Hello, Thank you for your ldapextauth plugin module for gforge. I made some improvements to adapt it to my environment. I have an AD and I am using the sAMAccountName field as the login username, so your current implementation is unusable for me because it uses the username as the bind dn. I changed the way an account is validated: first, a login is attempted with the provided username and password by binding with dn=username; if that fails, a connection is made with a predefined user and password and the correct dn for the provided username is looked up, if any. The login is then retried with the updated dn.
After applying the patch, you have to add two new variables to config.php for the predefined bind dn. $sys_ldap_binddn = "cn=padl,cn=Users,dc=comune,dc=prato,dc=local"; $sys_ldap_bindpwd = "***********"; Leandro ----------------------- Dott. Leandro Dardini Comune di Prato Sistema Informativo Via Cairoli, 16 59100 - Prato (Italy) Phone : +39 0574615216 Fax : +39 0574615212
--- /usr/local/src/gforge-trunk.orig/gforge/plugins/ldapextauth/include/LdapExtAuthPlugin.class 2007-05-08 09:21:27.000000000 +0200
+++ ./plugins/ldapextauth/include/LdapExtAuthPlugin.class 2007-05-09 16:52:16.000000000 +0200
@@ -36,6 +36,8 @@
 $this->base_dn = $sys_ldap_dn ;
 $this->ldap_server = $sys_ldap_server ;
 $this->ldap_port = $sys_ldap_port ;
+ $this->ldap_binddn = $sys_ldap_binddn;
+ $this->ldap_bindpwd = $sys_ldap_bindpwd;
 if ($base_dn) {
 $this->base_dn = $base_dn ;
 }
@@ -71,7 +73,6 @@
 function AuthUser ($loginname, $passwd) {
 global $feedback,$Language;
-
 if (!$this->ldap_conn) {
 $this->ldap_conn = ldap_connect ($this->ldap_server, $this->ldap_port);
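Review bot: The two added assignments read `$sys_ldap_binddn` and `$sys_ldap_bindpwd` from the enclosing scope, but the hunk adds them to no `global` statement; if the constructor imports the other `$sys_ldap_*` settings with `global` above this hunk (outside the view), the new names have to be added there too, e.g. `global $sys_ldap_binddn, $sys_ldap_bindpwd;`, otherwise both properties stay null and the later service-account bind is attempted with an empty DN and empty password, which is an anonymous bind on most servers. It would also be safer for AuthUser to refuse the dn-recovery path when `$this->ldap_binddn` is empty rather than silently binding anonymously. The bind account configured in config.php only needs read access to the user subtree, which is worth stating next to the new settings. The constructor begins and ends outside this hunk.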
@@ -84,129 +85,156 @@ $GLOBALS['ldap_auth_failed']=true; return false; } - + $u = user_get_object_by_name ($loginname) ; - if ($u) { + if ($u) { // User exists in DB - if (@ldap_bind($this->ldap_conn, $dn, $passwd)) { - // Password from form is valid in LDAP - if (session_login_valid_dbonly ($loginname, $passwd, false)) { - // Also according to DB - $GLOBALS['ldap_auth_failed']=false; - return true ; - } else { - // Passwords mismatch, update DB's - $u->setPasswd ($passwd) ; - $GLOBALS['ldap_auth_failed']=false; - return true ; + // Try to connect using the provided dn + if (! @ldap_bind($this->ldap_conn, $dn, $passwd)) { + // user not authenticated, try recovering connection dn for user + if (@ldap_bind($this->ldap_conn, $this->ldap_binddn, $this->ldap_bindpwd)) { + if ($this->ldap_kind=="AD"){ + $res = ldap_search ($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ; + } else { + $res = ldap_read ($this->ldap_conn, $dn, "objectclass=*") ; + } + $info = ldap_get_entries ($this->ldap_conn,$res); + $ldapentry = $info[0] ; + + $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ; + $dn=$mappedinfo['binddn']; + if ( ! 
@ldap_bind($this->ldap_conn, $dn, $passwd)) { + $GLOBALS['ldap_auth_failed']=true; + $feedback=_('Invalid Password Or User Name'); + return false ; + } } - } else { - // Wrong password according to LDAP - $feedback=_('Invalid Password Or User Name'); - $GLOBALS['ldap_auth_failed']=true; - return false ; + } + // Password from form is valid in LDAP + if (session_login_valid_dbonly ($loginname, $passwd, false)) { + // Also according to DB + $GLOBALS['ldap_auth_failed']=false; + return true ; } } else { // User doesn't exist in DB yet - if (@ldap_bind($this->ldap_conn, $dn, $passwd)) { - // User authenticated - // Now get her info - if ($this->ldap_kind=="AD"){ - $res = ldap_search ($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ; - } else { - $res = ldap_read ($this->ldap_conn, $dn, "objectclass=*") ; - } - $info = ldap_get_entries ($this->ldap_conn,$res); - $ldapentry = $info[0] ; - - $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ; + // Try to connect using the provided dn + if (! 
@ldap_bind($this->ldap_conn, $dn, $passwd)) { + // user not authenticated, try recovering connection dn for user + if (@ldap_bind($this->ldap_conn, $this->ldap_binddn, $this->ldap_bindpwd)) { + if ($this->ldap_kind=="AD"){ + $res = ldap_search ($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ; + } else { + $res = ldap_read ($this->ldap_conn, $dn, "objectclass=*") ; + } + $info = ldap_get_entries ($this->ldap_conn,$res); + $ldapentry = $info[0] ; - // Insert into DB - $u = new User () ; - - $unix_name = $loginname ; - $firstname = '' ; - $lastname = '' ; - $password1 = $passwd ; - $password2 = $passwd ; - $email = '' ; - $mail_site = 1 ; - $mail_va = 0 ; - $language_id = 1 ; - $timezone = 'GMT' ; - $jabber_address = '' ; - $jabber_only = 0 ; - $theme_id = 1 ; - $unix_box = '' ; - $address = '' ; - $address2 = '' ; - $phone = '' ; - $fax = '' ; - $title = '' ; - $ccode = 'US' ; - $send_mail = false ; - - if ($mappedinfo['firstname']) { - $firstname = $mappedinfo['firstname'] ; - } - if ($mappedinfo['lastname']) { - $lastname = $mappedinfo['lastname'] ; - } - if ($mappedinfo['email']) { - $email = $mappedinfo['email'] ; - } - if ($mappedinfo['language_id']) { - $language_id = $mappedinfo['language_id'] ; - } - if ($mappedinfo['timezone']) { - $timezone = $mappedinfo['timezone'] ; - } - if ($mappedinfo['jabber_address']) { - $jabber_address = $mappedinfo['jabber_address'] ; - } - if ($mappedinfo['address']) { - $address = $mappedinfo['address'] ; - } - if ($mappedinfo['address2']) { - $address2 = $mappedinfo['address2'] ; - } - if ($mappedinfo['phone']) { - $phone = $mappedinfo['phone'] ; - } - if ($mappedinfo['fax']) { - $fax = $mappedinfo['fax'] ; - } - if ($mappedinfo['title']) { - $title = $mappedinfo['title'] ; - } - if ($mappedinfo['ccode']) { - $ccode = $mappedinfo['ccode'] ; - } - if ($mappedinfo['themeid']) { - $theme_id = $mappedinfo['themeid'] ; - } - - if (!$u->create ($unix_name,$firstname,$lastname,$password1,$password2,$email, - 
$mail_site,$mail_va,$language_id,$timezone,$jabber_address,$jabber_only,$theme_id, - $unix_box, $address, $address2, $phone, $fax, $title, $ccode, $send_mail)) { - $GLOBALS['ldap_auth_failed']=true; - $feedback = "<br>Error Creating User: ".$u->getErrorMessage(); - return false; - } - - if (!$u->setStatus ('A')) { + $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ; + $dn=$mappedinfo['binddn']; + if ( ! @ldap_bind($this->ldap_conn, $dn, $passwd)) { + $GLOBALS['ldap_auth_failed']=true; + $feedback=_('Invalid Password Or User Name'); + return false ; // Probably ignored, but just in case + } + } else { + $feedback=_('Invalid Password Or User Name for bind account'); $GLOBALS['ldap_auth_failed']=true; - $feedback = "<br>Error Activating User: ".$u->getErrorMessage(); - return false; + return false ; } - $GLOBALS['ldap_auth_failed']=false; - $GLOBALS['ldap_first_login']=true; - return true ; + } + // User authenticated + // Now get her info + if ($this->ldap_kind=="AD"){ + $res = ldap_search ($this->ldap_conn, $this->base_dn, "sAMAccountName=".$loginname) ; } else { + $res = ldap_read ($this->ldap_conn, $dn, "objectclass=*") ; + } + $info = ldap_get_entries ($this->ldap_conn,$res); + $ldapentry = $info[0] ; + + $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ; + + // Insert into DB + $u = new User () ; + + $unix_name = $loginname ; + $firstname = '' ; + $lastname = '' ; + $password1 = $passwd ; + $password2 = $passwd ; + $email = '' ; + $mail_site = 1 ; + $mail_va = 0 ; + $language_id = 1 ; + $timezone = 'GMT' ; + $jabber_address = '' ; + $jabber_only = 0 ; + $theme_id = 1 ; + $unix_box = '' ; + $address = '' ; + $address2 = '' ; + $phone = '' ; + $fax = '' ; + $title = '' ; + $ccode = 'US' ; + $send_mail = false ; + + if ($mappedinfo['firstname']) { + $firstname = $mappedinfo['firstname'] ; + } + if ($mappedinfo['lastname']) { + $lastname = $mappedinfo['lastname'] ; + } + if ($mappedinfo['email']) { + $email = $mappedinfo['email'] ; + } + if 
($mappedinfo['language_id']) { + $language_id = $mappedinfo['language_id'] ; + } + if ($mappedinfo['timezone']) { + $timezone = $mappedinfo['timezone'] ; + } + if ($mappedinfo['jabber_address']) { + $jabber_address = $mappedinfo['jabber_address'] ; + } + if ($mappedinfo['address']) { + $address = $mappedinfo['address'] ; + } + if ($mappedinfo['address2']) { + $address2 = $mappedinfo['address2'] ; + } + if ($mappedinfo['phone']) { + $phone = $mappedinfo['phone'] ; + } + if ($mappedinfo['fax']) { + $fax = $mappedinfo['fax'] ; + } + if ($mappedinfo['title']) { + $title = $mappedinfo['title'] ; + } + if ($mappedinfo['ccode']) { + $ccode = $mappedinfo['ccode'] ; + } + if ($mappedinfo['themeid']) { + $theme_id = $mappedinfo['themeid'] ; + } + if (!$u->create ($unix_name,$firstname,$lastname,$password1,$password2,$email, + $mail_site,$mail_va,$language_id,$timezone,$jabber_address,$jabber_only,$theme_id, + $unix_box, $address, $address2, $phone, $fax, $title, $ccode, $send_mail)) { + $GLOBALS['ldap_auth_failed']=true; + $feedback = "<br>Error Creating User: ".$u->getErrorMessage(); + return false; + } + + if (!$u->setStatus ('A')) { $GLOBALS['ldap_auth_failed']=true; - $feedback=_('Invalid Password Or User Name'); - return false ; // Probably ignored, but just in case + $feedback = "<br>Error Activating User: ".$u->getErrorMessage(); + return false; } + $GLOBALS['ldap_auth_failed']=false; + $GLOBALS['ldap_first_login']=true; + return true ; } } }
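Review bot: In the `if ($u)` branch, when the user's own bind fails and the service-account bind also fails, control falls through to `session_login_valid_dbonly`, so the password cached in the DB alone grants login and an account that was disabled or changed in LDAP stays usable — the `else` that the user-doesn't-exist branch has (`'Invalid Password Or User Name for bind account'`) is missing here. The same branch drops the old `setPasswd` path, so a user whose LDAP password changed and who binds successfully now falls off the end of the method with no return value and no feedback. In both branches `$info[0]` and `$mappedinfo['binddn']` are used without checking that `ldap_get_entries` returned an entry, so an unknown login is re-bound with an empty DN, and `$loginname` is interpolated unescaped into the `sAMAccountName=` filter, which is now evaluated under the privileged bind account before any user credential has been verified (use `ldap_escape($loginname, '', LDAP_ESCAPE_FILTER)` on PHP 5.6+). AuthUser's signature is in the preceding hunk, outside this one.
```php
if ($u) { // User exists in DB
    // Try to connect using the provided dn
    if (! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
        // user not authenticated, try recovering connection dn for user
        if (! @ldap_bind($this->ldap_conn, $this->ldap_binddn, $this->ldap_bindpwd)) {
            // Fail closed: without the service bind the user's LDAP credentials cannot be verified
            $GLOBALS['ldap_auth_failed']=true;
            $feedback=_('Invalid Password Or User Name for bind account');
            return false ;
        }
        // … unchanged: ldap_search / ldap_read for the user's entry …
        $info = ldap_get_entries ($this->ldap_conn,$res);
        if (!$info || $info['count'] < 1) {
            // No such user in the directory: do not fall through to a bind with an empty dn
            $GLOBALS['ldap_auth_failed']=true;
            $feedback=_('Invalid Password Or User Name');
            return false ;
        }
        $ldapentry = $info[0] ;
        $mappedinfo = plugin_ldapextauth_mapping ($ldapentry) ;
        $dn=$mappedinfo['binddn'];
        if (!$dn || ! @ldap_bind($this->ldap_conn, $dn, $passwd)) {
            $GLOBALS['ldap_auth_failed']=true;
            $feedback=_('Invalid Password Or User Name');
            return false ;
        }
    }
    // Password from form is valid in LDAP
    if (session_login_valid_dbonly ($loginname, $passwd, false)) {
        // Also according to DB
        $GLOBALS['ldap_auth_failed']=false;
        return true ;
    }
    // Passwords mismatch, update DB's (path restored from the previous version)
    $u->setPasswd ($passwd) ;
    $GLOBALS['ldap_auth_failed']=false;
    return true ;
}
// … unchanged: user-doesn't-exist branch (apply the same $info['count'] and empty-dn checks there) …
```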