Hi Stef, great, thanks a lot for your detailed description. :)
I put CAS on my list for 4.8. Now I have all that is needed to support
it. :)
Best regards
Roland
On 17.07.2014 23:43, Stef wrote:
> Hi Roland :)
>
>> Do you get the DN/user and plain text password from CAS?
>> Usually, CAS returns only a token. How did you manage to use the
>> CAS data to log in to LDAP?
>
> Ok, let's talk about it! ;-)
>
> The CAS server gives me a ticket and some other attributes about the
> logged-in user: dn, memberOf groups, etc. But not the password! It
> remains stored "far far away" :-P in the LDAP directory :)
>
> LAM starts the usual LDAP connection with an account that can only read
> the whole subtree. Using the user's DN and the tree suffix, the user is
> then jailed in his subtree. When modifying something, he acts as
> himself (not cn=reader anymore). I also check that he's got the right
> memberOf group ... to only let in gentle people ;-)
>
> Let's see how I've done this.
>
> Except for the config pages, the main hacks are only the LDAP class and
> the login/logout pages :-) There's also a little bit of slapd config...
>
> Here are some snippets; ** ==> don't bite me, it's still beta!! <== **
> ;-)
>
> **First, login!**
>
>
> I've renamed login.php to login.classic.php, and added a login.cas.php
> that handles the phpCAS stuff.
> I've created a new login.php page that deals with the auth method ('CAS'
> or 'classic', stored in config.inc):
>> switch ($_SESSION["cfgMain"]->getAuthType()) {
>>     case LAMCfgMain::AUTH_CAS:
>>         metaRefresh("login.cas.php?" . $_SERVER['QUERY_STRING']); // query string needed for logout
>>         break;
>>     case LAMCfgMain::AUTH_CLASSIC:
>>         metaRefresh("login.classic.php");
>>         break;
>>     default:
>>         logNewMessage(LOG_ERR, "Unknown auth type '" . $_SESSION["cfgMain"]->getAuthType() . "' - please review global config file");
>>         StatusMessage("ERROR", "Unknown auth type", "'" . $_SESSION["cfgMain"]->getAuthType() . "' - please review global config file", NULL, false);
>>         die();
>> }
> In login.cas.php, I've implemented a basic phpCAS client. This page
> instantiates a new Ldap object like this:
>> $searchDN = 'cn=reader,dc=myroot,dc=fr'; // my read-only user
>> $searchPassword = '***';
>> $searchSuccess = true;
>> $searchError = '';
>> $_SESSION['ldap'] = new Ldap($_SESSION['config']); // create new Ldap object
>> $searchLDAPResult = $_SESSION['ldap']->connect($searchDN, $searchPassword, true);
> Nothing tremendous there, is it? The trick is further on, in ldap.inc ;)
> But before jumping into this class, we need to have a look at the slapd config.
>
> **Then, a bit of config**
>
>
> The authzid is set up in the LDAP directory config (ACL).
>
>> $ sudo ldapvi -Y EXTERNAL -h ldapi:/// -b cn=config
>> ...
>> olcAccess: {3}to dn.subtree="o=entitytest,dc=myroot,dc=fr" by group="cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr" write by * break
> I've modified cn=reader in my LDAP directory to add this attribute:
>> authzTo: {0}dn.regex=^uid=[^,]*,ou=people,o=entitytest,dc=myroot,dc=fr
>
> which lets cn=reader auth as uid=thephpcasuser,o=entitytest, since
> uid=thephpcasuser is memberOf
> cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr
>
> Are you still there? :-P Ok, continue! :-)
>
> So, who am I finally?
>> $ ldapwhoami -x -H ldapi:/// -D cn=reader,dc=myroot,dc=fr -wtest -e '!authzid=dn:uid=thephpcasuser,ou=people,o=entitytest,dc=myroot,dc=fr'
>> dn:uid=thephpcasuser,ou=people,o=entitytest,dc=myroot,dc=fr
> Hey, here is cn=reader acting as uid=thephpcasuser =-O
>
> **Finally, "la classe"** :-)
>
> In ldap.inc:
>
> * I've added a private $authzid attribute that stores the DN of the
> phpCAS user
> * in function connect(), I've added a call (after the bind) to a
> function named setProxyAuth() that uses this authzid to "auth as":
>
>> public function setProxyAuth() {
>>     if (!empty($_SESSION['cfgMain']) && $_SESSION['cfgMain']->getCasEnableAuthAs()) {
>>         // Search user's main domain DN
>>         // TODO FIX ALL code below, this is UGLY !
>>         $domainCode = phpCAS::getAttributes()['authDomain'];
>>         $domainDN = "";
>>
>>         // each o=entity,dc=myroot,dc=fr contains two nodes: ou=groups & ou=people (users)
>>         // in the phpCAS user, I don't have the complete DN of its entity, just a code
>>         // each o=entity,dc=myroot,dc=fr has a destinationIndicator that matches the phpCAS user attribute 'authDomain'
>>         $searchResult = @ldap_search(
>>             $this->server,
>>             "dc=myroot,dc=fr",
>>             "destinationIndicator=$domainCode",
>>             array('o'),
>>             0, 0, 0, LDAP_DEREF_NEVER);
>>
>>         if ($searchResult != false) {
>>             $searchInfo = ldap_get_entries($this->server, $searchResult);
>>             $domainDN = $searchInfo[0]['dn'];
>>         }
>>
>>         $user = phpCAS::getUser();
>>         $userdn = sprintf('uid=%s,ou=people,%s', $user, $domainDN);
>>         #
>>         # Check to see if the directory server supports the
>>         # Proxied Authorization control
>>         #
>>         $r = @ldap_read($this->server, '', 'objectclass=*', array('supportedControl'));
>>         if ($r) {
>>             $results = @ldap_get_entries($this->server, $r);
>>             if ($results['count'] == 0) {
>>                 logNewMessage(LOG_ERR, 'Could not read Root DSE');
>>                 return ldap_errno($this->server);
>>             }
>>             if ($results[0]['supportedcontrol']['count'] == 0) {
>>                 return 'Could not find any supportedControl attributes in Root DSE';
>>             }
>>             $found_ctrl = 0;
>>             for ($i = 0; $i < $results[0]['supportedcontrol']['count']; $i++) {
>>                 if ($results[0]['supportedcontrol'][$i] == '2.16.840.1.113730.3.4.18') {
>>                     $found_ctrl = 1;
>>                 }
>>             }
>>             if ($found_ctrl == 0) {
>>                 logNewMessage(LOG_ERR, 'Proxied Authorization control is not supported');
>>                 return ldap_errno($this->server);
>>             }
>>         } else {
>>             logNewMessage(LOG_ERR, 'Root DSE Search failed : ' . @ldap_error($this->server));
>>             return @ldap_error($this->server);
>>         }
>>         $proxy_auth_ctrl = array(
>>             'oid' => '2.16.840.1.113730.3.4.18',
>>             'value' => "dn:" . $userdn,
>>             'iscritical' => true
>>         );
>>         if (!ldap_set_option($this->server, LDAP_OPT_SERVER_CONTROLS, array($proxy_auth_ctrl))) {
>>             logNewMessage(LOG_ERR, 'Could not set Proxy Auth control');
>>             return ldap_errno($this->server);
>>         } else {
>>             logNewMessage(LOG_DEBUG, "Using authzid " . $userdn);
>>         }
>>         $this->authzid = $userdn;
>>         return true;
>>     }
>> }
>
> function decrypt_login() has also been modified a little bit to add
> $authzid to the returned array, which lets me print the real user when
> editing a user or a group (when calling edit.php in the browser,
> main_header.php is modified to replace $userData[0] by $userData[2]).
>
> Et voilà! All this stuff is working, but I need to reread my code ...
> and raise my nose from my keyboard...
>
> Finally, I've also modified the config/* files a little bit (main.php,
> confmain.php and mainmanage.php) because everything is now CASified!!
> No password needed anymore to manage configs! I've coded it so that only
> users memberOf cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr AND
> (that's my need) users from a precise
> ou=people,o=BigBrotherEntity,dc=myroot,dc=fr can get into
> /templates/config/index.php; so that a cn=ad_admin member can manage
> its subtree, but can't modify the config file, unless he's from
> o=BigBrotherEntity.
>
> What do you think about all this ?
>
> Have a good night :-P
>
>
> On 17/07/2014 22:18, Roland Gruber wrote:
>> Hi Stef,
>>
>> On 17.07.2014 21:39, Stef wrote:
>>> A couple of days ago, I started to CASify LAM with the help of Jasig phpCAS.
>> Sounds interesting. Do you get the DN/user and plain text password from CAS?
>> Usually, CAS returns only a token. How did you manage to use the CAS
>> data to log in to LDAP?
>>
>>
>>
>>
>> _______________________________________________
>> Lam-public mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/lam-public
>
>
>
>
>
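As an added example (not code from this thread, from LAM or from phpCAS), the following Python model shows offline how the two layers Stef relies on fit together: the authzTo regex on cn=reader decides which identities the read-only account may assume at all, and the olcAccess rule then decides whether the assumed identity may write the entity subtree. The regex, the group DN and the subtree are the ones quoted above; the memberOf table, the users bob and eve, the sibling entity o=otherentity and the helper names are constructed for the example, and Python's re.search stands in for slapd's POSIX regex matching (an assumption). It also escapes the uid before it is placed into the DN, which the sprintf in setProxyAuth does not do.

```python
import re

# Policy strings quoted in the thread: the authzTo regex on cn=reader and the
# subtree / group of the olcAccess rule.
AUTHZ_TO_RULES = [
    r"^uid=[^,]*,ou=people,o=entitytest,dc=myroot,dc=fr",
]
ENTITY_SUBTREE = "o=entitytest,dc=myroot,dc=fr"
ADMIN_GROUP = "cn=ad_admin,ou=groupes,o=entitytest,dc=myroot,dc=fr"

# Constructed memberOf table standing in for a live directory (example data only).
MEMBER_OF = {
    "uid=thephpcasuser,ou=people,o=entitytest,dc=myroot,dc=fr": {ADMIN_GROUP},
    "uid=bob,ou=people,o=entitytest,dc=myroot,dc=fr": set(),
    # hypothetical admin of a sibling entity: the ACL alone would grant write,
    # so the authzTo regex is what keeps cn=reader from assuming this identity
    "uid=eve,ou=people,o=otherentity,dc=myroot,dc=fr": {ADMIN_GROUP},
}

# Characters that need a backslash inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIAL = {",": r"\,", "+": r"\+", '"': r'\"', "\\": r"\\",
               "<": r"\<", ">": r"\>", ";": r"\;"}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot add RDNs to the DN it is placed in."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == "#" and i == 0:
            out.append(r"\#")
        elif ch == " " and (i == 0 or i == last):
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(cas_uid: str, domain_dn: str) -> str:
    """Same shape as the thread's sprintf('uid=%s,ou=people,%s'), with the uid escaped."""
    return "uid=%s,ou=people,%s" % (escape_dn_value(cas_uid), domain_dn)


def authz_to_allows(target_dn: str, rules=AUTHZ_TO_RULES) -> bool:
    """Would slapd let cn=reader proxy to target_dn? (re.search models POSIX regexec.)"""
    return any(re.search(rule, target_dn) for rule in rules)


def in_subtree(dn: str, base: str) -> bool:
    return dn == base or dn.endswith("," + base)


def acl_grants_write(identity_dn: str, entry_dn: str, member_of=MEMBER_OF) -> bool:
    """Model of: to dn.subtree=ENTITY_SUBTREE by group=ADMIN_GROUP write."""
    if not in_subtree(entry_dn, ENTITY_SUBTREE):
        return False
    return ADMIN_GROUP in member_of.get(identity_dn, set())


def evaluate_proxy_login(cas_uid: str, domain_dn: str):
    """Return (authzid, proxy_allowed, may_write_entity) for a CAS login via cn=reader."""
    authzid = build_user_dn(cas_uid, domain_dn)
    proxy_ok = authz_to_allows(authzid)
    write_ok = proxy_ok and acl_grants_write(authzid, ENTITY_SUBTREE)
    return authzid, proxy_ok, write_ok


if __name__ == "__main__":
    cases = [("thephpcasuser", ENTITY_SUBTREE),          # admin of the entity
             ("bob", ENTITY_SUBTREE),                    # plain user of the entity
             ("eve", "o=otherentity,dc=myroot,dc=fr"),   # admin, but wrong entity
             ("thephpcasuser,ou=admins", ENTITY_SUBTREE)]  # uid carrying a comma
    for uid, domain in cases:
        print(evaluate_proxy_login(uid, domain))
```

Running it shows the four outcomes a reviewer of this setup wants to see: the entity admin is proxied and may write, a plain entity member is proxied but gets no write, an admin from another entity is refused by authzTo before the ACL is ever consulted, and a uid containing a comma stays a single RDN after escaping and is refused by the `[^,]*` part of the regex.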
