Authentication_by_LDAP (Windows Active Directory)


Postby mainbuzzb » Mon Aug 10, 2009 09:35

Hi all!

I would like to authenticate using ADS from a Windows domain controller to use NConf...
Is this possible? But I don't understand the information I should fill in to authentication.php.

Current settings:

define('LDAP_SERVER', "ldaps://DC-Server.our.domain");
define('LDAP_PORT', "389");
define('BASE_DN', "uid=<username>(????),ou=server-de,dc=dc-server,dc=our,dc=domain"); => what is uid for?
define('USER_REPLACEMENT', "<username>(????)"); => what should I set this?
define('GROUP_DN', "OU=Server,OU=Groups,OU=server-de,DC=dc-server,DC=our,DC=domain");
define('ADMIN_GROUP', "cn=SERVERNAME.NCONF.ADMINS");
define('USER_GROUP', "cn=sysadmin");

Could anybody help, please?

Thanks @ all

mainbuzzb
starter
Posts: 3
Joined: Fri Aug 07, 2009 20:32

Re: Authentication_by_LDAP (Windows Active Directory)

Postby agargiulo » Mon Aug 10, 2009 17:54

Hi.

I must admit, we have never tried authenticating NConf with MS AD.
The "ldap" authentication module is intended for a pam_ldap / nss_ldap compliant structure (DIT) as used for Unix systems. The structure should consist of two different trees, one for users and one for groups:

uid=john,ou=People,dc=mydomain,dc=com
ou=Group,dc=mydomain,dc=com

I guess if your AD meets these requirements and if it is LDAPv3 compliant, then authentication should work. But it has never been tested by us. I'm not sure how the user / group matching is done in AD.

The "<username>" is a placeholder, it's what NConf will replace with the username that you enter when you authenticate. You should leave it as default, just make sure the placeholder is in the proper position within the user dn:

uid=<username>,ou=People,dc=mydomain,dc=com ("<username>" will be replaced by "john")
agargiulo
NConf developer
Posts: 725
Joined: Fri Mar 06, 2009 17:50
Location: Zurich, Switzerland

Re: Authentication_by_LDAP (Windows Active Directory)

Postby mainbuzzb » Tue Aug 11, 2009 03:06

Hi,

thanks for the help, I now understand the <username> and so far it works...
but:

I tested with the following function in a little script, so I could see what happens:

********************************************************************************
<?php
// Connect and bind first (these setup lines were not part of the snippet as
// posted; host, bind user and password are placeholders)
$ldapconn = ldap_connect('ldap://ldapserver')
    or die("ldap connect failed");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ldapconn, 'domainname\username', 'PASSWORD')
    or die("ldap bind failed");

//Search the directory
$sr = ldap_search($ldapconn, "CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com", "(CN=USERNAME)")
    or die("ldap search failed");

//Create result set
$entries = ldap_get_entries($ldapconn, $sr)
    or die("function get_entries failed");

//Sort and print
echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";

for ($i = 0; $i < $entries["count"]; $i++)
{
    echo $entries[$i]["displayname"][0] . "<br />";
}

//never forget to unbind!
ldap_unbind($ldapconn);
********************************************************************************

But I get:

***********************
User count: 0

Users:
***********************

If I go to my shell directly and send the following command:

********************************************************************************
ldapsearch -x -b "CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com" -h ldapserver -D "domainname\username" -W | grep -i "CN=USERNAME"
********************************************************************************

I get:

********************************************************************************
member: CN=USERNAME,OU=TEST_FOLDER,OU=Support,OU=Users,OU=DE-SITE,DC=my,DC=dom,DC=com
********************************************************************************



So it looks great from the same Linux box (CentOS 5.3 Final), so what do I have to do to make your great script work?

Thank you in advance for your help!

greetz
mainbuzzb
starter
Posts: 3
Joined: Fri Aug 07, 2009 20:32

Re: Authentication_by_LDAP (Windows Active Directory)

Postby mainbuzzb » Tue Aug 11, 2009 21:34

Hi,

OK, now it is solved; using the ADS LDAP from Windows works.
I asked a Nagios consultant who has been working for us during the last weeks, and he was so kind to check it out and gave me a solution.
He told me that it's not so flexible because of some new LDAP options, but for us it will work; maybe you could take it and improve it
so that it is more flexible and not so static in the case of USERS_DN. I will only post the changes he has made:

authentication.php:

...

define('BASE_DN',          "<username>@my.domain.com");
define('USERS_DN',         "OU=TEST_ROOM,OU=Support,OU=Users,OU=DE-Site,DC=my,DC=domain,DC=com");
define('USER_REPLACEMENT', "<username>");
define('GROUP_DN',         "OU=Server,OU=Groups,OU=DE-Site,DC=my,DC=domain,DC=com");
define('ADMIN_GROUP',      "CN=NCONF.ADMINS");
define('USER_GROUP',       "CN=NCONF.USERS");

...



login_check.php:


...

if($ldap_response) {
    # If user login was successful, look for group
    # admins are in group : ADMIN_GROUP
    # normal nconf users are in group : USER_GROUP
    # all others do not have access

    $userfilter = "(userPrincipalName=".$ldap_user_dn.")";
    $userattrs = ldap_search($ldapconnection, USERS_DN, $userfilter);
    $userattrsresult = ldap_get_entries($ldapconnection, $userattrs);
    $userDistinguishedName = $userattrsresult[0]["distinguishedname"][0];
...schnip

    //$Admin_user_array = $results[0]["memberuid"];
    $Admin_user_array = $results[0]["member"];

...schnip

    //$Basic_user_array = $results[0]["memberuid"];
    $Basic_user_array = $results[0]["member"];

...schnip

    #Check if user is in Basic userlist
    #or in Admin userlist
    if (in_array($userDistinguishedName, $Admin_user_array) ){
        $_SESSION['group'] = GROUP_ADMIN;
        message($info, $_SESSION["group"].' access granted', "yes");
    }elseif (in_array($userDistinguishedName, $Basic_user_array) ){
        $_SESSION['group'] = GROUP_USER;
        message($info, $_SESSION["group"].' access granted', "yes");

...schnap




I think that's it...

Maybe you can use it to develop more flexible code and let users choose whether they use OpenLDAP or ADS LDAP; I hope it will be helpful,
and I want to say thank you for your great work!

greetz
mainbuzzb

mainbuzzb
starter
Posts: 3
Joined: Fri Aug 07, 2009 20:32
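The two posts above together describe the whole AD flow: bind with the UPN built from "<username>@my.domain.com", look the user's own DN up via userPrincipalName, then check that DN against the group's "member" attribute (which is also why the earlier test script printed "User count: 0": it searched for an entry named CN=USERNAME underneath the group, while the ldapsearch output shows the user only appears as a value of the group's member attribute). The block below is an added example for this thread, not NConf's code and not the consultant's patch. It keeps the same flow but adds what a reviewer would ask for: the username is escaped with ldap_escape() before it is placed in a filter (the snippet above concatenates it in directly), an empty password is refused before binding (AD treats a bind with a name and empty password as a successful anonymous bind), the group's member list is read with a base-scope ldap_read() on the group entry, and DNs are compared case-insensitively, since in_array() does a byte-exact match while AD DNs are not case-sensitive. Host name, UPN suffix, OUs and group DNs are constructed placeholders; it assumes PHP 7.1 or later (ldap_escape() needs 5.6, the nullable return type 7.1).

```php
<?php
// Added example (not NConf's own code): AD login + group check in the style of
// the thread above, with input escaping, an empty-password guard and
// case-insensitive DN comparison. All names below are constructed placeholders.

define('AD_URI',            'ldaps://dc.example.test');                         // assumption
define('AD_UPN_SUFFIX',     '@example.test');                                   // assumption
define('AD_USERS_DN',       'OU=Users,DC=example,DC=test');                     // assumption
define('AD_ADMIN_GROUP_DN', 'CN=NCONF.ADMINS,OU=Groups,DC=example,DC=test');    // assumption
define('AD_USER_GROUP_DN',  'CN=NCONF.USERS,OU=Groups,DC=example,DC=test');     // assumption

// AD DNs are case-insensitive and may carry whitespace around the commas,
// so normalise before comparing instead of relying on in_array().
function normalize_dn(string $dn): string {
    $parts = array_map('trim', explode(',', $dn));
    return strtolower(implode(',', $parts));
}

// True if $userDn is one of the DNs in $memberDns (after normalisation).
function dn_in_list(string $userDn, array $memberDns): bool {
    $needle = normalize_dn($userDn);
    foreach ($memberDns as $m) {
        if (normalize_dn($m) === $needle) {
            return true;
        }
    }
    return false;
}

// Build the userPrincipalName filter with the user-supplied part escaped,
// so characters such as '*', '(' or ')' cannot alter the filter.
function build_upn_filter(string $username): string {
    $upn = $username . AD_UPN_SUFFIX;
    return '(userPrincipalName=' . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . ')';
}

// Read the "member" attribute of one group entry (base scope, no subtree walk).
// Returns a plain list of member DNs; nested groups are NOT expanded.
function group_members($conn, string $groupDn): array {
    $sr = ldap_read($conn, $groupDn, '(objectClass=group)', ['member']);
    if ($sr === false) {
        return [];
    }
    $entries = ldap_get_entries($conn, $sr);
    if ($entries['count'] === 0 || !isset($entries[0]['member'])) {
        return [];
    }
    $members = $entries[0]['member'];
    unset($members['count']);            // ldap_get_entries() adds a 'count' key
    return array_values($members);
}

// Returns 'admin', 'user' or null (no access).
function ad_login_group(string $username, string $password): ?string {
    // Empty password => AD performs an unauthenticated bind that "succeeds".
    // The username character set is a local policy assumption for this example.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $username)) {
        return null;
    }
    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD referrals only slow the search down

    // Bind as the user with the UPN, as the thread's "<username>@my.domain.com" does.
    if (!@ldap_bind($conn, $username . AD_UPN_SUFFIX, $password)) {
        ldap_unbind($conn);
        return null;
    }

    // Resolve the user's DN: AD's "member" attribute holds DNs, not uids.
    $sr = ldap_search($conn, AD_USERS_DN, build_upn_filter($username), ['distinguishedname']);
    $entries = ($sr !== false) ? ldap_get_entries($conn, $sr) : ['count' => 0];
    if ($entries['count'] !== 1) {        // none or ambiguous: deny
        ldap_unbind($conn);
        return null;
    }
    $userDn = $entries[0]['distinguishedname'][0];

    $group = null;
    if (dn_in_list($userDn, group_members($conn, AD_ADMIN_GROUP_DN))) {
        $group = 'admin';
    } elseif (dn_in_list($userDn, group_members($conn, AD_USER_GROUP_DN))) {
        $group = 'user';
    }
    ldap_unbind($conn);
    return $group;
}
```

The caller maps 'admin' / 'user' onto the GROUP_ADMIN / GROUP_USER session values as login_check.php does. The one thing this deliberately does not do is expand nested groups: a user who is only a member of a group that is itself a member of NCONF.ADMINS is denied, which is the safer default for an admin role and matches the flat "member" check in the patch above.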

Re: Authentication_by_LDAP (Windows Active Directory)

Postby agargiulo » Mon Sep 07, 2009 17:02

Thank you for your input. We will analyze the changes and if possible try to integrate them into NConf.
I cannot tell how soon this can be realized. It has been added to the queue.

Thx, Angelo
agargiulo
NConf developer
Posts: 725
Joined: Fri Mar 06, 2009 17:50
Location: Zurich, Switzerland

Re: Authentication_by_LDAP (Windows Active Directory)

Postby fgander » Tue Nov 30, 2010 14:00

We have implemented Active Directory authentication.

If there is someone who wants to test it, please send a message!

Regards Fabian
F.G. - NConf developer
http://www.nconf.org
fgander
NConf developer
Posts: 308
Joined: Mon Mar 16, 2009 14:23
Location: Bern, Switzerland
