LDAP Authentication: changes

Request new features for NConf

LDAP Authentication: changes

Postby Guest » Thu Aug 18, 2011 15:46

Hello,

I use LDAP authentication for NConf, and I had a problem with the section where AUTH_TYPE == "ldap" on the page include/login_check.php.

The current use of "uid" and the fixed name of the group-member attribute, "memberuid" (e.g. in this file: $Basic_user_array = $results[0]["memberuid"];), don't work with my LDAP tree. However, I've found a solution to make authentication possible either with the UID, as currently, or with the user's DN.

To solve the problem, I've added a search with a UID filter to get the user's DN, and I've added two new constants in the config file to choose the name of the "member attribute" and the type of search for the group members (UID or DN).

Then a test based on the type of search (UID or DN) is used to check whether the user is a member of the admin group or of the basic group.


My changes :

* In config/Authentification.php

I've added two defines and commented out the unused method:
```php
# UID METHOD
#define('BASE_DN',          "uid=<username>,ou=people,dc=enterprise,dc=fr");
#define('SEARCH_TYPE',      "UID");
#define('MEMBER_ATT',       "memberuid");

# DN METHOD
define('BASE_DN',          "ou=people,dc=enterprise,dc=fr");
define('SEARCH_TYPE',      "DN");
define('MEMBER_ATT',       "member");
```


* In the page include/login_check.php:

1) Construction of the user DN
- Before:
```php
$ldap_user_dn = str_replace(USER_REPLACEMENT,$user_loginname,BASE_DN);
NConf_DEBUG::set($ldap_user_dn, 'DEBUG', 'ldap user dn');
```

- After:
```php
if ((! defined('SEARCH_TYPE')) || (defined('SEARCH_TYPE') && SEARCH_TYPE == "UID")) {
    $ldap_user_dn = str_replace(USER_REPLACEMENT,$user_loginname,BASE_DN);
    NConf_DEBUG::set($ldap_user_dn, 'DEBUG', 'ldap user dn');
} elseif ((defined('SEARCH_TYPE')) && (SEARCH_TYPE == "DN")) {
    // Escape the login before building the filter (ldap_escape needs PHP >= 5.6),
    // so that '*', '(' or ')' typed into the login form cannot change the search.
    $uid_filter = "(uid=" . ldap_escape($user_loginname, "", LDAP_ESCAPE_FILTER) . ")";
    $search = ldap_search($ldapconnection, BASE_DN, $uid_filter);
    $result = ($search !== false) ? ldap_get_entries($ldapconnection, $search) : false;
    // Only accept the DN when exactly one entry matches the uid.
    if ($result !== false && $result["count"] == 1) {
        $ldap_user_dn = $result[0]["dn"];
    } else {
        $ldap_user_dn = false;
    }
    NConf_DEBUG::set($ldap_user_dn, 'DEBUG', 'ldap user dn');
}
```


2) Use "MEMBER_ATT"
- Before:
```php
$Admin_user_array = $results[0]["memberuid"];
...
$Basic_user_array = $results[0]["memberuid"];
```

- After:
```php
if (! defined('SEARCH_TYPE')) {
    $Admin_user_array = $results[0]["memberuid"];
} else {
    $Admin_user_array = $results[0][MEMBER_ATT];
}
...
if (! defined('SEARCH_TYPE')) {
    $Basic_user_array = $results[0]["memberuid"];
} else {
    $Basic_user_array = $results[0][MEMBER_ATT];
}
```


3) Use "DN" or "UID" for the group members
- Before:
```php
if (in_array($user_loginname, $Admin_user_array) ){
    $_SESSION['group'] = GROUP_ADMIN;
    message($info, $_SESSION["group"].' access granted', "yes");
}elseif (in_array($user_loginname, $Basic_user_array) ){
    $_SESSION['group'] = GROUP_USER;
    message($info, $_SESSION["group"].' access granted', "yes");
}else{
    message('ERROR', TXT_LOGIN_NOT_AUTHORIZED);
}
```


- After:
```php
if ((! defined('SEARCH_TYPE')) || (defined('SEARCH_TYPE') && SEARCH_TYPE == "UID")) {
    if (in_array($user_loginname, $Admin_user_array) ){
        $_SESSION['group'] = GROUP_ADMIN;
        message($info, $_SESSION["group"].' access granted', "yes");
    }elseif (in_array($user_loginname, $Basic_user_array) ){
        $_SESSION['group'] = GROUP_USER;
        message($info, $_SESSION["group"].' access granted', "yes");
    }else{
        message('ERROR', TXT_LOGIN_NOT_AUTHORIZED);
    }
} elseif ((defined('SEARCH_TYPE')) && (SEARCH_TYPE == "DN")) {
    if (in_array($ldap_user_dn, $Admin_user_array) ){
        $_SESSION['group'] = GROUP_ADMIN;
        message($info, $_SESSION["group"].' access granted', "yes");
    }elseif (in_array($ldap_user_dn, $Basic_user_array) ){
        $_SESSION['group'] = GROUP_USER;
        message($info, $_SESSION["group"].' access granted', "yes");
    }else{
        message('ERROR', TXT_LOGIN_NOT_AUTHORIZED);
    }
}
```


I think it's more flexible, and now we are not limited to a predefined structure for the LDAP tree. If "SEARCH_TYPE" isn't defined, the old method is used.


What do you think? Is it possible to incorporate this change into the core? I don't think I'm the only one experiencing this problem.

Sorry for my English ;-)


Sincerely,

Alexandre
Guest
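An added example, not code from the post above or from NConf: a stand-alone PHP script that exercises the SEARCH_TYPE "UID" / "DN" membership decision described in the post, with the uid filter escaped before it is built and the member comparison hardened. The group entries, logins and DNs in it are constructed sample data shaped like what ldap_get_entries() returns, and the function names are the example's own; no directory is contacted, so it runs offline.

```php
<?php
// Added example, not NConf's code: offline version of the UID/DN membership
// check, with filter escaping and a strict member comparison.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// PHP >= 5.6 ships ldap_escape($v, '', LDAP_ESCAPE_FILTER), which does the same.
function ldap_filter_escape($value) {
    return strtr($value, array(
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ));
}

// Filter used to look up the user's DN when SEARCH_TYPE == "DN".
function build_uid_filter($login) {
    return '(uid=' . ldap_filter_escape($login) . ')';
}

// The direct interpolation from the post, kept only to show the difference.
function build_uid_filter_unsafe($login) {
    return "(&(uid=$login))";
}

// Drop the 'count' element ldap_get_entries() adds to every attribute, so a
// login such as "2" cannot loosely match the integer count.
function attribute_values(array $attr) {
    $values = array();
    foreach ($attr as $key => $value) {
        if (is_int($key)) {
            $values[] = $value;
        }
    }
    return $values;
}

// Simplified DN normalisation: lower-case, no whitespace around ',' and '='.
// Assumption: member DNs contain no escaped commas or equals signs.
function normalize_dn($dn) {
    return strtolower(preg_replace('/\s*([,=])\s*/', '$1', trim($dn)));
}

// True if the user appears in the group's member attribute, compared by uid
// (SEARCH_TYPE "UID" or unset) or by DN (SEARCH_TYPE "DN").
function is_group_member($search_type, $login, $user_dn, array $member_attr) {
    $members = attribute_values($member_attr);
    if ($search_type === 'DN') {
        $wanted = normalize_dn($user_dn);
        foreach ($members as $member) {
            if (normalize_dn($member) === $wanted) {
                return true;
            }
        }
        return false;
    }
    return in_array($login, $members, true);   // strict: no type juggling
}

// Mirror of the admin/basic decision in login_check.php: returns 'admin',
// 'user', or null when the login is not authorised.
function resolve_group($search_type, $login, $user_dn, array $admin_attr, array $basic_attr) {
    if (is_group_member($search_type, $login, $user_dn, $admin_attr)) {
        return 'admin';
    }
    if (is_group_member($search_type, $login, $user_dn, $basic_attr)) {
        return 'user';
    }
    return null;
}

// --- Constructed sample data, shaped like ldap_get_entries() attribute arrays ---
$admin_member = array('count' => 2,
    0 => 'uid=alice,ou=people,dc=enterprise,dc=fr',
    1 => 'UID=bob, OU=People, DC=enterprise, DC=fr');
$basic_memberuid = array('count' => 2, 0 => 'carol', 1 => 'dave');

// Filter construction: a crafted login turns the unsafe filter into one that
// matches every entry with a uid, while the escaped filter matches nobody.
var_dump(build_uid_filter('alice'));
var_dump(build_uid_filter_unsafe('*)(uid=*'));
var_dump(build_uid_filter('*)(uid=*'));

// DN mode: a member DN differing only in case and spacing still matches.
var_dump(resolve_group('DN', 'bob', 'uid=bob,ou=people,dc=enterprise,dc=fr',
                       $admin_member, $basic_memberuid));
// UID mode: "2" must not match the 'count' element of the memberuid attribute,
// and a real basic user resolves to 'user'.
var_dump(resolve_group('UID', '2', '', $admin_member, $basic_memberuid));
var_dump(resolve_group('UID', 'dave', '', $admin_member, $basic_memberuid));
```

Two points the example makes that the patch as posted does not handle: the login name goes into the search filter unescaped, so a value like `*)(uid=*` widens the search instead of naming one user, and the arrays returned by ldap_get_entries() carry a `count` element that a non-strict in_array() will compare loosely against a numeric login. Escaping the filter value and comparing with the strict flag (or after dropping the `count` key) closes both; normalising DNs before comparing them avoids spurious "not authorised" results when the directory returns member DNs in a different case or spacing than the one looked up.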
 

Re: LDAP Authentication: changes

Postby alexandrech » Thu Aug 18, 2011 16:27

If you have a question about this post, it's my account, but I posted without being logged in.

Alexandre
alexandrech
 

Re: LDAP Authentication: changes

Postby fgander » Sun Aug 21, 2011 13:16

Hey

I hope I will find some time in the next week or two to have a look at this. Thanks for your post so far.

Cheers Fabian
F.G. - NConf developer
http://www.nconf.org

