On 30/01/2014 09:08, MOKRANI Rachid wrote:

Hi,

I am currently using DL 0.8. It is time to change to DL version 0.12.

My DL 0.8 source code was modified to allow user authentication directly with AD (with the help of Yuri). My auth.php (DL 0.8) file below works for AD user authentication and shows all the changes we need.

Now I have to make the same changes to the new version of DL. The auth.php file no longer exists, and the parameters of the new file sessauth.php have changed. Everything needs to be reproduced, and the source code modified again.

I think the ideal solution would be to use AD user authentication without having to modify the source code.

Does anyone use AD user authentication, and how do they do it?


You can use AD auth in apache (mod_authnz_ldap, or mod_krb5). See for example http://www.conigliaro.org/2008/12/31/active-directory-authentication-on-apache-with-mod_authnz_ldap/. I personally protect DL with LemonLDAP::NG, which can work with AD itself (well, if DL is the only app you want to protect, LemonLDAP::NG is probably overkill, but it's definitely possible).

Regards, Daniel

Regards.

Below is my auth.php (DL 0.8):

<?php

// initialize the session and authorization
function authenticate()
{
  global $db, $authRealm;

  // external authentication (built-in methods)
  foreach(Array('PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER') as $key)
  {
    if(isset($_SERVER[$key]))
    {
      $remoteUser = $_SERVER[$key];
      break;
    }
  }

  // authentication attempt
  if(!isset($remoteUser))
  {
    if(empty($_REQUEST['u']) || !isset($_POST['p']))
    {
      // simple logout
      return false;
    }
    $user = $_REQUEST['u'];
    $pass = md5($_POST['p']);
  }
  else
  {
    if(isset($_REQUEST['u']) && empty($_REQUEST['u']))
    {
      // remote logout
      Header('HTTP/1.0 401 Unauthorized');
      Header('WWW-Authenticate: Basic realm="' . $authRealm . '"');
      includeTemplate('style/include/rmtlogout.php');
      return null;
    }
    $user = $remoteUser;
  }

  // AD authentication: bind to the domain controller with the user's own credentials.
  // The password is read from $_POST only (never from the URL), and an empty password
  // is never sent: AD would treat it as an anonymous bind and report success.
  $mailutilisateur = '';
  if(!isset($remoteUser) && !empty($_POST['p']))
  {
    $dc = "YYYYYYYYYY";
    $domain = "XXXXXXXXX";
    $ldap = ldap_connect("ldap://" . $dc, 389);
    // AD only accepts LDAPv3 binds; referrals are disabled so searches do not chase other DCs
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    $mbpass = mb_convert_encoding($_POST['p'], "ISO-8859-1");
    $okpass = (@ldap_bind($ldap, $domain . '\\' . $user, $mbpass) ? true : false);
    if($okpass)
    {
      $remoteUser = $user;

      // Recover the email address from AD. The login is escaped before it goes into
      // the search filter (ldap_escape() needs PHP >= 5.6; older versions use the fallback).
      $safeUser = function_exists('ldap_escape')
        ? ldap_escape($user, '', LDAP_ESCAPE_FILTER)
        : str_replace(array('\\', '*', '(', ')', "\0"), array('\5c', '\2a', '\28', '\29', '\00'), $user);
      $filter = "(&(objectClass=user)(samaccountname=" . $safeUser . ")(cn=*))";
      $sr = @ldap_search($ldap, "OU=XXXXXXX,DC=XXXXX,DC=XXXXX", $filter, array('mail'));
      $info = ($sr !== false) ? ldap_get_entries($ldap, $sr) : false;
      if($info !== false && $info['count'] > 0 && isset($info[0]['mail'][0]))
        $mailutilisateur = $info[0]['mail'][0];
      // BEGIN add email if none exists
      if(empty($mailutilisateur))
        $mailutilisateur = "nore...@xxx.xx";
      // END : add email
      $_SESSION['mail'] = $mailutilisateur;
    }
    ldap_unbind($ldap);
  }

  // verify if we have administration rights
  $sql = "SELECT u.id, u.name, pass_md5, admin FROM user u"
    . " LEFT JOIN role r ON r.id = u.role_id"
    . " WHERE u.name = " . $db->quote($user);
  $DATA = $db->query($sql)->fetch();
  if($DATA !== false)
    $okpass = (isset($remoteUser) || ($pass === $DATA['pass_md5']));
  else
  {
    $okpass = isset($remoteUser);
    if($okpass)
    {
      // create a stub user and get the id
      $sql = "INSERT INTO user (name, role_id) VALUES (";
      $sql .= $db->quote($user);
      $sql .= ", (SELECT id FROM role WHERE name = 'user')";
      $sql .= ")";
      if($db->exec($sql) != 1) return false;

      // fetch defaults
      $sql = "SELECT u.id, u.name, admin FROM user u";
      $sql .= " LEFT JOIN role r ON r.id = u.role_id";
      $sql .= " WHERE u.name = " . $db->quote($user);
      $DATA = $db->query($sql)->fetch();
    }
  }
  if(!$okpass) return false;

  // ADD USER IN LOG FILE
  logEvent("Connexion de : $user - $mailutilisateur");
  // END
  return $DATA;
}

if(!isset($_SESSION["auth"]) || isset($_REQUEST['u']))
{
  $_SESSION["auth"] = authenticate();
  if($_SESSION["auth"] === null)
  {
    session_destroy();
    exit();
  }
}
?>




--
Daniel Berteaud
FIREWALL-SERVICES SARL.
Société de Services en Logiciels Libres
Technopôle Montesquieu
33650 MARTILLAC
Tel : 05 56 64 15 32
Fax : 05 56 64 15 32
Web : http://www.firewall-services.com
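As an added example (not part of the thread, and not DL project code), this is the Apache 2.4 mod_authnz_ldap configuration that Daniel's suggestion amounts to: the web server authenticates against AD and hands PHP a REMOTE_USER, which the auth.php above already accepts, so DL itself needs no LDAP code. Every host name, DN, group, service account and path is an assumed placeholder.

```apache
# Added example: Apache 2.4 front-end AD authentication for DL with mod_authnz_ldap.
# All names below are placeholders. Modules needed: ldap, authnz_ldap, ssl.

# CA that issued the domain controllers' LDAPS certificates (server scope, mod_ldap)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Location "/dl">
    # Basic auth resends the password with every request: only allow it over HTTPS
    SSLRequireSSL

    AuthType Basic
    AuthName "Download Ticket Service"
    AuthBasicProvider ldap

    # Find the account by sAMAccountName below the users OU over LDAPS (636).
    # The first attribute is matched against the login; every attribute listed is also
    # exported to PHP as AUTHENTICATE_<ATTR> (here AUTHENTICATE_MAIL), so the mailbox
    # lookup that auth.php does with ldap_search() is no longer needed in PHP.
    AuthLDAPURL "ldaps://dc1.example.com:636/OU=Users,DC=example,DC=com?sAMAccountName,mail?sub?(objectClass=user)"

    # AD refuses anonymous searches: a read-only service account performs the lookup.
    # The user's own password is then checked by binding as the DN the search returned.
    # The exec: form (Apache 2.4.5+) keeps the secret out of the config file.
    AuthLDAPBindDN "CN=svc-dl-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "exec:/etc/apache2/dl-ldap-password.sh"

    # REMOTE_USER stays the short login rather than the DN, matching DL's user table
    AuthLDAPRemoteUserAttribute sAMAccountName

    # Authorize only members of one AD group; AD stores group members as DNs in "member"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=DL-Users,OU=Groups,DC=example,DC=com
</Location>
```

Failed binds and group refusals are logged by Apache (LogLevel authnz_ldap_module:info shows the reason), which gives a single audit point for access to DL instead of the application's own log line.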
