Authentication_by_LDAP (Windows Active Directory)

[mainbuzzb]

Hi all!

I would like to authenticate by using ADS from Windows Domaincontroller to use NConf...
Is this possible? But I don't understand the Information I should fill in the authentication.php

Current settings:

define('LDAP_SERVER', "ldaps://DC-Server.our.domain");
define('LDAP_PORT', "389");
define('BASE_DN', "uid=<username>(????),ou=server-de,dc=dc-server,dc=our,dc=domain"); => what is uid for?
define('USER_REPLACEMENT', "<username>(????)"); => what should I set this?
define('GROUP_DN', "OU=Server,OU=Groups,OU=server-de,DC=dc-server,DC=our,DC=domain");
define('ADMIN_GROUP', "cn=SERVERNAME.NCONF.ADMINS");
define('USER_GROUP', "cn=sysadmin");

Could anybody help please.

Thanks @ all

mainbuzzb

[agargiulo]

Hi.

I must admit, we have never tried authenticating NConf with MS AD.
The "ldap" authentication module is intended for a pam_ldap / nss_ldap compliant structure (DIT) as used for Unix systems. The structure should consist of two different trees, one for users and one for groups:

uid=john,ou=People,dc=mydomain,dc=com
ou=Group,dc=mydomain,dc=com

I guess if your AD meets these requirements and if it is LDAPv3 compliant, then authentication should work. But it has never been tested by us. I'm not sure how the user / group matching is done in AD.

The "<username>" is a placeholder, it's what NConf will replace with the username that you enter when you authenticate. You should leave it as default, just make sure the placeholder is in the proper position within the user dn:

uid=<username>,ou=People,dc=mydomain,dc=com ("<username>" will be replaced by "john")

[mainbuzzb]

Hi,

thanks for help, I now understand the <username> and for so far it works...
but:

I test with following function in a little script, so I could see what happens:

********************************************************************************************************************************************************************
//Search the directory
$sr = ldap_search($ldapconn,"CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com", "(CN=USERNAME)")
or die ("ldap search failed ");

//Create result set
$entries = ldap_get_entries($ldapconn, $sr)
or die("function get_entries failed");

//Sort and print
echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";

for ($i=0; $i < $entries["count"]; $i++)
{
echo $entries[$i]["displayname"][0]."<br />";
}

//never forget to unbind!
ldap_unbind($ldapconn);
********************************************************************************************************************************************************************

But get :

***********************
User count: 0

Users:
**********************



If I go to my shell directly and send following command:

*********************************************************************************************************************************************************************************************************
ldapsearch -x -b "CN=NCONF.ADMINS,OU=Server,OU=Groups,OU=DE-SITE,DC=my,DC=dom,DC=com" -h ldapserver -D "domainname\username" -W | grep -i "CN=USERNAME"
*********************************************************************************************************************************************************************************************************



I get:
****************************************************************************************************************************
member: CN=USERNAME,OU=TEST_FOLDER,OU=Support,OU=Users,OU=DE-SITE,DC=my,DC=dom,DC=com
****************************************************************************************************************************



So it looks greate from the same linux box (CentOS5.3_Final), so what do I have to do to make your greate script going?

Thank you in advanced, for your hand!

greetz
mainbuzzb

[mainbuzzb]

Hi,

ok now it is solved, using ADS LAP from Windows works.
I ask a Nagios Consultant which is working for us last weeks, and he was so kindly to check it out, and he gives me a solution.
He tolds me that it's not so flexible because of some new LDAP options, but for us it will work, maybe you could take it and improve it,
so that it is more flexible and not so statically in case of USERS_DN. I will only post the changes he has made:

authentication.php:

Code: Select all

...

define('BASE_DN',          "<username>@my.domain.com");
define('USERS_DN',         "OU=TEST_ROOM,OU=Support,OU=Users,OU=DE-Site,DC=my,DC=domain,DC=com");
define('USER_REPLACEMENT', "<username>");
define('GROUP_DN',         "OU=Server,OU=Groups,OU=DE-Site,DC=my,DC=domain,DC=com");
define('ADMIN_GROUP',      "CN=NCONF.ADMINS");
define('USER_GROUP',       "CN=NCONF.USERS");

...

login_check.php:

Code: Select all

...

if($ldap_response) {
            # If user login was successfull, look for group
            # admins are in group : ADMIN_GROUP
            # normal nconf user are in group : USER_GROUP
            # all other do not have access

           $userfilter = "(userPrincipalName=".$ldap_user_dn.")";
           $userattrs = ldap_search($ldapconnection, USERS_DN, $userfilter);
           $userattrsresult = ldap_get_entries($ldapconnection, $userattrs);
           $userDistinguishedName = $userattrsresult[0]["distinguishedname"][0];
...schnip


         //$Admin_user_array = $results[0]["memberuid"];
            $Admin_user_array = $results[0]["member"];

...schnip


         //$Basic_user_array = $results[0]["memberuid"];
            $Basic_user_array = $results[0]["member"];

...schnip

            #Check if user is in Basic userlist
            #or in Admin userlist
            if (in_array($userDistinguishedName, $Admin_user_array) ){
                $_SESSION['group'] = GROUP_ADMIN;
                message($info, $_SESSION["group"].' access granted', "yes");
            }elseif (in_array($userDistinguishedName, $Basic_user_array) ){
                $_SESSION['group'] = GROUP_USER;
                message($info, $_SESSION["group"].' access granted', "yes");

...schnap

I think that's it...

Maybe you can use it to develop a more flexible code and let users choose if they use openLDAP or ADS LDAP, hope it would be helpfull
and want to say thank you for your greate work!

greetz
mainbuzzb

Hi.

I must admit, we have never tried authenticating NConf with MS AD.
The "ldap" authentication module is intended for a pam_ldap / nss_ldap compliant structure (DIT) as used for Unix systems. The structure should consist of two different trees, one for users and one for groups:

uid=john,ou=People,dc=mydomain,dc=com
ou=Group,dc=mydomain,dc=com

I guess if your AD meets these requirements and if it is LDAPv3 compliant, then authentication should work. But it has never been tested by us. I'm not sure how the user / group matching is done in AD.

The "<username>" is a placeholder, it's what NConf will replace with the username that you enter when you authenticate. You should leave it as default, just make sure the placeholder is in the proper position within the user dn:

uid=<username>,ou=People,dc=mydomain,dc=com ("<username>" will be replaced by "john")

[agargiulo]

Thank you for your input. We will analyze the changes and if possible try to integrate them into NConf.
I cannot tell how soon this can be realized. It has been added to the queue.

Thx, Angelo

[fgander]

We have implemented active directory authentication.

If there is someone who wants to test it, please send a message!

Regards Fabian