Topic: [Plugin] LDAP Authentication Plugin


#1: 11-Dec-2006, 04:20 PM

puki1400
Posts: 11

Hello All...
I've decided to work on an LDAP authentication plugin (why not?).

Anyway, I took the IMAP auth plugin and tried to modify it to work with LDAP, but it's not working. Here's the code:
Code:
/* <?php
 *  Written by: Samuel Gammon
 *  Based on the IMAP authentication plugin by Adam Crownoble
 *  Contact: samusweb@gmail.com
 *  Created: 12/10/2005
 *  Name: LDAP Authentication
 *  For: MODX CMS (modxcms.com)
 *
 *  Code Type: Plugin
 *  Description: Authenticate against an LDAP server
 *  Configuration: &server=IMAP Server;string;[your ldap server url]
 *                 &port=IMAP Port;int;993
 *                 &ssl=SSL;list;Yes,No;Yes
 *                 &validate_ssl_cert=Validate SSL Certificate;list;Yes,No;Yes
 *                 &ldap_user=LDAP Username;string;[YOUR LDAP USER NAME]
 *                 &ldap_pass=LDAP Password;string;[YOUR LDAP PASSWORD]
 *
 *  Events: OnManagerAuthentication and/or OnWebAuthentication
 */

/*
                             License

LDAP Authentication - A MODx plugin that allows authentication against an LDAP server
Copyright (C) 2005  Adam Crownoble

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

*/

// Pseudo Constants
$eventId = 0;
//$box = "INBOX";
$eventName = $modx->Event->activePlugin;

// Generate flags
//$flags = '/ldap';
//if($ssl == 'Yes') $flags .= '/ssl';
//if($validate_ssl_cert != 'Yes') $flags .= '/novalidate-cert';

// Assume authentication failed
$success = false;

// If LDAP extension not installed...
if(!function_exists('ldap_connect')) {

 // Get the event's
 if($eventName == 'OnManagerAuthentication') {
  $eventId = 81;
 } elseif($eventName == 'OnWebAuthentication') {
  $eventId = 79;
 }

 // Log an error
 $modx->logEvent($eventId, 3, 'The PHP LDAP extension must be enabled for the IMAP Authentication plugin to work.', 'IMAP Authentication Plugin');

// If the LDAP extension exists...
} else {

 // Attempt to open an LDAP connection to the server using the given username and password
 // If the connection fails PHP will throw an error so we use @ to suppress it

//--------------LDAP CONNECT START

  $ldap_connection = @ldap_connect("$server:$port")
if ($ldap_connection) {
  $ldap_authenticate = ldap_bind($ldap_connection, $ldap_user, $ldap_pass);
     if ($ldap_authenticate) {

  $dn = "cn=$username"; //the object itself instead of the top search level as in ldap_search
  $filter="(objectclass=*)"; // this command requires some filter
  $justthese = array("cn", "pass", "mail"); //the attributes to pull, which is much more efficient than pulling all attributes if you don't do this
     $sr=ldap_read($ldap_connection, $dn, $filter, $justthese);
         $entry = ldap_get_entries($ds, $sr);

$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real

if ($password = $pass_real) {
 $sucess = true;
}
} else {
$sucess = false;
} else {
$error = "Could not authenticate to LDAP server to search for username and pass.";
} else {
$error = "Could not connect to LDAP server.";
}

ldap_close($ldap_connection);

 }

}
if ($error) {
echo $error;
}
// Return the success boolean
$modx->Event->output($success);


What say the MODx community? I'm REALLY desperate to make this work.

Instead of spitting out an error when I configure it for the wrong server, it authenticates just fine. I'm not sure whether it is authenticating through SQL or LDAP, even in the Audit Trail.

Thanks in advance for help.

mod note: added code tags.
« Last Edit: 12-Dec-2006, 01:15 PM by puki1400 »

#2: 27-Dec-2006, 05:05 AM

Coding Team

doze
Posts: 4,099

....Boom!

Hello, just noticed this thread, so a little late reply, but looking at your code, shouldn't:

ldap_get_entries($ds, $sr);

be:

ldap_get_entries($ldap_connection, $sr);

and:

$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real

be:

$mail_real = $entry[0]["mail"][0];
$pass_real = $entry[0]["pass"][0];

and then you have that if ($password = $pass_real) conditional there, but I don't see where $password comes from.. so those are wrong at least, didn't look at the logic yet.
New MODx wiki! Please help up with documentation efforts! || Old Wiki

"He can have a lollipop any time he wants to. That's what it means to be a programmer."

#3: 28-Dec-2006, 02:02 PM

puki1400
Posts: 11

I actually don't know, I have no experience whatsoever in plugin writing.
All I changed from the IMAP plugin (which seemed to work) was the connection string, and the variables (which I thought I replaced). I'll try what you found, thanks.

Also: is there any way to have user groups with an authentication plugin such as this one?

#4: 28-Dec-2006, 02:23 PM

Coding Team

doze
Posts: 4,099

....Boom!

The imap plugin seems to use $username and $userpassword variables that are not initialized in it, I guess those hold the username/password from MODx login on that event, so you might want to change:

if ($password = $pass_real) {
 $sucess = true;
}

to:

if ($userpassword == $pass_real) {
 $sucess = true;
}

Do you mean with the user groups question, that you would want MODx to use the usergroups from LDAP or what?

#5: 28-Dec-2006, 03:08 PM

puki1400
Posts: 11

Well, I make heavy use of the usergroups function for access permissions.
Can a user's group be retrieved via an LDAP field (I know it can be retrieved, but can it be passed on to the MODx system)?

#6: 29-Dec-2006, 05:39 PM

Coding Team

doze
Posts: 4,099

....Boom!

You'd need to do some synchronization module to retrieve (and create) usergroups from LDAP to MODx.. And you know that even if you make this LDAP plugin, you still need to have all the users from LDAP in MODx too with the same user names.. At least that's what I think, someone correct me if I'm wrong. So you need some synchronization module to do that too.

In future versions (1.0), it will be easier to have the users to come from LDAP or AD or IMAP or SMF or whatever or all combined, but you can get more info about that when the time comes..

#7: 30-Dec-2006, 01:12 PM

puki1400
Posts: 11

When is V1.0 coming out then?

#8: 30-Dec-2006, 01:18 PM

Coding Team

doze
Posts: 4,099

....Boom!

There aren't any fixed time frames, but I suspect that you have something by the next Christmas..

#9: 30-Dec-2006, 01:24 PM

puki1400
Posts: 11

Cool. I think I can wait that long.

Thanks for the help, I'll mark this as officially closed in my book. Thanks for the help, doze!
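
Added example, not code from this thread or from MODx: the check that posts #1 to #4 are debugging, done by finding the user's DN and binding as that user instead of reading a `pass` attribute and comparing it. The server URI, base DN, `uid` attribute and the function name are assumptions; `$username`, `$userpassword`, `$ldap_user` and `$ldap_pass` are the names used in the thread.

```php
<?php
// Added example: search-then-bind LDAP check (needs ext-ldap, PHP >= 5.6).
// Assumed placeholders: the server URI, the base DN and the "uid" attribute.

function ldap_check_login($uri, $baseDn, $svcDn, $svcPass, $username, $userpassword)
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which
    // some servers accept, so reject it before contacting the directory.
    if ($username === '' || $userpassword === '') {
        return false;
    }

    // ldap_connect() only validates the URI; the network connection is made
    // at the first bind, so a wrong server shows up as a failed bind below.
    $conn = ldap_connect($uri);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $ok = false; // fail closed: only a successful user bind sets this to true

    // 1. Bind with the plugin's service account ($ldap_user / $ldap_pass).
    if (@ldap_bind($conn, $svcDn, $svcPass)) {
        // 2. Find the user's DN; escaping keeps the name from altering the filter.
        $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $sr = @ldap_search($conn, $baseDn, $filter, array('cn'));
        $entries = $sr ? ldap_get_entries($conn, $sr) : false;

        // 3. Require exactly one match, then let the server verify the password
        //    by binding as that user. No password attribute is read or compared.
        if ($entries && $entries['count'] === 1) {
            $ok = @ldap_bind($conn, $entries[0]['dn'], $userpassword);
        }
    }
    ldap_unbind($conn);
    return $ok;
}

// Possible use in the plugin body, in place of the ldap_read()/compare block.
// Note the result goes into $success, the variable Event->output() receives:
// $success = ldap_check_login('ldaps://ldap.example.org:636', 'dc=example,dc=org',
//                             $ldap_user, $ldap_pass, $username, $userpassword);
// $modx->Event->output($success);
```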

#10: 1-Mar-2007, 03:24 AM

dwalters
Posts: 8

The project I'm working on requires LDAP access before Dec 2007, so I'd be very interested to have a go at coding this plugin.

One way I see this working is like this. When the manager logs in to view the 'Web users' page s/he would see the list of existing MODx users (if any) and also a list of users from the LDAP server. The manager could then choose which of the available LDAP users to convert to MODx members. Does this sound like a reasonable scheme?

Being new to MODx I'm unsure how to go about implementing this. Doze mentions (above) the need to write a synchronisation module to convert LDAP users to MODx members. Does anyone have any pointers regarding the inner workings of the MODx web user creation process that would help me get under way?

Thanks for your help.

#11: 1-Mar-2007, 06:33 AM

Coding Team

doze
Posts: 4,099

....Boom!

The SMF integration module converts SMF users to MODx users, you could look at that for some example code.

#12: 22-Feb-2008, 06:16 PM

Guest
Hi,

Sorry for "waking up" this thread, but I would like to know whether there are plans for LDAP support in the upcoming release?

I'm depending on the LDAP support, for choosing MODx running our organisation site, with about 8000 members already registered in an LDAP database.

Best regards

Søren

#13: 17-Nov-2008, 06:02 PM

unclespencer
Posts: 49

any news on this technology?

#14: 18-Nov-2008, 12:30 PM

leapy
Posts: 88

Nothing at all. Which is a shame.

I could use LDAP but wouldn't know where to start, hence my post of some months ago at http://modxcms.com/forums/index.php/topic,27208.0.html.

L

#15: 18-Nov-2008, 05:26 PM

Coding Team

BobRay
Posts: 5,354

I wrote an LDAP authentication routine in PHP a long, long time ago. I don't have it any more, but I wouldn't think it would be that hard to do for MODx. The development needs to be done by someone with access to an LDAP system, though, which leaves me out.



MODx info for newbies: http://bobsguides.com/MODx.html

#16: 2-Feb-2009, 10:31 PM

SD
Posts: 17

I've been following this topic for about a year.. as with others, never really had the time to look into developing this properly although I've developed and tested various PHP LDAP routines for my environment, so I *would* be well placed to dive in and get something happening quickly.  But like I said, time is an issue and unfortunately I don't have enough of it right now to do this and do it right.  And this might not even be an issue any more if "Revolution" will ship with an LDAP module (I've heard whispers, may be completely unfounded though).

I've had success with the PHP LDAP plugins from Drupal and WordPress, so if someone is after some "inspiration" to get going quickly, these might be a good place to start (I haven't looked at licenses for those however but I assume all would be fine to borrow some code from those projects).

If someone can take the lead (set up a repository, work out the required plugin architecture and interoperability with the internals of MODx user auth for Evolution and Revolution) I'd be happy to contribute in my off time.. let me know.

#17: 3-Feb-2009, 11:25 AM

Foundation

rthrash
Posts: 11,348

LDAP won't ship with Revo.
MODx is a content management framework that allows web professionals to turn over sites to end-users for daily maintenance without worrying. Please help us help you when asking for assistance and read the wiki. Searching the forums from the top level helps, too.
Ryan Thrash
MODx Co-Founder
Principal @ Collabpad
work productively.
work intelligently.
work together.

#18: 3-Feb-2009, 07:34 PM

SD
Posts: 17

Okay great, thanks for clearing that up!

#19: 26-Feb-2009, 10:02 AM


feamsr00
Posts: 1

Hey Guys,

I'm yet another person looking for LDAP support but with no time to code it (not anytime soon at least). If someone just wanted access to an LDAP server to use as a reference implementation, I could probably provide that sometime soon. Please feel free to post or PM me.
« Last Edit: 25-Mar-2009, 10:43 AM by feamsr00 »

#20: 20-Mar-2009, 09:34 AM

m3t00
Posts: 1

Hello MODx community,
    I've been trying out various PHP frameworks with a list of criteria. LDAP/Active Directory is critical because we intend to use a huge existing Windows/AD account database for access to our PHP based content. Unfortunately, most frameworks/CMS are geared toward startup blog/forum sites with email registration ad hoc account creation.
    We still need a RAD framework and plan to implement the LDAP/AD authentication into whichever framework we finally go with.

http://adldap.sourceforge.net/ has most of the bases covered on the LDAP/AD technical end.

MODx looks very promising and depending on how the rest of our testing goes I hope to get even more involved in the future.

Thanks,
Mike