Author Topic: Nedi Authentification  (Read 4187 times)

Stefmcp

  • Newbie
Nedi Authentification
« on: March 31, 2010, 04:49:46 PM »
Hi,

I need to authenticate NeDi users against a Microsoft LDAP server.

Do you have any idea or information on the best way to do this?

Thanks

CentOS 5
Nedi 1.0.5

oxo

  • Full Member
Re: Nedi Authentification
« Reply #1 on: April 06, 2010, 09:43:24 PM »
Well, Apache can use LDAP (AD) to authenticate.
NeDi can use noauth to let Apache authenticate the pages.
But there are problems about authorization.
One has to type a user name in the NeDi login page after being authenticated: it is easy to write admin and have full access.

So, 2 ways to go: implement LDAP in NeDi (not my way to go) or make NeDi more friendly to noauth=apache authentication (which would mean tacacs, radius etc etc).

If NeDi's father will support a code proposal from me, drop a PayPal contribution to him and I will write the code on the present release (which will hopefully come in other releases).

However, make sure you can implement LDAP authentication in Apache as your first step and post that you could.

Implementation notes:
- feature: if a user is authenticated and not already in the NeDi user database, the user will be created with as little authorization as possible. The user should be given the authorization needed later.

« Last Edit: April 06, 2010, 09:46:59 PM by oxo »
Owen Brotherwood, JNData A/S, DK

Stefmcp

  • Newbie
Re: Nedi Authentification
« Reply #2 on: April 15, 2010, 04:18:46 PM »
oxo,

I'll write PHP LDAP authentication with AD (Windows 2003 DC) for the current release, if you want to integrate it into the current or next release.
You need to compile PHP with LDAP support.

Stef

Code Modification

index.php line ~36
Code:
require_once ("inc/libldap.php");

index.php line ~92
Code:
}elseif ( strstr($guiauth,'ldap') && $_POST['user'] != "admin" ){ # Ldap code by Stephane Garret
    # admin keeps the local NeDi password; every other login is checked against LDAP
    if (user_from_ldap_servers($_POST['user'],$_POST['pass'], false)){
        # load the NeDi user record (authorization data) for the rest of index.php
        $query = GenQuery('user','s','*','','',array('name'),array('='),array($_POST['user']) );
        $res   = @DbQuery($query,$link);
        $uok = 1;
        $ldaperr = "<h4>Authentication LDAP OK</h4>";
    }else {
        $uok = 0;
        $ldaperr = "<h4>Authentication LDAP Failed </h4>";
    }
}

User-Account.php line 54
Code:
<input type="submit" name="createldap" value="<?=$addlda?>">

User-Account.php line 65
Code:
elseif(isset($_GET['createldap']) and $_GET['usr']){
    $now = time();
    //$pass = md5( $_GET['usr'] );
    // import mode: the user must exist in LDAP and not yet in NeDi; getFromLDAP() fills $fields
    if (user_from_ldap_servers($_GET['usr'])){
        // the user is created with an empty password and default language/theme; rights are granted afterwards in NeDi
        $query = GenQuery('user','i','','','',array('name','email','phone','password','time','language','theme'),'',array($fields['ldap_login'] ,$fields['ldap_field_email'],$fields['ldap_field_phone'],'',$now,'english','default') );
        if( !@DbQuery($query,$link) ){echo "<h4>".DbError($link)."</h4>";}else{echo "<h5>$usrlbl $_GET[usr]: $addbtn OK</h5>";}
    }else{
        echo "<SCRIPT LANGUAGE=\"JavaScript\"> alert(\"Ldap No user found\")</SCRIPT>";
    }
}


gui.php

english
Code:
$addlda = "Add from Ldap";

Deutsch
Code:
$addlda = "Hinzufügen von LDAP";

create a new file libapp.php in /inc
Code:
<?php

/**
 * ldap
 * Check all the directories. When the user is found, then import it
 * @param $login : user login
 * @param $password : user password
 * @param $import : true = import the user (User-Account.php), false = check his password (index.php)
 **/
function user_from_ldap_servers($login, $password = '', $import = true) {
    global $ldapserver,$ldaprootdn,$ldapbasedn,$ldaprootpw,$ldapserverport,$user_dn,$fields;
    global $dbhost,$dbuser,$dbpass,$dbname;

    // search if the user exists in the local user DB
    $link  = @DbConnect($dbhost,$dbuser,$dbpass,$dbname);
    $query = GenQuery('user','s','*','','',array('name'),array('='),array($login) );
    $res   = @DbQuery($query,$link);
    if ($import) {
        // import: only users NeDi does not know yet are looked up in the directory
        if (@DbNumRows($res)==0){
            $result = ldapFindDn($login);
            if ($result != false){
                return $result;
            }
        }
        return false;
    } else {
        // check: the user must already exist in NeDi, then bind with his own dn and password
        if (@DbNumRows($res)>0){
            $result = ldapFindDn($login);
            if ($result != false){
                // $user_dn was set by ldapFindDn(); connect_ldap() refuses an empty password
                $ds1 = connect_ldap($ldapserver, $ldapserverport, $user_dn, $password, 0, 0);
                if($ds1){
                    //Authentication OK for user
                    ldap_close($ds1);
                    return true;
                }else {
                    //Authentication Failed for user
                    return false;
                }
            }else{
                echo "User not found in the LDAP directory";
            }
        }
    }
    return false;
}


/** Find User dn
 *
 * @param   $login  login (samaccountname) of the user to find
 */
function ldapFindDn($login) {
    global $ldapserver,$ldaprootdn,$ldapbasedn,$ldaprootpw,$ldapserverport,$user_dn;

    //Connect to the directory with the service account (ldaprootdn / ldaprootpw)
    $ds = connect_ldap($ldapserver, $ldapserverport, $ldaprootdn, $ldaprootpw, 0, 0);
    if ($ds) {
        //Get the user's dn
        $user_dn = ldap_search_user_dn($ds, $ldapbasedn, 'samaccountname', stripslashes($login), '');
        if ($user_dn) {
            if (getFromLDAP($ds, $user_dn, addslashes($login))){
                return true;
            } else {
                return false;
            }
        }
        return false;
    } else {
        return false;
    }
}

/**
 * Function that tries to load the user information from LDAP into the global $fields array
 *
 * @param $ldap_connection ldap connection descriptor
 * @param $userdn dn of the user
 * @param $login User Login
 */
function getFromLDAP($ldap_connection, $userdn, $login) {
    global $ldapserver,$ldaprootdn,$ldapbasedn,$ldaprootpw,$ldapserverport,$user_dn,$fields;

    if ($ldap_connection) {
        // NeDi field => AD attribute (ldap_get_entries() returns attribute names in lower case)
        $fields = array(
            'ldap_login'           => 'samaccountname',
            'ldap_field_email'     => 'userprincipalname',
            'ldap_field_realname'  => 'sn',
            'ldap_field_firstname' => 'givenname',
            'ldap_field_phone'     => 'telephonenumber',
            'ldap_field_title'     => 'title'
        );
        $fields = array_filter($fields);
        $f  = array_values($fields);
        $sr = @ldap_read($ldap_connection, $userdn, "objectClass=*", $f);
        if (!$sr) {
            // the dn does not exist (or is not readable with the service account)
            return false;
        }
        $v = ldap_get_entries($ldap_connection, $sr);
        if (!is_array($v) || $v['count'] == 0){
            return false;
        }
        // replace each attribute name by the value read from the directory ("" when absent)
        foreach ($fields as $k => $e) {
            if (empty($v[0][$e][0])){
                $fields[$k] = "";
            } else {
                $fields[$k] = addslashes($v[0][$e][0]);
            }
        }
        return true;
    }
    return false;
}


/**
 * Connect to a LDAP server
 *
 * @param $host : LDAP host to connect
 * @param $port : port to use
 * @param $login : dn to bind with, empty for an anonymous bind
 * @param $password : password to use
 * @param $use_tls : use a tls connection ?
 * @param $deref_options Deref options used
 * @return the LDAP link on success, else false
 **/
function connect_ldap($host, $port, $login = "", $password = "", $use_tls = false, $deref_options = 0) {
    // A dn with an empty password is an "unauthenticated bind", which AD answers with success:
    // refuse it here, otherwise a known login with a blank password would pass the check.
    if ($login != '' && (string)$password === '') {
        return false;
    }
    $ds = @ldap_connect($host, intval($port));
    if ($ds) {

        @ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        @ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        @ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);
        //@ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

        // without $use_tls (the calls above pass 0) the bind sends the password in clear on port 389
        if ($use_tls) {
            if (!@ldap_start_tls($ds)) {
                return false;
            }
        }
        // Auth bind
        if ($login != '') {
            $b = @ldap_bind($ds, $login, $password);
        } else { // Anonymous bind
            $b = @ldap_bind($ds);
        }

        if ($b) {
            return $ds;
        } else {
            return false;
        }
    } else {
        return false;
    }
}


/**
 * Get dn for a user
 *
 * @param $ds : LDAP link
 * @param $basedn : base dn used to search
 * @param $login_attr : attribute holding the login (samaccountname for AD)
 * @param $login : user login
 * @param $condition : extra ldap condition (may be empty)
 * @return dn of the user, else false
 **/
function ldap_search_user_dn($ds, $basedn, $login_attr, $login, $condition) {

    // NOTE: $login comes straight from the login form; the filter characters ( ) * and \
    // change the meaning of the query, so the value should be escaped before production use.
    $filter = "($login_attr=$login)";

    if (!empty ($condition)){
        $filter = "(& $filter $condition)";
    }
    if ($result = ldap_search($ds, $basedn, $filter, array("dn", $login_attr), 0, 0)){
        $info = ldap_get_entries($ds, $result);
        if (is_array($info) AND $info['count'] == 1) {
            return $info[0]['dn'];
        } else {
            // fallback kept from the original: guess "<attr>=<login>,<basedn>"; on AD this is
            // normally not an existing dn, so the following ldap_read() fails and the user is rejected
            $dn = "$login_attr=$login," . $basedn;
            return $dn;
        }
    } else {
        return false;
    }
}


?>

libmisc.php

Code:
global $ldapserver,$ldapserverport,$ldapbasedn,$ldaprootdn,$ldaprootpw;
Code:
elseif ($v[0] == "ldapserver") {$ldapserver = $v[1];}
elseif ($v[0] == "ldapserverport") {$ldapserverport = $v[1];}
elseif ($v[0] == "ldapbasedn") {$ldapbasedn = $v[1];}
elseif ($v[0] == "ldaprootdn") {$ldaprootdn = $v[1];}
elseif ($v[0] == "ldaprootpw") {$ldaprootpw = $v[1];}

Nedi.conf

Code:
guiauth ldap

#LDAP configuration
ldapserver     XXX.XXX.XXX.XXX
ldapserverport   389
ldapbasedn   DC=XXXX,DC=XXXX
ldaprootdn    CN=userldap,OU=ou user,OU=XXXX,DC=XXXX
ldaprootpw   CN password


« Last Edit: April 15, 2010, 06:39:33 PM by Stefmcp »
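Added example, not part of Stef's patch or of NeDi itself: ldap_search_user_dn() above puts the login from the login form straight into the search filter, where ( ) * and \ change the meaning of the query, and it falls back to a guessed dn when the search does not return exactly one entry. The replacement below escapes the login per RFC 4515 by hand (ldap_escape() only exists from PHP 5.6, so it is not available on CentOS 5) and returns false for anything but a single match; the function names are mine, and an open, bound link $ds from connect_ldap() is assumed.

```php
<?php
// Added example (not NeDi's or Stef's code): hardened lookup of a user's dn.
// Assumes the same ldap_* extension calls as the patch above and an open, bound link $ds.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * strtr() replaces every character in one pass, so the backslash is not escaped twice.
 */
function ldap_filter_escape($value) {
    return strtr($value, array(
        "\\"   => "\\5c",
        "*"    => "\\2a",
        "("    => "\\28",
        ")"    => "\\29",
        "\x00" => "\\00",
    ));
}

/**
 * Return the dn of the entry whose $login_attr equals $login, or false when the
 * search fails, finds nothing, or finds more than one entry (never a guessed dn).
 */
function ldap_search_user_dn_safe($ds, $basedn, $login_attr, $login) {
    // $login_attr comes from code ('samaccountname'), but keep it to a plain attribute name anyway
    if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $login_attr)) {
        return false;
    }
    $filter = "(" . $login_attr . "=" . ldap_filter_escape($login) . ")";
    $result = @ldap_search($ds, $basedn, $filter, array("dn"), 0, 0);
    if (!$result) {
        return false;
    }
    $info = ldap_get_entries($ds, $result);
    if (is_array($info) && $info['count'] == 1) {
        return $info[0]['dn'];
    }
    return false;
}

// Self-check of the escaping, runs without a directory (constructed login value):
// the login  a*b(c)d\  must become  a\2ab\28c\29d\5c  inside the filter
$expected = "a\\2ab\\28c\\29d\\5c";
if (ldap_filter_escape("a*b(c)d\\") !== $expected) {
    echo "ldap_filter_escape self-check failed\n";
}
```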

rickli

  • Administrator
Re: Nedi Authentification
« Reply #3 on: April 15, 2010, 08:41:25 PM »
If this is of general interest, I'd look at integration into the release...
Please consider Other-Invoices on your NeDi installation for an annual contribution, tx!
-Remo

oxo

  • Full Member
Re: Nedi Authentification
« Reply #4 on: April 17, 2010, 09:25:20 PM »
If this is of general interest, I'd look at integration into the release...
I think it has general interest (hope PayPal interest too ...): I usually change the code to support Apache authentication and leave the LDAP (AD) authentication in the hands of Apache (allows one to use any supported Apache authentication).
Owen Brotherwood, JNData A/S, DK