Hi Roland :)

> Do you get the DN/user and plain text password from CAS?
> Usually, CAS returns only a token. How did you manage it to use the
> CAS data to login to LDAP?

Ok let's talk about it ! ;-)

The CAS Server gives me a ticket and some other attributes about the
user logged in : dn, memberof groups, etc. But not the password ! it
remains stored "far far away" :-P in the LDAP directory :)

LAM starts the usual ldap connection with an account that can only read
the whole sub tree. Using user's DN and the tree suffix, the user is
then jailed in its subtree. When modifying something, he acts as
himself (not cn=reader anymore). I also check he's got the right
memberof group ... to let in only gentle people ;-)

Let's see how I've done this.

Except the config pages, the main hacks are only LDAP class and
login/logout pages :-) there's also a little bit of slapd config...

Here are some snippets ; ** ==> don't bite me, it's still beta !! <== **
;-)

  * *First, login!*


I've renamed login.php to login.classic.php, and added a login.cas.php
that handles the phpCAS stuff.
I've created a new login.php page that deals with the auth method ('CAS'
or 'classic', stored in config.inc) :
> switch ($_SESSION["cfgMain"]->getAuthType()) {
>     case LAMCfgMain::AUTH_CAS:
>         metaRefresh("login.cas.php?".$_SERVER['QUERY_STRING']); // query string needed for logout
>         break;
>
>     case (LAMCfgMain::AUTH_CLASSIC):
>         metaRefresh("login.classic.php");
>         break;
>     default:
>         logNewMessage(LOG_ERR, "Unknown Auth type '".$_SESSION["cfgMain"]->getAuthType()."' - please review global config file");
>         StatusMessage("ERROR", "Unknown Auth type", "'".$_SESSION["cfgMain"]->getAuthType()."' - please review global config file", NULL, false);
>         die();
> }
In login.cas.php, I've implemented a basic phpCAS client. This page
instantiates a new Ldap object like this:
>     $searchDN = 'cn=reader,dc=myroot,dc=fr'; // my read only user
>     $searchPassword = '***';
>     $searchSuccess = true;
>     $searchError = '';
>     $_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
>     $searchLDAPResult = $_SESSION['ldap']->connect($searchDN, $searchPassword, true);
Nothing tremendous there, is it? The trick is further in ldap.inc ;)
But before jumping into this class, we need to have a look at slapd config.

  * *Then, a bit of config*


The authzid is setup in ldap directory config (acl).

> $ sudo ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
> ...
> olcAccess: {3}to dn.subtree="o=entitytest,dc=myroot,dc=fr" by group="cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr" write by * break
I've modified cn=reader in my ldap directory to add this attribute :
> authzTo: {0}dn.regex=^uid=[^,]*,ou=people,o=entitytest,dc=myroot,dc=fr

that lets cn=reader auth as uid=thephpcasuser,o=entitytest, since
uid=thephpcasuser is memberOf
cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr

Are you still there ? :-P   Ok, continue ! :-)

So, who am i finally ?
> $ ldapwhoami -x -H ldapi:/// -D cn=reader,dc=myroot,dc=fr -wtest -e '!authzid=dn:uid=thephpcasuser,ou=people,o=entitytest,dc=myroot,dc=fr'
> dn:uid=thephpcasuser,ou=people,o=entitytest,dc=myroot,dc=fr
Hey, here is cn=reader acting as uid=thephpcasuser =-O

  * *Finally, "la classe"* :-)

In ldap.inc:

  * I've added a private $authzid attribute that stores the DN of the
    phpCAS user
  * in function connect(), I've added a call (after the bind) to a
    function named setProxyAuth() that uses this authzid to "auth as":

>     public function setProxyAuth() {
>         if (!empty ($_SESSION['cfgMain']) && $_SESSION['cfgMain']->getCasEnableAuthAs()) {
>             // Search user's main domain DN
>             // TODO FIX ALL code below, this is UGLY !
>             $domainCode = phpCAS::getAttributes()['authDomain'];
>             $domainDN = "";
>
>             // each o=entity,dc=myroot,dc=fr contains two nodes : ou=groups & ou=people (users)
>             // in the phpCAS user, I don't have the complete dn of its entity, just a code
>             // each o=entity,dc=myroot,dc=fr has a destinationIndicator that matches the phpCAS user attribute 'authDomain'
>             $searchResult = @ldap_search(
>                 $this->server,
>                 "dc=myroot,dc=fr",
>                 "destinationIndicator=$domainCode",
>                 array ('o'),
>                 0, 0, 0, LDAP_DEREF_NEVER);
>
>             // only use the first entry if the search actually returned one
>             if ($searchResult != false && ldap_count_entries($this->server, $searchResult) > 0) {
>                 $searchInfo = ldap_get_entries($this->server, $searchResult);
>                 $domainDN = $searchInfo[0]['dn'];
>             }
>
>             $user = phpCAS::getUser();
>             $userdn = sprintf('uid=%s,ou=people,%s', $user, $domainDN);
>             #
>             # Check to see if the directory server supports the
>             # Proxied Authorization control
>             #
>             $r = @ldap_read($this->server, '', 'objectclass=*', array ('supportedControl'));
>             if ($r) {
>                 $results = @ldap_get_entries($this->server, $r);
>                 if ($results['count'] == 0) {
>                     logNewMessage(LOG_ERR, 'Could not read Root DSE');
>                     return ldap_errno($this->server);
>                 }
>                 if ($results[0]['supportedcontrol']['count'] == 0) {
>                     return 'Could not find any supportedControl attributes in Root DSE';
>                 }
>                 $found_ctrl = 0;
>                 for ($i = 0; $i < $results[0]['supportedcontrol']['count']; $i++) {
>                     if ($results[0]['supportedcontrol'][$i] == '2.16.840.1.113730.3.4.18') {
>                         $found_ctrl = 1;
>                     }
>                 }
>                 if ($found_ctrl == 0) {
>                     logNewMessage(LOG_ERR, 'Proxied Authorization control is not supported');
>                     return ldap_errno($this->server);
>                 }
>             } else {
>                 logNewMessage(LOG_ERR, 'Root DSE Search failed : ' . @ldap_error($this->server));
>                 return @ldap_error($this->server);
>             }
>             $proxy_auth_ctrl = array (
>                 'oid' => '2.16.840.1.113730.3.4.18',
>                 'value' => "dn:" . $userdn,
>                 'iscritical' => true
>             );
>             if (!ldap_set_option($this->server, LDAP_OPT_SERVER_CONTROLS, array ($proxy_auth_ctrl))) {
>                 logNewMessage(LOG_ERR, 'Could not set Proxy Auth control');
>                 return ldap_errno($this->server);
>             } else {
>                 logNewMessage(LOG_DEBUG, "Using authzid " . $userdn);
>             }
>             $this->authzid = $userdn;
>             return true;
>         }
>     }

function decrypt_login() has also been modified a little bit to add
$authzid to the ret array, which lets me print the real user when editing a
user or a group (when calling edit.php in the browser, main_header.php is
modified to replace $userData[0] by $userData[2]).

Et voilà ! all this stuff is working, but I need to reread my code ...
and raise my nose of my keyboard...

Finally, I've also modified a little bit the config/* files (main.php,
confmain.php and mainmanage.php) because everything is now casified !!
No password needed anymore to manage configs ! I've coded that only
users memberof cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr AND
(that's my need) users from a precise
ou=people,o=BigBrotherEntity,dc=myroot,dc=fr are let into
/templates/config/index.php ; so that a cn=ad_admin member can manage
its subtree, but can't modify the config file, except if he's from
o=BigBrotherEntity

What do you think about all this ?

Have a good night :-P
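A fail-closed variant of the setProxyAuth() idea above, added here as an example; it is not the mail author's or LAM's code. It assumes PHP >= 7.2 with ext/ldap (ldap_escape, ldap_exop_whoami), an already bound read-only connection in $ldap (the cn=reader account), and the tree layout from the mail; proxyAuthAs and PROXY_AUTHZ_OID are hypothetical names. It escapes the CAS-supplied values, stops when the server does not advertise the control, and confirms with a whoami that the authzid was really applied before any write happens.

```php
<?php
// Added example (not LAM's or the mail author's code). Assumes PHP >= 7.2
// with ext/ldap, a bound read-only connection in $ldap (cn=reader) and the
// mail's layout: o=<entity>,dc=myroot,dc=fr carries destinationIndicator,
// with ou=people below it. Hypothetical names: proxyAuthAs, PROXY_AUTHZ_OID.
const PROXY_AUTHZ_OID = '2.16.840.1.113730.3.4.18'; // RFC 4370 control

function proxyAuthAs($ldap, string $domainCode, string $user): string
{
    // 1. CAS attributes are untrusted input for LDAP purposes: escape them
    //    before use in a filter or a DN so they cannot widen the search or
    //    alter the DN structure (and so stay inside cn=reader's authzTo regex).
    $filter = '(destinationIndicator='
        . ldap_escape($domainCode, '', LDAP_ESCAPE_FILTER) . ')';
    $res = ldap_search($ldap, 'dc=myroot,dc=fr', $filter, ['o']);
    if ($res === false || ldap_count_entries($ldap, $res) !== 1) {
        throw new RuntimeException('entity lookup did not return exactly one entry');
    }
    $domainDN = ldap_get_dn($ldap, ldap_first_entry($ldap, $res));
    $userdn = sprintf('uid=%s,ou=people,%s',
        ldap_escape($user, '', LDAP_ESCAPE_DN), $domainDN);
    $authzid = 'dn:' . $userdn;

    // 2. Refuse to continue if the server does not advertise the control;
    //    otherwise later writes would silently run with cn=reader's rights.
    $dse = ldap_read($ldap, '', '(objectClass=*)', ['supportedControl']);
    $entries = $dse ? ldap_get_entries($ldap, $dse) : false;
    $supported = ($entries && $entries['count'] > 0) ? ($entries[0]['supportedcontrol'] ?? []) : [];
    if (!in_array(PROXY_AUTHZ_OID, $supported, true)) {
        throw new RuntimeException('server does not support proxied authorization');
    }

    // 3. Mark the control critical: the server must apply it to every
    //    operation or reject the operation, never ignore it.
    $ctrl = ['oid' => PROXY_AUTHZ_OID, 'iscritical' => true, 'value' => $authzid];
    if (!ldap_set_option($ldap, LDAP_OPT_SERVER_CONTROLS, [$ctrl])) {
        throw new RuntimeException('could not set proxied authorization control');
    }

    // 4. Ask the server who we are now, as the ldapwhoami test in the mail
    //    does, and fail closed (drop the connection) on any mismatch.
    //    strcasecmp tolerates a case-normalised DN coming back.
    $who = ldap_exop_whoami($ldap);
    if ($who === false || strcasecmp($who, $authzid) !== 0) {
        ldap_unbind($ldap);
        throw new RuntimeException('whoami did not return the expected authzid');
    }
    return $userdn;
}
```

The returned DN is what the mail stores in $this->authzid; a caller that catches the exception should treat the session as not logged in rather than continue with the reader bind.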


On 17/07/2014 22:18, Roland Gruber wrote:
> Hi Stef,
>
> On 17.07.2014 21:39, Stef wrote:
>> A couple of days ago, I started to CASify LAM with the help of Jasig phpCAS.
> sounds interesting. Do you get the DN/user and plain text password from CAS?
> Usually, CAS returns only a token. How did you manage it to use the CAS
> data to login to LDAP?

_______________________________________________
Lam-public mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/lam-public
