LDAP Bridge

Started by Cyrolancer, February 23, 2012, 10:28:53 AM

Cyrolancer

Coppermine LDAP Bridge v2.0

As the name implies, this is the LDAP bridge. You can find the bridge and the configuration file attached to this post.




What is the LDAP Bridge?
LDAP bridge is a standard Coppermine Bridge. This bridge allows authorization of users through an LDAP server. Tested on CPG v1.5.20.

How can I use it?

  • First, you need to set up your configuration in the config_ldap.inc.php file. I have tried to explain the details in that file.
  • Place the configuration file in the "include" folder of your CPG installation.
  • Upload the bridge file to the "bridges" folder.
  • Use the Bridge Manager inside CPG to activate it.
  • The user with user_id = 1 (that is, the first user you created when installing CPG) will always be active, even if your LDAP server crashes.

Do I need to add LDAP users to the CPG database before they log in?
In the previous version of the bridge you needed to, but in v2.0 the bridge manages user operations automatically. The bridge checks the username and password against the LDAP server and, after successful authorization, checks whether the user exists in the users table. If the user does not exist, the bridge creates the user entry but does not save the password. The user entry in the users table is needed for the session checks of CPG.

If user_id = 1, the bridge will use local DB for authorization. If user_id > 1, the bridge always uses LDAP server.

What about groups?
Groups are still work-in-progress.

What about Active Directory?
I am planning to integrate AD authorization in the LDAP bridge, or I may build a new bridge. Just give me a couple of weeks :)




I am open to all suggestions and requests regarding this bridge. Also, comments are welcome :)

Cyrolancer

#1
Hello again,

I am sorry, I couldn't edit my first message. There were errors in the code and I have corrected some of them. Also, I have updated the bridge and now it checks for user_id = 1 (which is the administrator account) and, if so, allows admin access. Other users should be added manually. If possible, I am going to write a plugin to allow addition of LDAP users to the database. Of course, it is possible to set up a cron job to add all LDAP users to the "users" table, but that's not planned right now.

The new code is attached to this message. There are several changes in the login method and I have added a user_id check to the query that updates the last visit time.

I would be glad if you comment (positively or negatively) on the code.

Edit: The final code is attached at the last post.


Cyrolancer

#2
Hello again,

I have updated some sections of this bridge. From now on, it works completely with a standard OpenLDAP server. You can change the $LDAPCONF array for your server, DN and LDAP protocol. If authentication fails, it returns to the "Login Failed" screen.

There are not many comments in the code, but it works. I am going to update it to have more comments (and more customization options) later on.

Also, I have faced a problem. It is not possible to configure it through the Bridge Manager. I think it only parses pre-defined variables (such as forum URL, location of the bridge app etc.) but not the custom ones I have added (directory server, dn, protocol).

Hope you enjoy the code :)

Edit: I have updated the code. Please consider this new file.

salah1hadinata

I still can't understand how to set up this LDAP mode. I have followed your steps but I can't even search my account on Active Directory / LDAP..

Can you make a tutorial to set up this LDAP?

Need help please  :(

Cyrolancer

Let's start from the beginning.

1. Download the file and rename it to ldap.inc.php
2. Go to line 51 of ldap.inc.php
3. Change the 3 lines below.

$LDAPCONF['auth_server'] = 'testdir.example.com';
$LDAPCONF['dn'] = 'ou=testou, dc=testdir, dc=example, dc=com';
$LDAPCONF['protocol'] = 3;


$LDAPCONF['auth_server'] is the variable where you put your LDAP server. You can write "127.0.0.1" or "localhost" or the domain name you have set up in your LDAP server configuration file.

$LDAPCONF['dn'] is the location where the users are placed in the LDAP server. You can manage these by using ldaptools package in Linux or LDAPAdmin or JXExplorer software in Windows.

$LDAPCONF['protocol'] is the protocol number. It can be 2 or 3. You set these before you start the LDAP server.

4. Put the file into the bridges/ directory in your CPG installation.
5. Log in to your CPG as admin.
6. Go to the bridge manager.
7. Enable LDAP Bridge.
8. There are no configuration settings present in this LDAP bridge, so you need to press next until you see the success message.

After setting the LDAPCONF variables, you need to consider the LDAP server side. If you are able to configure your LDAP server correctly, you will be able to use this LDAP bridge. Don't forget, you can always log in with the admin account that you created during CPG installation, regardless of whether your LDAP server is running or not.

Note: I have tried this bridge on a standard installation of Debian 6.0.5 (minimal version) with the slapd package from the default repositories.

deserteagle

This can't work for active directory.

my environment
wamp2.1, coppermine 1,6.16

I have made mantisbt 1.2.8 authenticate users against Windows Active Directory successfully. Some guys said that in Windows a username and password are required; anonymous can't work to retrieve the info.

In mantis, the config is like this:
config_inc.php
$g_login_method = LDAP;
$g_ldap_server = 'dc01.mydomain.net';
$g_ldap_port = 389; # Default is 389
$g_ldap_root_dn = "OU=Users,OU=Region,OU=AP,DC=dc01,DC=mydomain,DC=net";
$g_ldap_bind_dn = 'dc01\john';
$g_ldap_bind_passwd = 'welcome';
$g_use_ldap_email = ON;
$g_use_ldap_realname = ON;
$g_ldap_protocol_version = 3;
$g_ldap_uid_field= 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory - this is the name of the attribute used to search a user
$g_ldap_realname_field  = 'cn';
$g_ldap_follow_referrals = OFF;


I think the two below are needed for Windows Active Directory

ldap_bind_dn = '';
ldap_bind_passwd = '';

but I don't know how to code it. If you can update it, that would be great.


deserteagle

My Coppermine version is 1.5.16

Cyrolancer

Yes, the bridge uses an anonymous bind to search for the DN. Probably this bridge won't work when the LDAP server does not accept anonymous binds.

For me, it is impossible to use a Windows Server, as I don't have a licensed copy of it. I can only try it on an LDAP server running under Linux. I think it is possible to disable anonymous bind in an OpenLDAP server. I will try to find a solution for it.

deserteagle

After I disabled the bridge, the original users and groups which I created are gone. The user list is empty.

(https://coppermine-gallery.com/forum/proxy.php?request=http%3A%2F%2Fi.imgur.com%2FqpbOn.png&hash=91c2afb146dd3947919be773ff5a5e0eeee69662)

deserteagle

It's better to be able to do the search with a username and password.

Quote from: deserteagle on June 11, 2012, 09:25:01 AM
After I disabled the bridge, the original users and groups which I created are gone. The user list is empty.

Cyrolancer

Quote from: deserteagle on June 11, 2012, 09:25:01 AM
After I disabled the bridge, the original users and groups which I created are gone. The user list is empty.

If you use the bridge, you cannot use the user manager inside CPG. But the group manager works. These are features of CPG; it is not possible to change this behavior.

If it is possible, can you please check the users table in your database? You know, you need to add your LDAP users manually (at least for now) to use the bridge.



deserteagle

Of course, I already created the user in the database. I tried renaming an old username and created a new one; both can't work. After pressing the OK button to log in, it goes to a blank page with the address below:

http://cmy56/gallery/login.php?referer=index.php%3Fmessage_id%3D2911210115b2e4da60c06343b454954a%26message_icon%3Dinfo

deserteagle

I suggest you try using adLDAP 4.03. Another system named phpScheduleIt uses adLDAP to authenticate users against Active Directory; it works well and is simple: it authenticates the user from AD and pulls the user profile like email, department, organization back. All I need to do is change the settings in Ldap.config.php

http://adldap.sourceforge.net/

deserteagle

I can't find how to edit an earlier post, so I have to post a new one.

Maybe I'm wrong about the anonymous issue; after I checked the settings in phpScheduleIt's adLDAP, the username and password values are empty but it works!

$conf['settings']['Username'] = '';
$conf['settings']['Password'] = '';

Hope this can help you save some time.

Cyrolancer

I know about adLDAP. The problem is, I don't have a licensed copy of Windows Server, so I cannot try adLDAP. It will take some time to find a trial version or similar and work on it.

For now, I am trying to improve the LDAP bridge. As you can see, for now, LDAP bridge works manually. You need to enter all user data by yourself. This is not feasible and needs to be automated. Probably, that will be your solution to the empty user table problem. Also, I need to check for non-anonymous bind.

For the LDAP part, I will finish in 1 or 2 weeks. For the AD part, I will try working on it as soon as possible. I cannot give an exact time, because first of all, I need to find a Windows Server, but probably, AD part will be finished in 2 to 3 weeks.

3 weeks... that is a long time, I know, but I have a job to do and CPG is just a hobby :)

Cyrolancer

I think I have found a solution for AD.

Can you please make the change below?

Delete:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPCONF['protocol']);


Add:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPCONF['protocol']);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

deserteagle

No luck.

I think your suggestion is to add a new line
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

(I changed $conn to $ds, but both can't work).

BTW, I remember somebody said to use "samAccountName" for AD,

$g_ldap_uid_field= 'sAMAccountName'; # Use 'sAMAccountName' for Active Directory - this is the name of the attribute used to search a user
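The login sequence the thread describes (bind for the search, look up the user's DN under the configured base, then bind as that user with the submitted password), worked through as one function that covers both the OpenLDAP setup from Cyrolancer's first posts and the Active Directory needs raised above (service-account bind, sAMAccountName, referrals off). This is an added example and is not the bridge's code nor adLDAP's. The $LDAPCONF keys auth_server, dn and protocol come from the thread; bind_dn and bind_passwd (after deserteagle's suggestion), uid_attr and referrals are assumed additions, and every value is a placeholder.

```php
<?php
// Added example, not the bridge's or adLDAP's code. Keys 'auth_server', 'dn' and
// 'protocol' follow the $LDAPCONF array in the thread; 'bind_dn', 'bind_passwd',
// 'uid_attr' and 'referrals' are assumed additions. All values are placeholders.
$LDAPCONF = array(
    // ldaps:// keeps the submitted password off the wire in clear text
    'auth_server' => 'ldaps://testdir.example.com',
    'dn'          => 'ou=testou,dc=testdir,dc=example,dc=com',   // search base
    'protocol'    => 3,
    // Leave bind_dn empty for an anonymous search (what the bridge does on OpenLDAP);
    // set a read-only service account for Active Directory, which refuses anonymous searches.
    'bind_dn'     => '',
    'bind_passwd' => '',
    // 'uid' for OpenLDAP posixAccount entries, 'sAMAccountName' for Active Directory
    'uid_attr'    => 'uid',
    // AD returns referrals that fail when chased with these credentials; 0 disables chasing
    'referrals'   => 0,
);

// Escape a value for use inside an LDAP search filter (RFC 4515), so a login name
// such as "*)(uid=*" cannot widen the search. ldap_escape() needs PHP >= 5.6.
function ldap_filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(
        array('\\',  '*',   '(',   ')',   "\0"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

// Authenticate $username/$password against the directory.
// Returns the user's DN and profile attributes on success, false on any failure.
function ldap_bridge_authenticate(array $conf, $username, $password)
{
    // Never pass an empty password to ldap_bind(): a "DN plus empty password" bind is
    // treated as unauthenticated by many servers and reports success, which would
    // look like a valid login for any existing account.
    if ($username === '' || $password === '') {
        return false;
    }

    $ds = ldap_connect($conf['auth_server']);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $conf['protocol']);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, $conf['referrals']);

    // Step 1: bind for the search, anonymously or as the service account.
    $searchBound = ($conf['bind_dn'] === '')
        ? @ldap_bind($ds)
        : @ldap_bind($ds, $conf['bind_dn'], $conf['bind_passwd']);
    if (!$searchBound) {
        ldap_unbind($ds);
        return false;
    }

    // Step 2: find the DN that belongs to the login name; require exactly one match.
    $filter  = '(' . $conf['uid_attr'] . '=' . ldap_filter_escape($username) . ')';
    $sr      = @ldap_search($ds, $conf['dn'], $filter, array('dn', 'mail', 'displayName'));
    $entries = ($sr === false) ? false : ldap_get_entries($ds, $sr);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;
    }
    $userDn = $entries[0]['dn'];

    // Step 3: bind as the user with the submitted password. Only this step proves it.
    $authenticated = @ldap_bind($ds, $userDn, $password);
    ldap_unbind($ds);
    if (!$authenticated) {
        return false;
    }

    // ldap_get_entries() lower-cases attribute names, hence 'displayname'.
    return array(
        'dn'    => $userDn,
        'email' => isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : '',
        'name'  => isset($entries[0]['displayname'][0]) ? $entries[0]['displayname'][0] : $username,
    );
}

// Usage with placeholder credentials. On success the bridge would then look up or
// create the matching row in the CPG users table without storing the password.
$result = ldap_bridge_authenticate($LDAPCONF, 'jdoe', 'correct horse battery staple');
echo $result === false ? "Login failed\n" : "Authenticated " . $result['dn'] . "\n";
```

For an Active Directory domain the same function is used with bind_dn and bind_passwd set to a low-privilege service account, uid_attr set to sAMAccountName and referrals left at 0; with bind_dn empty it behaves like the bridge against an OpenLDAP server that permits anonymous searches. Two checks worth keeping in any variant of this code are the empty-password rejection before the user bind and the requirement that the search return exactly one entry, since a filter built from unescaped input or a base DN that is too broad can otherwise match the wrong account.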

Cyrolancer

Probably, I will implement adLDAP. It seems to be easier than putting and trying all PHP LDAP functions.

Cyrolancer

I have updated the code and added some features. The updated code and the details are in the first post. Enjoy :)

deserteagle

Sorry for replying so late, I have been sick for one month.

I tried the LDAP Bridge v2.0; it still shows the white page, can't log in against AD.