puki1400
Jr. Member

Posts: 11
« on: Dec 11, 2006, 04:20 PM »
Hello All... I've decided to work on an LDAP authentication plugin (why not?). Anyway, I took the IMAP auth plugin and tried to modify it to work with LDAP, but it's not working. Here's the code:
/* <?php
 * Written by: Samuel Gammon
 * Based on the IMAP authentication plugin by Adam Crownoble
 * Contact: samusweb@gmail.com
 * Created: 12/10/2005
 * Name: LDAP Authentication
 * For: MODX CMS (modxcms.com)
 * Code Type: Plugin
 * Description: Authenticate against an LDAP server
 * Configuration: &server=IMAP Server;string;[your ldap server url] &port=IMAP Port;int;993 &ssl=SSL;list;Yes,No;Yes &validate_ssl_cert=Validate SSL Certificate;list;Yes,No;Yes &ldap_user=LDAP Username;string;[YOUR LDAP USER NAME] &ldap_pass=LDAP Password;string;[YOUR LDAP PASSWORD]
 * Events: OnManagerAuthentication and/or OnWebAuthentication
 */
/* License
LDAP Authentication - A MODx plugin that allows authentication against an LDAP server Copyright (C) 2005 Adam Crownoble
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
// Pseudo Constants
$eventId = 0;
//$box = "INBOX";
$eventName = $modx->Event->activePlugin;

// Generate flags
//$flags = '/ldap';
//if($ssl == 'Yes') $flags .= '/ssl';
//if($validate_ssl_cert != 'Yes') $flags .= '/novalidate-cert';

// Assume authentication failed
$success = false;

// If LDAP extension not installed...
if(!function_exists('ldap_connect')) {

// Get the event's
if($eventName == 'OnManagerAuthentication') { $eventId = 81; }
elseif($eventName == 'OnWebAuthentication') { $eventId = 79; }

// Log an error
$modx->logEvent($eventId, 3, 'The PHP LDAP extension must be enabled for the IMAP Authentication plugin to work.', 'IMAP Authentication Plugin');

// If the LDAP extension exists...
} else {

// Attempt to open an LDAP connection to the server using the given username and password
// If the connection fails PHP will throw an error so we use @ to suppress it

//--------------LDAP CONNECT START
$ldap_connection = @ldap_connect("$server:$port")
if ($ldap_connection) {
$ldap_authenticate = ldap_bind($ldap_connection, $ldap_user, $ldap_pass);
if ($ldap_authenticate) {

$dn = "cn=$username"; //the object itself instead of the top search level as in ldap_search
$filter="(objectclass=*)"; // this command requires some filter
$justthese = array("cn", "pass", "mail"); //the attributes to pull, which is much more efficient than pulling all attributes if you don't do this
$sr=ldap_read($ldap_connection, $dn, $filter, $justthese);
$entry = ldap_get_entries($ds, $sr);

$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real

if ($password = $pass_real) { $sucess = true; }
} else { $sucess = false; }
else { $error = "Could not authenticate to LDAP server to search for username and pass."; }
else { $error = "Could not connect to LDAP server."; }

ldap_close($ldap_connection);

}

}
if ($error) { echo $error; }
// Return the success boolean
$modx->Event->output($success);
What say the MODx community? I'm REALLY desperate to make this work. Instead of spitting out an error when I configure it for the wrong server, it authenticates just fine. I'm not sure whether it is authenticating through SQL or LDAP, even in the Audit Trail. Thanks in advance for help.
mod note: added code tags.
« Last Edit: Dec 12, 2006, 01:15 PM by puki1400 »
Logged
doze
Coding Team

Posts: 3,660
....Boom!
« Reply #1 on: Dec 27, 2006, 05:05 AM »
Hello, just noticed this thread, so a little late reply, but looking at your code, shouldn't:
ldap_get_entries($ds, $sr);
be:
ldap_get_entries($ldap_connection, $sr);
and:
$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real
be:
$mail_real = $entry[0]["mail"][0];
$pass_real = $entry[0]["pass"][0];
and then you have that if ($password = $pass_real) conditional there, but I don't see where $password comes from.. so those are wrong at least, didn't look at the logic yet.
Logged
puki1400
Jr. Member

Posts: 11
« Reply #2 on: Dec 28, 2006, 02:02 PM »
I actually don't know, I have no experience whatsoever in plugin writing. All I changed from the IMAP plugin (which seemed to work) was the connection string, and the variables (which I thought I replaced). I'll try what you found, thanks. Also: is there any way to have user groups with an authentication plugin such as this one?
Logged
doze
Coding Team

Posts: 3,660
....Boom!
« Reply #3 on: Dec 28, 2006, 02:23 PM »
The IMAP plugin seems to use $username and $userpassword variables that are not initialized in it, I guess those hold the username/password from MODx login on that event, so you might want to change:
if ($password = $pass_real) { $sucess = true; }
to:
if ($userpassword == $pass_real) { $sucess = true; }
Do you mean with the user groups question, that you would want MODx to use the usergroups from LDAP or what?
Logged
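The password check discussed above, done by binding to the directory as the user instead of reading a password attribute and comparing it in PHP. This is an added example, not code from the thread or from MODx; the function name ldap_check_login, the $cfg keys, the uid attribute and the example.org values are assumptions.

```php
<?php
// Added example, not the thread's plugin: verify a login by binding as the user.
// The $cfg keys (uri, bind_dn, bind_pw, base_dn) and the uid attribute are assumptions.
function ldap_check_login(array $cfg, string $username, string $password): bool
{
    // An empty password turns a simple bind into an unauthenticated bind,
    // which many servers accept, so reject it before touching the directory.
    if ($username === '' || $password === '') {
        return false;
    }
    // ldap_connect() only prepares a handle; an unreachable or wrong server
    // is first noticed when ldap_bind() fails below.
    $conn = @ldap_connect($cfg['uri']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    $ok = false;
    // Step 1: bind with the service account only to locate the user's DN.
    if (@ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_pw'])) {
        // Escape the login name so it cannot alter the search filter.
        $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $sr = @ldap_search($conn, $cfg['base_dn'], $filter, array('uid'));
        $entries = $sr ? ldap_get_entries($conn, $sr) : false;
        // Require exactly one match; zero or several results mean "deny".
        if ($entries !== false && $entries['count'] === 1) {
            // Step 2: the server checks the password, so the stored password
            // never has to be readable by the web application.
            $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
        }
    }
    ldap_unbind($conn);
    return $ok;
}

// Constructed sample configuration; every value is a placeholder.
$cfg = array(
    'uri'     => 'ldaps://ldap.example.org:636',
    'bind_dn' => 'cn=modx-reader,dc=example,dc=org',
    'bind_pw' => 'service-account-password',
    'base_dn' => 'ou=people,dc=example,dc=org',
);
// An empty password is rejected before any LDAP call is made.
var_dump(ldap_check_login($cfg, 'alice', ''));
```

Every failure path returns false, so a wrong server, a failed service bind or an ambiguous search denies the login instead of falling through to success.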
puki1400
Jr. Member

Posts: 11
« Reply #4 on: Dec 28, 2006, 03:08 PM »
Well, I make heavy use of the usergroups function for access permissions. Can a user's group be retrieved via an LDAP field (I know it can be retrieved, but can it be passed on to the MODx system)?
Logged
doze
Coding Team

Posts: 3,660
....Boom!
« Reply #5 on: Dec 29, 2006, 05:39 PM »
You'd need to do some synchronization module to retrieve (and create) usergroups from LDAP to MODx.. And you know that even if you make this LDAP plugin, you still need to have all the users from LDAP in MODx too with the same user names.. At least that's what I think, someone correct me if I'm wrong. So you need some synchronization module to do that too.
In future versions (1.0), it will be easier to have the users come from LDAP or AD or IMAP or SMF or whatever or all combined, but you can get more info about that when the time comes..
Logged
puki1400
Jr. Member

Posts: 11
« Reply #6 on: Dec 30, 2006, 01:12 PM »
When is V1.0 coming out then?
Logged
doze
Coding Team

Posts: 3,660
....Boom!
« Reply #7 on: Dec 30, 2006, 01:18 PM »
There aren't any fixed time frames, but I suspect that you have something by the next Christmas..
Logged
puki1400
Jr. Member

Posts: 11
« Reply #8 on: Dec 30, 2006, 01:24 PM »
Cool. I think I can wait that long. Thanks for the help, I'll mark this as officially closed in my book. Thanks for the help, doze!
Logged
dwalters
Jr. Member

Posts: 8
« Reply #9 on: Mar 01, 2007, 03:24 AM »
The project I'm working on requires LDAP access before Dec 2007, so I'd be very interested to have a go at coding this plugin.
One way I see this working is like this. When the manager logs in to view the 'Web users' page s/he would see the list of existing MODx users (if any) and also a list of users from the LDAP server. The manager could then choose which of the available LDAP users to convert to MODx members. Does this sound like a reasonable scheme?
Being new to MODx I'm unsure how to go about implementing this. Doze mentions (above) the need to write a synchronisation module to convert LDAP users to MODx members. Does anyone have any pointers regarding the inner workings of the MODx web user creation process that would help me get under way?
Thanks for your help.
Logged
doze
Coding Team

Posts: 3,660
....Boom!
« Reply #10 on: Mar 01, 2007, 06:33 AM »
The SMF integration module converts SMF users to MODx users, you could look at that for some example code.
Logged
sorenmalling
Guest
« Reply #11 on: Feb 22, 2008, 06:16 PM »
Hi,
Sorry for "waking up" this thread, but I would like to know whether there are plans for LDAP support in the upcoming release?
I'm depending on the LDAP support, for choosing MODx running our organisation site, with about 8000 members already registered in an LDAP database.
Best regards
Søren
Logged
unclespencer
Jr. Member

Posts: 33
« Reply #12 on: Nov 17, 2008, 06:02 PM »
any news on this technology?
Logged
BobRay
Coding Team

Posts: 3,175
« Reply #14 on: Nov 18, 2008, 05:26 PM »
I wrote an LDAP authentication routine in PHP a long, long time ago. I don't have it any more, but I wouldn't think it would be that hard to do for MODx. The development needs to be done by someone with access to an LDAP system, though, which leaves me out.
Logged