, $password, $config_ldap);
             } else {
                 $userIsValidPassword = $user->isValidPassword($password);
             }
         }

markc

Re: LDAP logout white screen
« Reply #8 on: August 17, 2010, 02:07:16 pm »
markc, I see how your setup is working, I mean the patch so local FO and LDAP work at the same time. But what if admins are only local? In your situation, if LDAP fails, you can check against local. However, if the LDAP admin is just a normal user of FO and the FO admin is another guy, the LDAP admin can gain access as an FO admin easily by just adding the same FO admin user name into LDAP. I see this as a security problem.
On the other hand, it is going to be interesting to combine my approach and yours so you can check normal users/passwords against LDAP first, then local, and FO admins are only local. I will try to do that.

Ahhh. Now it clicks and I hope the devs do give this a bit of thought...

You don't want a username to be allowed to be an FO admin if they exist in AD/LDAP. I can see your concern. If I created an 'admin' account in AD I could override the one in FO. In my situation I don't care because our company is so small that I am one of only two people who could do this, but I could see it as an issue in larger companies...especially if you've got FO set to be looking through the entire user structure! I may try out your patch anyway though.

Thank you,
Mark

ed.aldridge

Re: LDAP logout white screen
« Reply #9 on: August 27, 2010, 07:26:39 am »
I installed FO 1.7 and enabled the LDAP function with Windows 2003 AD. For those of you having problems with AD, these are the settings I used to get AD user login working, including all the users in any OU:

      'binddn'    => 'CN=admin_user,CN=Users,DC=domain_part1,DC=domain_part2',
      'bindpw'    => 'user_pw',
      'port'      => 3268,
      'basedn'    => 'DC=domain_part1,DC=domain_part2',
      'host'      => 'ldap://domain_ip:3268',
      'password_encoding' => 'MD5',
      'uid'       => 'sAMAccountName'

Hi Akram

I'm curious about your LDAP settings. I don't seem to be able to get sign-on using LDAP to work at all; I have tried your config and logging in using an LDAP user does not work for me. Did you have to create the user in Feng first, or have you managed to get Feng to recognise an LDAP user?

Hope you can help!
Ed

martinpluss

Re: LDAP logout white screen
« Reply #10 on: September 05, 2010, 08:45:45 pm »
@Akram - thanks dude - your post really helped.

@Ed,
I have just gone through this on my 2003 AD controller. I used adsiedit.msc to help make sense of the dn/cn/ou business, which helped, as I was using Akram's bind statement and CN only works on the system Users OU; you need to use OU for ones you've made yourself.

I'm using the normal LDAP port (389), and user searching in OUs below my main company OU (i.e. users in nested OUs) works fine.

In answer to your question (apologies for rambling): yes, you need to have created the users in FO already before you can authenticate them against AD/LDAP. If I get a moment, I'll write a sync script to bulk-create users in a group from AD (i.e. FengUsers), which would be useful for this/me.

Good luck!

ed.aldridge

Re: LDAP logout white screen
« Reply #11 on: September 08, 2010, 07:10:18 am »
Hi Martin

Thanks for the clarification. How does Feng synchronise with AD if the user has to be created locally first? I don't understand how Feng uses AD credentials rather than local....

A script to sync AD would be a great help; even better would be proper authentication in Feng with AD so that user accounts can be created by AD users without having to create them locally or do bulk imports. I know it can be done, as I have had contact from Feng confirming it; it appears that they have just not added it to the community edition....

Thanks for your post and I would be grateful if you could keep me updated on your attempts to create an import script.
Ed

gman

Re: LDAP logout white screen
« Reply #12 on: September 23, 2010, 01:03:12 pm »
Great set of instructions. I was finally able to get AD authentication working and have the ability to log in with the non-AD / FengOffice admin user account. The port 3268 tip made a big difference. There are some other systems I use where I had been using port 389, which restricted AD logins. Glad to know that using port 3268 solves this issue.

One question: what would it take to allow both AD and FengOffice authentication? We may have users outside AD who are not going to be admins that may be in the system. We would need authentication for these users.
« Last Edit: September 23, 2010, 01:08:42 pm by gman »

gman

Re: LDAP logout white screen
« Reply #13 on: September 23, 2010, 01:37:57 pm »
I had asked:

One question: what would it take to allow both AD and FengOffice authentication? We may have users outside AD who are not going to be admins that may be in the system. We would need authentication for these users.

The answer:

The following modification allows me to chain the authentication.

First try as FengOffice user admin
Second try as AD user
Third try as FengOffice user

if ($config_ldap_is_set === true) {
    // 1. Company admins: local FO password only
    if ($user->isCompanyAdmin(owner_company())) {
        $userIsValidPassword = $user->isValidPassword($password);
    } elseif ($user->isValidPasswordLdap($username, $password, $config_ldap)) {
        // 2. Everyone else: the directory is tried first
        $userIsValidPassword = $user->isValidPasswordLdap($username, $password, $config_ldap);
    } else {
        // 3. Fall back to the local FO password
        $userIsValidPassword = $user->isValidPassword($password);
    }
} else {
    $userIsValidPassword = $user->isValidPassword($password);
}

I tried writing this other ways but kept getting the white screen. The code as I have it does not give the white screen. It has been tested successfully with both AD users and FengOffice users.

Akram

Re: LDAP logout white screen
« Reply #14 on: September 23, 2010, 06:35:17 pm »
gman,
Quick answer. Try this. I haven't tested it though.

   // Company admins: local FO password only
   if ($user->isCompanyAdmin(owner_company())) {
       $userIsValidPassword = $user->isValidPassword($password);
   } elseif (($config_ldap_is_set === true) && $user->isValidPasswordLdap($username, $password, $config_ldap)) {
       // Other users: LDAP first (when configured)
       $userIsValidPassword = $user->isValidPasswordLdap($username, $password, $config_ldap);
   } else {
       // ...then the local FO password
       $userIsValidPassword = $user->isValidPassword($password);
   }

This will allow even the LDAP users to log in with their FO or LDAP passwords. Watch out for a little trick: if a user is not listed in the domain, the user can be added to the domain and someone can use the LDAP password to log in, and the user doesn't know what is happening. This should be avoided.

To solve this:
1- We need to check whether the user account is domain or FO.
2- Modify the way the user changes the password to allow the user to change the domain password from FO.

I hope someone can help us with these two points. I will try to figure it out.
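To make the check-order argument running through this thread concrete, here is an added Python model (not Feng Office code) of the three orders discussed: the stock LDAP-only check, markc's LDAP-then-local patch, and the admins-local-only chain of Replies #7 and #13. The user names, passwords and store layouts are constructed; the model shows which orders let a directory account named `admin` open the FO company-admin account, and the Reply #14 caveat for FO-only users.

```python
"""Model of the login-check orderings in this thread. Added example, not Feng
Office code: it mirrors the PHP snippets' isCompanyAdmin / isValidPassword /
isValidPasswordLdap calls against constructed in-memory stores so the effect
of check order on the 'admin' username can be compared offline."""

# Constructed FO user table: name -> (local password, is company admin).
LOCAL_USERS = {
    "admin": ("local-admin-pw", True),
    "alice": ("random-local-pw", False),  # also in the directory
    "bob":   ("bob-local-pw", False),     # FO-only, not in the directory
}
# Constructed directory (AD) contents: name -> password. Note that a
# directory account reusing FO's admin username is present.
LDAP_USERS = {"alice": "alice-ad-pw", "admin": "ad-admin-pw"}


def is_company_admin(user, local):
    return local.get(user, ("", False))[1]

def is_valid_password(user, pw, local):
    return user in local and local[user][0] == pw

def is_valid_password_ldap(user, pw, ldap):
    return ldap.get(user) == pw


def check_ldap_only(user, pw, local=LOCAL_USERS, ldap=LDAP_USERS):
    """Stock order with LDAP configured: the directory decides for everyone."""
    return is_valid_password_ldap(user, pw, ldap)

def check_ldap_then_local(user, pw, local=LOCAL_USERS, ldap=LDAP_USERS):
    """markc's patch: directory first for everyone, local FO password if it fails."""
    return is_valid_password_ldap(user, pw, ldap) or is_valid_password(user, pw, local)

def check_admins_local_only(user, pw, local=LOCAL_USERS, ldap=LDAP_USERS):
    """Reply #7 / Reply #13: company admins use the FO password only; others
    go directory first, then local."""
    if is_company_admin(user, local):
        return is_valid_password(user, pw, local)
    return check_ldap_then_local(user, pw, local, ldap)


def admin_opened_by_directory(policy, ldap=LDAP_USERS):
    """Does the directory's 'admin' password open FO's company-admin account?"""
    return policy("admin", ldap["admin"], LOCAL_USERS, ldap)

def fo_only_user_after_directory_entry(policy, user="bob", pw="later-ad-pw"):
    """Reply #14's caveat: once a directory entry with an FO-only user's name
    exists, its password logs that user in under fall-through policies."""
    return policy(user, pw, LOCAL_USERS, dict(LDAP_USERS, **{user: pw}))
```

Only the admins-local-only order keeps the FO admin account out of the directory's hands; the FO-only user caveat applies to every order that falls through to LDAP.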