Authenticating users via PHP


#1

Hi,

I’m running EFA (forum.efa-project.org/viewtopic.php?t=1484 but I can’t seem to get it to work.

Any suggestions?

Gerald


#2

…not without knowing what exactly does not work. The linked documentation describes an LDAP connection - is that not working? Do you get errors, etc.?


#3

I added some debug code, and I get a bind failure.

This is what they use to connect to AD

[code]/**
 * @param $user
 * @param $password
 * @return null|string
 */
function ldap_authenticate($user, $password)
{
    $user = strtolower($user);
    if ($user != "" && $password != "") {
        $ds = ldap_connect(LDAP_HOST, LDAP_PORT) or die("Could not connect to " . LDAP_HOST);
        // Check if Microsoft Active Directory compatibility is enabled
        if (defined('LDAP_MS_AD_COMPATIBILITY') && LDAP_MS_AD_COMPATIBILITY === true) {
            ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
            ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        }
        ldap_bind($ds, LDAP_USER, LDAP_PASS); // <<<<---------- FAILS HERE
        if (strpos($user, '@') and LDAP_EMAIL_FIELD === 'mail') {
            $r = ldap_search($ds, LDAP_DN, LDAP_EMAIL_FIELD . "=$user") or die("Could not search");
        } elseif (strpos($user, '@')) {
            $r = ldap_search($ds, LDAP_DN, LDAP_EMAIL_FIELD . "=SMTP:$user") or die("Could not search");
        } else {
            $r = ldap_search($ds, LDAP_DN, "sAMAccountName=$user") or die("Could not search");
        }
        if ($r) {
            $result = ldap_get_entries($ds, $r) or die("Could not get entries");
            if ($result[0]) {
                if (in_array("group", array_values($result[0]["objectclass"]))) {
                    return null;
                }
                $user = $result[0]['userprincipalname']['0'];
                if (ldap_bind($ds, $user, "$password")) {
                    if (isset($result[0][LDAP_EMAIL_FIELD])) {
                        foreach ($result[0][LDAP_EMAIL_FIELD] as $email) {
                            if (substr($email, 0, 4) == "SMTP") {
                                $email = strtolower(substr($email, 5));
                                break;
                            }
                        }

                        $sql = sprintf("SELECT username FROM users WHERE username = %s", quote_smart($email));
                        $sth = dbquery($sql);
                        if (mysql_num_rows($sth) == 0) {
                            $sql = sprintf(
                                "REPLACE INTO users (username, fullname, type, password) VALUES (%s, %s,'U',NULL)",
                                quote_smart($email),
                                quote_smart($result[0]['cn'][0])
                            );
                            dbquery($sql);
                        }

                        return $email;
                    }
                }
            }
        }
    }

    return null;
}[/code]

And these are my settings:

[code]// LDAP settings
define('USE_LDAP', true);
define('LDAP_SSL', false); // set to true if using LDAP with SSL encryption
define('LDAP_HOST', 'server.example.com');
define('LDAP_PORT', '389');
define('LDAP_DN', 'DC=example,DC=com');
define('LDAP_USER', 'administrator@example.com');
define('LDAP_PASS', 'secret');
define('LDAP_SITE', 'default-first-site-name');
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'mail');
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', true);[/code]

Does that help at all? I do have the right name and password. My PHP is pretty weak.

Gerald
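One way to find out why the service-account bind in post #3 fails, given as an added example that is not part of the original posts or of the EFA code: check the return value of `ldap_bind()` and read the server's diagnostic message, which on Active Directory carries a `data NNN` sub-code. The function names `explain_ad_diagnostic` and `diagnose_service_bind` are hypothetical, and the sample diagnostic string is constructed.

```php
<?php
// Added example. AD sub-codes carried in the "data NNN" part of the diagnostic text.
const AD_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'wrong password or bind name',
    '530' => 'logon not permitted at this time',
    '531' => 'logon not permitted from this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'password must be changed',
    '775' => 'account locked out',
];

/** Pull the AD sub-code out of a server diagnostic message, or null if absent. */
function explain_ad_diagnostic(string $diag): ?string
{
    if (!preg_match('/\bdata ([0-9a-f]{3,4})\b/i', $diag, $m)) {
        return null;
    }
    $code = strtolower($m[1]);
    return $code . ': ' . (AD_SUBCODES[$code] ?? 'unrecognised sub-code');
}

/** Try the service-account bind and say why it failed; never echoes the password. */
function diagnose_service_bind(string $host, int $port, string $user, string $pass): string
{
    $ds = ldap_connect("ldap://$host:$port"); // parses the URI only, no network I/O yet
    if ($ds === false) {
        return 'ldap_connect rejected the host/port';
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);
    if (@ldap_bind($ds, $user, $pass)) {
        return 'bind OK';
    }
    $errno = ldap_errno($ds);
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    $hints = [
        -1 => 'cannot reach server: check host, port, firewall',
        8  => 'server refuses cleartext simple binds: use StartTLS or ldaps',
        49 => 'credentials rejected: ' . (explain_ad_diagnostic((string) $diag) ?? 'no sub-code'),
    ];
    return sprintf('bind failed (%d %s) %s', $errno, ldap_error($ds), $hints[$errno] ?? (string) $diag);
}

// Constructed sample diagnostic string, so the parser can be exercised without a server.
echo explain_ad_diagnostic('80090308: LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 52e, v0000'), PHP_EOL;
```

For a live check, call `diagnose_service_bind(LDAP_HOST, (int) LDAP_PORT, LDAP_USER, LDAP_PASS)` with the settings quoted above. With `LDAP_SSL` set to `false` on port 389, the simple bind sends `LDAP_PASS` to the server unencrypted.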


#4

Interestingly enough, this worked perfectly on another install.

I’ll compare the two and see if I can find any differences.

Gerald