Hi all!
I would like to authenticate by using ADS from a Windows domain controller to use NConf...
Is this possible? I don't understand the information I should fill in authentication.php.
Current settings:
define('LDAP_SERVER', "ldaps://DC-Server.our.domain");
define('LDAP_PORT', "389");
define('BASE_DN', "uid=<username>(????),ou=server-de,dc=dc-server,dc=our,dc=domain"); => what is uid for?
define('USER_REPLACEMENT', "<username>(????)"); => what should I set this?
define('GROUP_DN', "OU=Server,OU=Groups,OU=server-de,DC=dc-server,DC=our,DC=domain");
define('ADMIN_GROUP', "cn=SERVERNAME.NCONF.ADMINS");
define('USER_GROUP', "cn=sysadmin");
Could anybody help, please?
Thanks @ all
mainbuzzb
Authentication_by_LDAP (Windows Active Directory)
- agargiulo
- NConf developer
- Posts: 725
- Joined: Fri Mar 06, 2009 17:50
- Location: Zurich, Switzerland
Re: Authentication_by_LDAP (Windows Active Directory)
Hi.
I must admit, we have never tried authenticating NConf with MS AD.
The "ldap" authentication module is intended for a pam_ldap / nss_ldap compliant structure (DIT) as used for Unix systems. The structure should consist of two different trees, one for users and one for groups:
uid=john,ou=People,dc=mydomain,dc=com
ou=Group,dc=mydomain,dc=com
I guess if your AD meets these requirements and if it is LDAPv3 compliant, then authentication should work. But it has never been tested by us. I'm not sure how the user / group matching is done in AD.
The "<username>" is a placeholder, it's what NConf will replace with the username that you enter when you authenticate. You should leave it as default, just make sure the placeholder is in the proper position within the user dn:
uid=<username>,ou=People,dc=mydomain,dc=com ("<username>" will be replaced by "john")
A.G. - NConf developer - http://www.nconf.org
If you like NConf,
rate it here: https://sourceforge.net/projects/nconf/reviews/
or here: http://exchange.nagios.org/directory/Ad ... nf/details
Re: Authentication_by_LDAP (Windows Active Directory)
Hi,
thanks for the help, I now understand the <username> and so far it works...
but:
I tested with the following function in a little script, so I could see what happens:
********************************************************************************************************************************************************************
//Search the directory
$sr = ldap_search($ldapconn,"CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com", "(CN=USERNAME)")
or die ("ldap search failed ");
//Create result set
$entries = ldap_get_entries($ldapconn, $sr)
or die("function get_entries failed");
//Sort and print
echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";
for ($i=0; $i < $entries["count"]; $i++)
{
echo $entries[$i]["displayname"][0]."<br />";
}
//never forget to unbind!
ldap_unbind($ldapconn);
********************************************************************************************************************************************************************
But I get:
***********************
User count: 0
Users:
**********************
If I go to my shell directly and send the following command:
*********************************************************************************************************************************************************************************************************
ldapsearch -x -b "CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com" -h ldapserver -D "domainname\username" -W | grep -i "CN=USERNAME"
*********************************************************************************************************************************************************************************************************
I get:
****************************************************************************************************************************
member: CN=USERNAME,OU=TEST_FOLDER,OU=Support,OU=Users,OU=DE-SITE,DC=my,DC=dom,DC=com
****************************************************************************************************************************
So it looks great from the same Linux box (CentOS 5.3 Final), so what do I have to do to get your great script going?
Thank you in advance for your help!
greetz
mainbuzzb
Re: Authentication_by_LDAP (Windows Active Directory)
Hi,
OK, now it is solved; using ADS LDAP from Windows works.
I asked a Nagios consultant who has been working for us the last few weeks, and he was so kind as to check it out and gave me a solution.
He told me that it's not so flexible because of some new LDAP options, but for us it will work; maybe you could take it and improve it,
so that it is more flexible and not so static in the case of USERS_DN. I will only post the changes he has made:
authentication.php:
...
define('BASE_DN', "<username>@my.domain.com");
define('USERS_DN', "OU=TEST_ROOM,OU=Support,OU=Users,OU=DE-Site,DC=my,DC=domain,DC=com");
define('USER_REPLACEMENT', "<username>");
define('GROUP_DN', "OU=Server,OU=Groups,OU=DE-Site,DC=my,DC=domain,DC=com");
define('ADMIN_GROUP', "CN=NCONF.ADMINS");
define('USER_GROUP', "CN=NCONF.USERS");
...
login_check.php:
...
if($ldap_response) {
# If user login was successful, look for group
# admins are in group : ADMIN_GROUP
# normal nconf user are in group : USER_GROUP
# all other do not have access
$userfilter = "(userPrincipalName=".$ldap_user_dn.")";
$userattrs = ldap_search($ldapconnection, USERS_DN, $userfilter);
$userattrsresult = ldap_get_entries($ldapconnection, $userattrs);
$userDistinguishedName = $userattrsresult[0]["distinguishedname"][0];
...schnip
//$Admin_user_array = $results[0]["memberuid"];
$Admin_user_array = $results[0]["member"];
...schnip
//$Basic_user_array = $results[0]["memberuid"];
$Basic_user_array = $results[0]["member"];
...schnip
#Check if user is in Basic userlist
#or in Admin userlist
if (in_array($userDistinguishedName, $Admin_user_array) ){
$_SESSION['group'] = GROUP_ADMIN;
message($info, $_SESSION["group"].' access granted', "yes");
}elseif (in_array($userDistinguishedName, $Basic_user_array) ){
$_SESSION['group'] = GROUP_USER;
message($info, $_SESSION["group"].' access granted', "yes");
...schnap
I think that's it...
Maybe you can use it to develop more flexible code and let users choose whether they use OpenLDAP or ADS LDAP; I hope it is helpful,
and I want to say thank you for your great work!
greetz
mainbuzzb
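The zero-entry result from the PHP search in the earlier post and the consultant's changes in the post above come down to the same point about how Active Directory stores group membership: a user is not an entry beneath the group, so a subtree search with the group DN as base and a filter of (CN=USERNAME) matches nothing, while the group object's multi-valued member attribute lists the members' DNs (which is what the ldapsearch output shows). The following is an added example and is neither NConf's code nor the consultant's patch: it puts the AD flow in one place, a simple bind with the UPN, resolving the user's DN with an escaped filter, reading the group entry itself and comparing DNs. The server URI, UPN suffix and the USERS_DN value are assumptions; the group DNs follow the layout posted in the thread.

```php
<?php
// Added example, not NConf code: AD login check for an NConf-style setup.
// Host, UPN suffix and OU layout below are assumptions for illustration;
// the group DNs follow the layout shown in the thread.
define('LDAP_URI',       'ldaps://dc.my.domain.com:636');   // LDAPS; plain 389 sends the bind password in clear
define('UPN_SUFFIX',     '@my.domain.com');
define('USERS_DN',       'OU=Users,OU=DE-Site,DC=my,DC=domain,DC=com');
define('ADMIN_GROUP_DN', 'CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-Site,DC=my,DC=domain,DC=com');
define('USER_GROUP_DN',  'CN=NCONF.USERS,OU=Server,OU=Groups,OU=DE-Site,DC=my,DC=domain,DC=com');

// Escape a value for an LDAP search filter (RFC 4515) so a login name cannot
// alter the filter. ldap_escape() exists from PHP 5.6; the fallback covers older PHP.
function filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(array('\\', '*', '(', ')', "\0"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

// AD matches DNs case-insensitively; normalise before comparing strings.
// (Sufficient for DNs without escaped commas, as in the thread.)
function dn_normalize($dn) {
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// True if $user_dn appears in the group's multi-valued "member" attribute.
// The group entry is read with base scope: members are attribute values of
// the group object, not child entries, so a subtree search under the group
// DN for (CN=<user>) returns nothing.
function is_member($conn, $group_dn, $user_dn) {
    $rd = @ldap_read($conn, $group_dn, '(objectClass=group)', array('member'));
    $g  = $rd ? ldap_get_entries($conn, $rd) : false;
    if (!$g || $g['count'] !== 1 || empty($g[0]['member'])) {
        return false;
    }
    $want = dn_normalize($user_dn);
    for ($i = 0; $i < $g[0]['member']['count']; $i++) {
        if (dn_normalize($g[0]['member'][$i]) === $want) {
            return true;
        }
    }
    return false;
}

// Returns 'admin', 'user' or false.
function ad_login($username, $password) {
    // A simple bind with an empty password is an unauthenticated bind that AD
    // answers with success, so reject it before it reaches ldap_bind(). The
    // character whitelist keeps the bind identity a plain sAMAccountName.
    if ($password === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    $conn = ldap_connect(LDAP_URI);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD sends referrals on subtree searches; do not chase them

    // 1. Authenticate: bind as user@domain (UPN); no uid=<username> DN is needed.
    if (!@ldap_bind($conn, $username . UPN_SUFFIX, $password)) {
        ldap_unbind($conn);
        return false;
    }
    // 2. Resolve the user's DN under USERS_DN; the login name goes in escaped.
    $filter  = '(&(objectClass=user)(sAMAccountName=' . filter_escape($username) . '))';
    $sr      = @ldap_search($conn, USERS_DN, $filter, array('distinguishedName'));
    $entries = $sr ? ldap_get_entries($conn, $sr) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;
    }
    $user_dn = $entries[0]['distinguishedname'][0];

    // 3. Authorise: admin group first, then the basic user group.
    $role = false;
    foreach (array('admin' => ADMIN_GROUP_DN, 'user' => USER_GROUP_DN) as $name => $group_dn) {
        if (is_member($conn, $group_dn, $user_dn)) {
            $role = $name;
            break;
        }
    }
    ldap_unbind($conn);
    return $role;
}
```

Three things to check in a real deployment. The settings in the first post combine an ldaps:// URI with port 389; LDAPS listens on 636, and a simple bind over plain 389 sends the password in clear text, so use ldaps://host:636 or StartTLS. The consultant's version filters on userPrincipalName built from <username>@my.domain.com, which only works when every account's UPN suffix is that domain; sAMAccountName does not depend on the suffix. Finally, member lists direct members only; if admins are granted through nested groups, search for the user with the filter (memberOf:1.2.840.113556.1.4.1941:=<group DN>) instead of reading the group entry.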
- agargiulo
- NConf developer
- Posts: 725
- Joined: Fri Mar 06, 2009 17:50
- Location: Zurich, Switzerland
Re: Authentication_by_LDAP (Windows Active Directory)
Thank you for your input. We will analyze the changes and if possible try to integrate them into NConf.
I cannot tell how soon this can be realized. It has been added to the queue.
Thx, Angelo
A.G. - NConf developer - http://www.nconf.org
If you like NConf,
rate it here: https://sourceforge.net/projects/nconf/reviews/
or here: http://exchange.nagios.org/directory/Ad ... nf/details
- fgander
- NConf developer
- Posts: 308
- Joined: Mon Mar 16, 2009 14:23
- Location: Bern, Switzerland
Re: Authentication_by_LDAP (Windows Active Directory)
We have implemented active directory authentication.
If there is someone who wants to test it, please send a message!
Regards Fabian