Author Topic: LDAP logout white screen  (Read 16859 times)

Akram

Re: LDAP logout white screen
« Reply #15 on: September 23, 2010, 06:35:17 pm »
geman
Quick answer. Try this. I haven't tested it, though.

   // Company admins always authenticate against the Feng Office password.
   if ($user->isCompanyAdmin(owner_company())) {
      $userIsValidPassword = $user->isValidPassword($password);
   // LDAP is configured and a bind with this username/password succeeded (checked once, not twice).
   } elseif (($config_ldap_is_set === true) && $user->isValidPasswordLdap($username, $password, $config_ldap)) {
      $userIsValidPassword = true;
   // Otherwise fall back to the local Feng Office password.
   } else {
      $userIsValidPassword = $user->isValidPassword($password);
   }

This will allow even the LDAP users to log in with their FO or LDAP passwords. Watch out for a little trick: if a user is not listed in the domain, the user can be added to the domain and someone can use the LDAP password to log in, and the user doesn't know what is happening. This should be avoided.

To solve this:
1- We need to check whether the user account is domain or FO.
2- Modify the way the user changes the password to allow the user to change the domain password from FO.

I hope someone helps us with these two points. I will try to figure it out.

Akram

Re: LDAP logout white screen
« Reply #16 on: September 23, 2010, 07:17:35 pm »
I am sorry for my spelling. Your name is gman (not geman).
Quote from my previous post: "
To solve this:
1- We need to check whether the user account is domain or FO.
2- Modify the way the user changes the password to allow the user to change the domain password from FO.

I hope someone helps us with these two points. I will try to figure it out."

I think I can answer the first question.

We need to add this class to the User.Class.php file:

   // Returns true only if exactly one LDAP entry matches the username (i.e. it is a domain account).
   function isValidUserLdap($user, $config) {
      require_once "Net/LDAP2.php";

      // Connect and bind using the configuration array (binddn, bindpw, basedn, host, ...):
      $ldap = Net_LDAP2::connect($config);
      if (PEAR::isError($ldap)) {
         return false;
      }

      // Search for entries whose uid attribute equals the given username.
      $filter = Net_LDAP2_Filter::create($config['uid'], 'equals', $user);
      $search = $ldap->search(null, $filter, null);
      if (Net_LDAP2::isError($search)) {
         return false;
      }

      // Exactly one match means the user exists in the domain; zero or several means it is not a domain account.
      return ($search->count() == 1);
   }

Then we can modify the previous authentication procedure:

   // Company admins always authenticate against the Feng Office password.
   if ($user->isCompanyAdmin(owner_company())) {
      $userIsValidPassword = $user->isValidPassword($password);
   // The account exists in the domain, so only the LDAP password is accepted.
   } elseif (($config_ldap_is_set === true) && $user->isValidUserLdap($username, $config_ldap)) {
      $userIsValidPassword = $user->isValidPasswordLdap($username, $password, $config_ldap);
   // Not a domain account: check the local Feng Office password.
   } else {
      $userIsValidPassword = $user->isValidPassword($password);
   }

This way we know whether the user is domain or FO only. I will test this class.

The second step is more challenging.

gman

Re: LDAP logout white screen
« Reply #17 on: September 24, 2010, 08:22:56 am »
Akram,

Thanks for the information. My method does allow AD users to use either the AD or FengOffice password.

I'm curious what you mean by this statement:
Quote
Watch out for a little trick: if a user is not listed in the domain, the user can be added to the domain and someone can use the LDAP password to log in, and the user doesn't know what is happening

I thought the FengOffice LDAP connector, like many other LDAP connectors I have encountered, is a read-only browsing connector. Plus, in my LDAP config I use a read-only account to bind to AD; the account has no write or change permissions. So how would it be possible to add someone to the domain?

The only advantage for the AD user to login with their FengOffice account is for something like the WEBDAV addon, which only uses FengOffice authentication. Otherwise the idea is to have users connect to the FengOffice web interface using the AD accounts first.

Akram

Re: LDAP logout white screen
« Reply #18 on: September 24, 2010, 12:30:45 pm »
"Watch out for a little trick: if a user is not listed in the domain, the user can be added to the domain and someone can use the LDAP password to log in, and the user doesn't know what is happening"

It means: if you register the user in the domain, that means there is one account that has two working passwords managed differently by two separate systems. For a small organization it may not mean anything. But for others, especially where the FO admin and the domain admins are not the same, it means a security problem.

Net/LDAP2 is a very large-scale class. It allows you to totally manage any LDAP.
I started to write a class for changing the LDAP password; this is what I have figured out so far:

   // Changes the LDAP password of the single entry matching $user. Returns true on success.
   function changeUserPWLdap($user, $password, $config) {
      require_once "Net/LDAP2.php";

      // Connect and bind using the configuration array:
      $ldap = Net_LDAP2::connect($config);
      if (PEAR::isError($ldap)) {
         return false;
      }

      // Find the user's entry by its uid attribute.
      $filter = Net_LDAP2_Filter::create($config['uid'], 'equals', $user);
      $search = $ldap->search(null, $filter, null);
      if (Net_LDAP2::isError($search)) {
         return false;
      }
      if ($search->count() != 1) {
         return false;
      }

      // entries() returns an array; take the single matching Net_LDAP2_Entry.
      $userEntries = $search->entries();
      $userEntry = $userEntries[0];

      // Replace the userPassword attribute locally, then write the change to the server once.
      $result = $userEntry->replace(array('userPassword' => $password));
      if (Net_LDAP2::isError($result)) {
         return false;
      }
      $result = $userEntry->update();
      if (Net_LDAP2::isError($result)) {
         return false;
      }
      return true;
   }

I am still searching for how to do it. Once this function is done, we can use it with the function I made, isValidUserLdap, to check in the process of changing the password. We insert the code before the password change takes place:
if isValidUserLdap, then we fire changeUserPWLdap and quit; otherwise we continue with the local password. I need help. Help will be appreciated.
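The routing described in Reply #16 and Reply #18 (decide once whether an account is a domain account, then authenticate and change passwords against that source only, so one account never has two live passwords), as an added example that is not Feng Office code or Akram's code. The directory and user table are constructed in-memory arrays standing in for Net_LDAP2 and the Feng Office database; all function names are assumptions.

```php
<?php
// Added example: one account, one authoritative password source.
// Constructed stand-in for the LDAP directory: uid => password (plain text only for this demo).
$ldapUsers = array('alice' => 'Ldap-Secret-1');
// Constructed stand-in for the Feng Office user table: username => password hash.
$foUsers   = array('alice' => sha1('Fo-Secret-1'), 'bob' => sha1('Bob-Secret-2'));

// Equivalent of isValidUserLdap(): does this username exist in the domain?
function isDomainAccount($username, array $ldapUsers) {
    return array_key_exists($username, $ldapUsers);
}

// Equivalent of isValidPasswordLdap(): would a bind with this password succeed?
function isValidPasswordLdap($username, $password, array $ldapUsers) {
    return isset($ldapUsers[$username]) && $ldapUsers[$username] === $password;
}

// Equivalent of the local isValidPassword() check against the Feng Office table.
function isValidPasswordLocal($username, $password, array $foUsers) {
    return isset($foUsers[$username]) && $foUsers[$username] === sha1($password);
}

// Authenticate against exactly one source, chosen by account type:
// a domain account is never accepted with a (possibly stale) local password.
function authenticate($username, $password, $ldapIsSet, array $ldapUsers, array $foUsers) {
    if ($ldapIsSet && isDomainAccount($username, $ldapUsers)) {
        return isValidPasswordLdap($username, $password, $ldapUsers);
    }
    return isValidPasswordLocal($username, $password, $foUsers);
}

// Route a password change to the system that owns the account, after proving the old password.
function changePassword($username, $oldPassword, $newPassword, $ldapIsSet, array &$ldapUsers, array &$foUsers) {
    if (!authenticate($username, $oldPassword, $ldapIsSet, $ldapUsers, $foUsers)) {
        return false;
    }
    if ($ldapIsSet && isDomainAccount($username, $ldapUsers)) {
        $ldapUsers[$username] = $newPassword;   // this is where changeUserPWLdap() would be called
        return true;
    }
    $foUsers[$username] = sha1($newPassword);   // local account: update only the Feng Office hash
    return true;
}

// Demo: alice is a domain account, so her old Feng Office password is rejected and only LDAP counts;
// bob has no domain entry and keeps using his local password.
var_dump(authenticate('alice', 'Fo-Secret-1', true, $ldapUsers, $foUsers));
var_dump(authenticate('alice', 'Ldap-Secret-1', true, $ldapUsers, $foUsers));
var_dump(changePassword('alice', 'Ldap-Secret-1', 'Ldap-Secret-2', true, $ldapUsers, $foUsers));
var_dump(authenticate('bob', 'Bob-Secret-2', true, $ldapUsers, $foUsers));
```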

ed.aldridge

Re: LDAP logout white screen
« Reply #19 on: September 27, 2010, 07:00:44 am »
Are you aware of any way to get Feng to automatically create a new user when an AD authenticated user logs in so that accounts don't have to be created manually on FO first?

Akram

Re: LDAP logout white screen
« Reply #20 on: September 27, 2010, 07:36:05 pm »
Net/LDAP2 is totally new to me. But it can be done through Net/LDAP2.

We have to build two or three functions using Net/LDAP2.
You can visit http://pear.php.net/package/Net_LDAP2/docs/latest/li_Net_LDAP2.html to see more on this.

sasuke

Re: LDAP logout white screen
« Reply #21 on: November 25, 2010, 12:19:14 pm »
Hi!!

I have problems with the LDAP configuration in my Feng Office. I configured ldap.config.php with these parameters:
<?php

  /**
  * ldap.config.example.php is a sample configuration file for LDAP authentication.
  * Rename it to ldap.config.php and change the values according to your environment.
  *
  * @author Luca Corbo <luca.corbo@2bopen.org>
  */

  // The configuration array:
  $config_ldap = array (
      'binddn'    => 'cn=admin,dc=dd,dc=es',
      'bindpw'    => 'mypassword',
      'basedn'    => 'ou=People,dc=dd,dc=es',
      'host'      => 'localhost',
      'uid'       => 'uid', // Change according to your settings to match the userid entry (trailing comma was missing)
      'starttls'  => false,
      'password_encoding'=>'MD5',
      'port'      => 389,
      'version' => 3,
  );
  return true;

?>

php5-ldap and php5-mysql are installed.

And when I enter my website and introduce the user name and password, Feng Office tells me "user or password is not correct". The location of the people information is in ou=People, and the variable for their id is uid. I think it's all correct but I have a problem connecting.

Another thing is that when I activate ldap.config.php I can't enter with the admin user... it's very strange.

Thanks for helping me and sorry for my bad English  :P

CheezItMan

Re: LDAP logout white screen
« Reply #22 on: April 18, 2011, 08:22:39 am »
Just checking if you had any luck with that creation script?

@Akram - thanks dude - your post really helped.

@Ed,
I have just gone through this on my 2003 AD controller. I used adsiedit.msc to help make sense of the dn/cn/ou business, which helped as I was using Akram's bind statement, and CN only works on the system Users OU; you need to use OU for ones you've made yourself.

I'm using the normal LDAP port (389) and user searching in OUs below my main company OU (i.e. users in nested OUs) works fine.

In answer to your question (apologies for rambling), yes, you need to have created the users in FO already before you can then authenticate them against AD/LDAP. If I get a moment, I'll write a sync script to bulk create users in a group from AD (i.e. FengUsers) which would be useful for this/me.

Good luck!