Fresh Drupal install and LDAP integration module. Cannot authenticate any users. The error log says this: LDAP Bind failure. Error 49: Invalid credentials. I have tried two different LDAP servers whose datasets are totally different - one is AD, and the other is LDAP v3 on OS X. I have gotten this to work fine with Mambo, so I am confident that my servers should allow it. Any help? Thanks!

Comments

pablobm’s picture

Thanks for pointing out. I'm already having some feedback about problems with Active Directory, but I'll not be able to work on it until April, since I'm taking holidays just now.

Until then... can somebody provide me of an AD installation I can test my module against? :P . Thanks

allrite’s picture

Title: Users will not authenticate. Log only says: LDAP Bind failure. Error 49: Invalid credentials » AD Authentication

Hi,

I've had success in hacking the ldap_authentication module to authenticate against active directory. It's not pretty and doesn't do lookups or user management. Sorry about the lack of a patch, but I have also added some irrelevant hacks to the module.

I put the LDAP variables - anonymous user, base DN, etc. - in an array $ldap and put it in site/default/settings.php. I also had to replace ldap_read with ldap_search:

//$result = ldap_read($con, $dn, 'objectClass=*'); 
$result = ldap_search($con, $ldap['base_dn'], $dn);

I also had to modify the bind:

function _ldap_integration_bind($con, $dn, $pass) {
  ob_start();   // swallow PHP warnings emitted by the LDAP calls below
  global $ldap; // $ldap array from settings.php: anon_id, anon_password, base_dn
  // Bind with the anonymous/service account so the search in _ad_bind() is authorised
  $anon_bind = @ldap_bind($con, $ldap['anon_id'], $ldap['anon_password']);
  if (!$anon_bind) {
    ob_end_clean();
    return false;  // no point searching if the service bind failed
  }
  $res = _ad_bind($con, $dn, $pass);
  ob_end_clean();

  return $res;
}

adding a new AD bind function:

function _ad_bind($con, $dn, $pass) {
    global $ldap;
    $res = false;
    // $dn arrives as the bare login name; turn it into a search filter
    $dn = "cn=" . $dn;
    // Search under the base DN using the anonymous/service bind made by the caller
    $anon_res = @ldap_search($con, $ldap['base_dn'], $dn);
    if ($anon_res) {
      $users = @ldap_get_entries($con, $anon_res);
      // Only bind when exactly one entry matched; otherwise $users[0] is undefined
      if ($users && $users['count'] == 1) {
        $user_dn = $users[0]["dn"];
        $pass = _ldap_integration_decrypt($pass);
        // Re-bind as the user with the DN found by the search
        $res = @ldap_bind($con, $user_dn, $pass);
      }
    }
    return $res;
}

Hope that's of some help.
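The two-step lookup-then-bind flow described above, as an added example that is not code from the ldap_integration module or from any poster in this thread. It generalises the snippet by using the sAMAccountName attribute, escaping the login before it goes into the filter, refusing zero or ambiguous matches, and rejecting an empty password (AD treats an empty-password bind as an anonymous bind, which would look like success). Host, base DN, service account and ldap_escape() (PHP 5.6 or later) are assumptions.

```php
<?php
// Added example: AD authentication via service bind -> search -> user bind.
// Assumes PHP >= 5.6 for ldap_escape(); all connection values are placeholders.

function ad_authenticate($host, $base_dn, $svc_dn, $svc_pw, $login, $password) {
    // An empty password makes AD perform an anonymous bind that "succeeds".
    if ($login === '' || $password === '') {
        return false;
    }
    $con = ldap_connect($host);
    if (!$con) {
        return false;
    }
    ldap_set_option($con, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers searches with referrals; chasing them unbound surfaces as "Operations error".
    ldap_set_option($con, LDAP_OPT_REFERRALS, 0);
    // Bind as the service account so the search is authorised.
    if (!@ldap_bind($con, $svc_dn, $svc_pw)) {
        ldap_close($con);
        return false;
    }
    // Escape the login so characters like * ( ) \ cannot change the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
    $res = @ldap_search($con, $base_dn, $filter, array('dn'));
    if (!$res || ldap_count_entries($con, $res) !== 1) {
        ldap_close($con);
        return false; // zero or ambiguous matches: refuse rather than bind to the first hit
    }
    $user_dn = ldap_get_dn($con, ldap_first_entry($con, $res));
    // Re-bind with the user's own DN and the supplied password.
    $ok = @ldap_bind($con, $user_dn, $password);
    ldap_close($con);
    return $ok ? $user_dn : false;
}

// Usage with placeholder values; returns the user's DN on success, false otherwise.
$dn = ad_authenticate('ldap://dc.example.test', 'dc=example,dc=test',
    'cn=drupal-svc,cn=Users,dc=example,dc=test', 'SERVICE_PASSWORD_PLACEHOLDER',
    'jdoe', 'USER_PASSWORD_PLACEHOLDER');
```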

pablobm’s picture

Assigned: Unassigned » pablobm

Thanks, mate. I'll add that code as soon as I get news of the new version properly working.

vprugh’s picture

Version: » 4.6.x-1.x-dev

I've been able to get version 4.6.0 to authenticate to LDAP (Active Directory) by making my login replacement look like this:

cn=$1,cn=Users,dc=$2,dc=$3 (I needed to force the extra "cn=Users" for some reason).

I also made my LDAP Search filter look like this to get the search box to work:

CN=%searchstring

The problem I'm having is that whenever a user tries to log in and puts in a bad username or password, the program experiences a bind problem (this is in the watchdog):

ldap_bind(): Unable to bind to server: Invalid credentials in /var/www/html/modules/ldap_integration.module on line 408.

and then displays a blank screen with this in the address line "http://knowledge.sriconsulting.com/?q=user/login&destination=front_page". The user doesn't see the "Sorry. Unrecognized username or password. Have you forgotten your password?" unless he goes back to the root page.

Any thoughts?

Thanks,

Vicki

pablobm’s picture

OK, next week I'll be back on the Internet as normal and I'll be able to check all this out and include the suggestions given in the module's code. Sorry for the wait and thanks for your feedback.

pablobm’s picture

After some time incommunicado, travelling and procrastinating, I've come up with preliminary versions covering this issue.

As I keep having strange problems with CVS, I am publishing them as attachments to this issue, as well as giving quick links from the project page.

pablobm’s picture

Attachment: new, 10.21 KB

Version for Drupal 4.5.

pablobm’s picture

Attachment: new, 9.99 KB

Version for Drupal 4.6

pablobm’s picture

Status: Needs review » Fixed

Nobody complains, so this seems to be fixed.

ob’s picture

Hi All,

I am trying to get the ldap_integration-4.6.0-20050628 module to work here, using the version that pablobm posted on this thread on August 19. I'm running a Drupal installation on Linux, authenticating against a MS Active Directory. Installation went fine and conf.php is configured. In Drupal/Settings/ldap_integration, as "Systemtype and login details", I'm using "Active Directory System" instead of "LDAP Login Pattern". When I try to log in now, I get two warnings:

warning: ldap_read(): Search: Operations error in /srv/www/drupal/modules/ldap_integration/LDAPInterface.php on line 113.
warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /srv/www/drupal/modules/ldap_integration/LDAPInterface.php on line 114.

Having a look in LDAPInterface.php I find the function retrieveAttributes($dn). There the lines:

$result = ldap_read($this->connection, $dn, 'objectClass=*');
$entries = ldap_get_entries($this->connection, $result);

Problem is that I can't find an ldap_read or ldap_get_entries function anywhere, and neither can the script. Not in the above mentioned tar ball, nor in the 4.5.0 versions. Am I missing something here? Shouldn't these two functions be provided with this module? Any help is highly appreciated.

Besides this issue, a big thank you to pablobm for his work.

astroboy’s picture

Heya there, and first of all, thanks a lot for your wonderful work...

I'm using your module to authenticate a Drupal on OS X Tiger 10.4 / Apache / PHP5 against a Windows 2003 AD server.

I configured everything successfully, and when authenticating, I get this:

warning: ldap_read(): Search: No such object in /Library/WebServer/Documents/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 126.
warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /Library/WebServer/Documents/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 127.
warning: Cannot modify header information - headers already sent by (output started at /Library/WebServer/Documents/modules/ldap_integration/ldap_integration/LDAPInterface.php:125) in /Library/WebServer/Documents/includes/bootstrap.inc on line 701.
with nothing else on the page. If I navigate back to the home page, I am authenticated...

if you need any details, tell me and I'd be glad to help.

Thank you
Romain Dardour

pablobm’s picture

Status: Fixed » Active

First of all, I have no access to an AD configuration, so I can't properly develop any code involving it :( . If somebody has the necessary knowledge to have a go at it, everybody will appreciate it.

Now, in response to #10 (ob): the functions are part of PHP's own library. Actually, the errors shown are not about the module not finding the functions, but about them failing to work properly.

Then I read #11 (astroboy), who tells me that despite the errors, the system seems to somehow accept the login. Is it a correct login, or can anyone enter with any key or things like that? If it is, then the solution can't be too far away.

The code used for AD authentication is mostly copypasted from #2 by allrite (which reminds me that I've given him no credit. Shit. Fixed now; it will be in the next version). You see, I'm playing blind here. Please help! :'(

staceyworrall’s picture

I am having the same problem as #10 (ob):

Yes, I can get past that problem page and I'm then logged in as the user, but because it had problems with ldap_read and ldap_get_entries the user does not have the password or email address coming from LDAP, or any of the entries it requires from LDAP. You can then manually put them in and the user works fine.

After doing some testing I found out that the function called

function retrieveAttributes($dn) {
  // $dn must be a full DN: ldap_read() does a base-scope read of that single entry
  $result = ldap_read($this->connection, $dn, 'objectClass=*');
  $entries = ldap_get_entries($this->connection, $result);

  return $entries[0];
}

The $dn that is being fed to this function is only the login and not the LDAP DN needed by PHP's ldap_read. With AD style, after all, there is a $user_dn; I guess somehow this isn't getting passed on when it is needed in this function. Not sure how all that works, of course.

gravyface’s picture

Stacy, astroboy, ob:

I think these errors are associated with PHP5, as explained in this thread:
http://drupal.org/node/29217

sfrancis’s picture

I made the LDAP auth module work cleanly against Active Directory with the following changes, which mainly deal with getting the right dn for the user:
diff ldap_integration/LDAPInterface.php /srv/www/htdocs/modules/ldap_integration/ldap_integration/LDAPInterface.php
62c62,63
< $dn = 'cn=' . $name;
---
> $dn = 'sAMAccountName=' . $name;
> //srf
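Review bot: switching the filter to sAMAccountName= is the right attribute for AD logins, but $name is concatenated into the filter unescaped, so a login containing filter metacharacters such as *, (, ) or \ changes the query; escape those characters before building the filter, or reject logins that contain them. The `//srf` marker comment tells future readers nothing; a short note on why sAMAccountName replaces cn would.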
64c65,67
< $anon_res = @ldap_search($this->connection, variable_get('ldap_base_dn', ''), $dn);
---
> //srf - the base dn is already passed as an argument to this function $anon_res = @ldap_search($this->connection, variable_get('ldap_base_dn', ''), $dn);
> $anon_res = @ldap_search($this->connection, $base_dn, $dn);
> //srf
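Review bot: the new comment line embeds the whole old ldap_search() call as dead code, which makes the reason for the change hard to spot; keep only the explanation that $base_dn is already a parameter and drop the commented-out call.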
65a69,73
> if (ldap_count_entries($this->connection, $anon_res) !=1) {
> watchdog('user',"Error: Zero or more than 1 user found with $dn");
> return false;
> }
> //srf
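Review bot: ldap_count_entries() is called on $anon_res with no visible check that the preceding @ldap_search() succeeded; unless line 65 is already an `if ($anon_res)` guard, a failed search (the "Operations error" reported earlier in this thread) passes false here and produces a warning instead of a clean failure. The watchdog message also writes the raw $dn, which contains the user-typed login, into the log; logging the match count alone would avoid putting untrusted input in log lines.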
81a90,109
> function name_to_dn_AD($name = '', $base_dn = '') {
> global $ldap;
>
> $dn = 'sAMAccountName=' . $name;
> $res = @ldap_search($this->connection, $base_dn, $dn);
> if ($res) {
> if (ldap_count_entries($this->connection, $res) !=1) {
> watchdog('user',"Error: Zero or more than 1 user found with $base_dn");
> return false;
> }
>
> $users = @ldap_get_entries($this->connection, $res);
>
> $user_dn = $users[0]["dn"];
>
> }
>
> return $user_dn;
> }
>
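Review bot: name_to_dn_AD() returns $user_dn, which is never assigned when @ldap_search() returns false, so that path hands the caller an undefined variable (null) rather than the false returned when the count is wrong; initialise `$user_dn = false;` at the top so both failure paths agree. The watchdog message reports $base_dn where the filter $dn is the informative value (compare the earlier hunk), `global $ldap;` is declared but never used inside the method, and $name is interpolated into the filter without escaping, the same concern as in the first hunk.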

diff ldap_integration.module /srv/www/htdocs/modules/ldap_integration/ldap_integration.module
93d92
<
291a291,292
> global $ldap;
> if(variable_get('ldap_system_type', LDAP_STANDARD_SYSTEM) == LDAP_STANDARD_SYSTEM) {
295a297,299
> } else {
> return $ldap->name_to_dn_AD($login, variable_get('ldap_base_dn',''));
> }
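Review bot: the else branch passes $login straight to name_to_dn_AD() and returns whatever comes back; since that function can yield null as well as false on failure, the caller should treat anything other than a non-empty string as a lookup failure. Note also that `global $ldap;` here refers to the LDAPInterface object ($ldap->name_to_dn_AD), which is a different thing from the $ldap configuration array used in earlier comments of this thread; a comment or a less overloaded name would help readers.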

HTH

pablobm’s picture

Status: Active » Needs review
Attachment: new, 10.6 KB

Thanks for that patch! Do you want to marry me? ;)

I publish here a new version patched as you suggest. If the others can give some feedback during the next days, it would really help.

iceberg13’s picture

Attachment: new, 58 bytes

Hi!

The code works fine. Thank you.

But I found a bug:
- Log in to Drupal as a new user using the LDAP module
- Log out of Drupal
- Change the password in AD
- Try to log in to Drupal
- The OLD password is still the only valid one

I've found the reason. A Patch is attached.

sfrancis’s picture

That patch makes both the local drupal and the LDAP password work - probably not what you want, as you'll inevitably have one that is never changed, exposing a vulnerability.
See the Authentication only LDAP module thread for a patch that does the desired effect.

iceberg13’s picture

Hi!

Oh, sorry for that. I misunderstood something. Thanks for the hint.

But without that patch described in "Authentication only LDAP module", this AD module is useless, isn't it?
The only benefit is an initial data source for new users. But after that you still have two different user management databases.

In our case this is useless and absolutely unwanted. I wonder in which case this can be useful?

I.

sfrancis’s picture

I agree, that's why I added that patch to the Authentication only issue.
Feel free to state your opinion over there - that's what I think everyone wants, but I can't speak for everyone. :-)

pablobm’s picture

Status: Needs review » Fixed

Some of this is now fixed, whereas some other stuff is being discussed at the thread called "Authentication only LDAP module".

So I think I can close this bug and state it is fixed.

Another victory for open source :P .

pablobm’s picture

Status: Fixed » Closed (fixed)

I forgot that "fixed" doesn't mean "closed". So this is closed now.