Re: Extending built-in Auth Component?
Nathaniel Price wrote:
>
> Anyway, here's the extension I came up with (saved in
> app/controllers/components/ldap_auth.php):
> App::import('Component', 'Auth');
>
> class LdapAuthComponent extends AuthComponent {
>     var $ldapModel = 'LdapUser';
>
>     function startup(&$controller) {
>         if (isset($controller->data[$this->userModel])) {
>             $username = $controller->data[$this->userModel][$this->fields['username']];
>             $password = $controller->data[$this->userModel][$this->fields['password']];
>             $res = $this->preauthUser($username, $password);
>
>             if (!$res) {
>                 //set password to blank to ensure the auth fails
>                 $controller->data[$this->userModel][$this->fields['password']] = '';
>             }
>         }
>         //Continue with standard auth process
>         return parent::startup($controller);
>     }
> ..
> ..
> ..
>

I think you're going to auth against LDAP and update your database on every page load by doing it this way. Maybe that's the way you want to do it, but another thing you could do is just add another condition to the if statement in the startup method:

if ($controller->action == 'login' && isset($controller->data[$this->userModel])) {

In my application, I'm not going to worry too much about them changing things on the LDAP server minute to minute, so I use the above if statement.

Thanks so much for volunteering all this code. It's been very helpful.

--
View this message in context: http://n2.nabble.com/Extending-built-in-Auth-Component--tp1369764p2342959.html
Sent from the CakePHP mailing list archive at Nabble.com.

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---
Re: Extending built-in Auth Component?
I've got it working, yes, though I'm still a bit dissatisfied with the solution I came up with. For one, you can't refer to AuthComponent via $this->Auth inside your controller anymore, it has to be $this->LdapAuth. Not sure how much that will affect things.

First an explanation of what this does. Basically, the LdapAuthComponent sits on top of AuthComponent and intercepts login form submissions. It then uses the LdapUser model to check to see if the user exists, and if you can bind successfully with that username and password combination. If so, it inserts (or updates) a user in the users table with the username and password combination that was submitted on login, and from there AuthComponent can use that data in the table to log them in. This is ideal for me because I don't have control over the data the LDAP server provides me, and I'd like to be able to attach more data to a user than the LDAP server provides me.

Also note: this code is unsupported. Use it at your own risk. I may or may not answer questions about it.

Anyway, here's the extension I came up with (saved in app/controllers/components/ldap_auth.php):

<?php
App::import('Component', 'Auth');

class LdapAuthComponent extends AuthComponent {
    var $ldapModel = 'LdapUser';

    function startup(&$controller) {
        if (isset($controller->data[$this->userModel])) {
            $username = $controller->data[$this->userModel][$this->fields['username']];
            $password = $controller->data[$this->userModel][$this->fields['password']];
            $res = $this->preauthUser($username, $password);

            if (!$res) {
                //set password to blank to ensure the auth fails
                $controller->data[$this->userModel][$this->fields['password']] = '';
            }
        }
        //Continue with standard auth process
        return parent::startup($controller);
    }

    function preauthUser($username, $password) {
        //TODO: un-hard-code the other database model fields.
        $ldap =& $this->getLdapModel();
        $model =& $this->getModel();
        $res = $ldap->auth($username, $password);
        if ($res !== false) {
            //Successful LDAP bind - update user database
            $data = $model->findByUsername($username);
            if (!$data) {
                $data = array();
                $data[$this->userModel][$this->fields['username']] = $username;
                $data[$this->userModel]['created'] = date('Y-m-d H:i:s');
            }
            //TODO: if data hasn't changed, avoid updating the database
            $data[$this->userModel][$this->fields['password']] = $this->password($password);
            $data[$this->userModel]['email'] = $res[0][$this->ldapModel]['mail'];
            $model->save($data);
            return true;
        }
        return false;
    }

    function &getLdapModel($name = null) {
        $model = null;
        if (!$name) {
            $name = $this->ldapModel;
        }
        if (PHP5) {
            $model = ClassRegistry::init($name);
        } else {
            $model =& ClassRegistry::init($name);
        }
        if (empty($model)) {
            trigger_error(__('LdapAuth::getLdapModel() - Model is not set or could not be found', true), E_USER_WARNING);
            return null;
        }
        return $model;
    }
}
?>

I use the following model for Users - this is stored in the database (app/models/user.php):

array('email'),
        'password' => array('alphaNumeric'),
        'active' => array('numeric')
    );
}
/* database creation script:
CREATE TABLE `users` (
  `id` int(10) unsigned NOT NULL auto_increment,
  `username` varchar(50) NOT NULL,
  `password` varchar(50) NOT NULL,
  `email` varchar(128) default NULL,
  `active` tinyint(4) NOT NULL default '0',
  `created` datetime default NULL,
  `modified` datetime NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
*/
?>

And the following model for LdapUsers (app/models/ldap_user.php). I'm not sure where I got this code--I thought it was from the bakery, but I can't seem to find it again. :( Regardless, it has been slightly modified for my purposes.

ds = ldap_connect($this->host, $this->port);
        ldap_set_option($this->ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        if ($this->user) {
            ldap_bind($this->ds, $this->user, $this->pass);
        } else {
            //Do an anonymous bind.
            ldap_bind($this->ds);
        }
    }

    function __destruct() {
        ldap_close($this->ds);
    }

    function findAll($attribute = 'uid', $value = '*', $ba
Re: Extending built-in Auth Component?
Hi Nathaniel,

Did you get your AuthComponent extension working? If so, would you like to share it? :)

I've been looking for LDAP authentication in cake for some time, but I'm not sure how to get to it.

--
alx
Re: Extending built-in Auth Component?
I'm assuming you're talking about one of these (they were the only results for a search on bakery for 'ldap' that I could find):
http://bakery.cakephp.org/articles/view/ldap-models-in-cakephp
http://bakery.cakephp.org/articles/view/using-ldap-as-a-datasource-basic-find-example

I looked at that and it doesn't seem to me like it will work. Have you (or anyone else, for that matter) actually tried using Auth with one of these as the model?

The problem that I see is that LDAP (or at least our ldap server) doesn't let me see even encrypted passwords, so I can't do what auth tries to do, namely hash a password, then run $model->find() on the username and hashed password. For authenticating based on ldap, basically I have to run ldap_bind($ldap, $username, $password) to authenticate against the server (this is simplified, but that's the general idea). I can't use ldap_search() for that sort of query.

In other words, from what I can tell, LDAP as a model doesn't map onto Auth's expectations of the model providing a table-like mapping of usernames to passwords, a pretty fundamental limitation of Auth, IMHO. I have also searched high and low for any concrete information about using Auth with an LDAP model and I've come up empty-handed--except for things that don't use Auth in the first place, or where they do the same thing I do, namely extend Auth.

Now, I suppose I could modify things so that doing a find() that contains a password tries to do a bind instead of/in addition to a search... Part of the thing is that I still want to have a table that stores user data for users that have logged in; might be able to hack it so that the LdapUser model saves a User as well, but I'm not sure how that'd work.

If there is anyone else who has dealt with this before, I'd love to hear from them.

On Oct 24, 2:46 am, Penfold <[EMAIL PROTECTED]> wrote:
> Hi,
>
> there is an article on bakery about using ldap, in theory you would
> replace your users table with a link to ldap and you won't need to
> change anything in auth.
>
> and all user information will be stored in ldap
>
> On 23 Oct, 22:10, Nathaniel Price <[EMAIL PROTECTED]> wrote:
>
> > I'd like to extend the Auth component in such a way as to be able to
> > use LDAP to log users in; basically, my approach would be to
> > authenticate the user via LDAP, then, if the user is valid and
> > properly authenticated, it would put them into the user database that
> > Auth uses and would hand control back to Auth from there. It looks
> > something like this:
> >
> > App::import('Component', 'Auth');
> >
> > class LdapAuth extends Auth {
> >     var $ldapModel = 'LdapUser';
> >
> >     function startup(&$controller) {
> >         $username = $controller->data[$this->userModel][$this->fields['username']];
> >         $password = $controller->data[$this->userModel][$this->fields['password']];
> >
> >         $res = $this->preauthUser($username, $password);
> >
> >         if (!$res) {
> >             //set password to blank to ensure the auth fails
> >             $controller->data[$this->userModel][$this->fields['password']] = '';
> >         }
> >         //Continue with standard auth process
> >         return parent::startup($controller);
> >     }
> >
> >     //... rest of class here
> > }
> > ?>
> >
> > However, when I try to use this component in my pages, I get the
> > following error:
> > Fatal error: Class 'Auth' not found in C:\...\app\controllers\components\ldap_auth.php on line 4
> >
> > Is there something I'm doing wrong that makes it so that Auth isn't
> > included in my file? I thought App::import() would take care of that,
> > but apparently it's not.
> >
> > Thanks!
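
The bind-based check described in the message above, as an added example that is not part of this thread or of CakePHP: it refuses empty or non-string credentials before calling ldap_bind(), because a bind with a DN and an empty password is an unauthenticated bind (RFC 4513, section 5.1.2) that a server may accept. The host, base DN, the uid=<name> DN layout and all function names are assumptions, and ldap_escape() needs PHP 5.6 or later with the ldap extension.

```php
<?php
// Added example, not code from this thread. The host, base DN and the
// uid=<name>,<base> DN layout are assumptions; needs ext/ldap, PHP >= 5.6.

const LDAP_URI     = 'ldaps://ldap.example.test';     // placeholder
const LDAP_BASE_DN = 'ou=people,dc=example,dc=test';  // placeholder

/** Returns false for credentials that must never reach ldap_bind(). */
function credentialsAreUsable($username, $password)
{
    // Form fields can arrive as arrays (data[User][password][]=x).
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // DN + empty password is an unauthenticated bind (RFC 4513, 5.1.2);
    // a server that accepts it would report success without any secret.
    return trim($username) !== '' && $password !== '';
}

/** Build the bind DN, escaping characters that are special inside a DN. */
function userDn($username)
{
    return 'uid=' . ldap_escape($username, '', LDAP_ESCAPE_DN) . ',' . LDAP_BASE_DN;
}

/**
 * Bind as the user. Returns array('dn' => ..., 'mail' => ...) on success
 * and false on any failure, so callers can test with === false.
 */
function ldapAuthenticate($username, $password)
{
    if (!credentialsAreUsable($username, $password)) {
        return false;
    }
    $ds = ldap_connect(LDAP_URI);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $dn = userDn($username);
    $result = false;
    if (@ldap_bind($ds, $dn, $password)) {
        // Read the user's own entry over the user's own connection.
        $sr = @ldap_read($ds, $dn, '(objectClass=*)', array('mail'));
        $entries = $sr ? ldap_get_entries($ds, $sr) : false;
        $mail = isset($entries[0]['mail'][0]) ? $entries[0]['mail'][0] : null;
        $result = array('dn' => $dn, 'mail' => $mail);
    }
    ldap_unbind($ds);
    return $result;
}
```

In the component posted in this thread, a false return corresponds to the branch where startup() blanks the submitted password before AuthComponent runs.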
Re: Extending built-in Auth Component?
Doh! I realized that about 10 minutes after I posted. Thanks.

On Oct 23, 3:31 pm, "Jay Reeder" <[EMAIL PROTECTED]> wrote:
> Nathaniel,
>
> We're doing something similar. Try:
>
> class LdapAuthComponent extends AuthComponent
>
> On Thu, Oct 23, 2008 at 5:10 PM, Nathaniel Price <[EMAIL PROTECTED]> wrote:
>
> > I'd like to extend the Auth component in such a way as to be able to
> > use LDAP to log users in; basically, my approach would be to
> > authenticate the user via LDAP, then, if the user is valid and
> > properly authenticated, it would put them into the user database that
> > Auth uses and would hand control back to Auth from there. It looks
> > something like this:
> >
> > App::import('Component', 'Auth');
> >
> > class LdapAuth extends Auth {
> >     var $ldapModel = 'LdapUser';
> >
> >     function startup(&$controller) {
> >         $username = $controller->data[$this->userModel][$this->fields['username']];
> >         $password = $controller->data[$this->userModel][$this->fields['password']];
> >
> >         $res = $this->preauthUser($username, $password);
> >
> >         if (!$res) {
> >             //set password to blank to ensure the auth fails
> >             $controller->data[$this->userModel][$this->fields['password']] = '';
> >         }
> >         //Continue with standard auth process
> >         return parent::startup($controller);
> >     }
> >
> >     //... rest of class here
> > }
> > ?>
> >
> > However, when I try to use this component in my pages, I get the
> > following error:
> > Fatal error: Class 'Auth' not found in C:\...\app\controllers\components\ldap_auth.php on line 4
> >
> > Is there something I'm doing wrong that makes it so that Auth isn't
> > included in my file? I thought App::import() would take care of that,
> > but apparently it's not.
> >
> > Thanks!
Re: Extending built-in Auth Component?
Hi,

there is an article on bakery about using ldap, in theory you would replace your users table with a link to ldap and you won't need to change anything in auth.

and all user information will be stored in ldap

On 23 Oct, 22:10, Nathaniel Price <[EMAIL PROTECTED]> wrote:
> I'd like to extend the Auth component in such a way as to be able to
> use LDAP to log users in; basically, my approach would be to
> authenticate the user via LDAP, then, if the user is valid and
> properly authenticated, it would put them into the user database that
> Auth uses and would hand control back to Auth from there. It looks
> something like this:
>
> App::import('Component', 'Auth');
>
> class LdapAuth extends Auth {
>     var $ldapModel = 'LdapUser';
>
>     function startup(&$controller) {
>         $username = $controller->data[$this->userModel][$this->fields['username']];
>         $password = $controller->data[$this->userModel][$this->fields['password']];
>
>         $res = $this->preauthUser($username, $password);
>
>         if (!$res) {
>             //set password to blank to ensure the auth fails
>             $controller->data[$this->userModel][$this->fields['password']] = '';
>         }
>         //Continue with standard auth process
>         return parent::startup($controller);
>     }
>
>     //... rest of class here
> }
> ?>
>
> However, when I try to use this component in my pages, I get the
> following error:
> Fatal error: Class 'Auth' not found in C:\...\app\controllers\components\ldap_auth.php on line 4
>
> Is there something I'm doing wrong that makes it so that Auth isn't
> included in my file? I thought App::import() would take care of that,
> but apparently it's not.
>
> Thanks!
Re: Extending built-in Auth Component?
Nathaniel,

We're doing something similar. Try:

class LdapAuthComponent extends AuthComponent

On Thu, Oct 23, 2008 at 5:10 PM, Nathaniel Price <[EMAIL PROTECTED]> wrote:
>
> I'd like to extend the Auth component in such a way as to be able to
> use LDAP to log users in; basically, my approach would be to
> authenticate the user via LDAP, then, if the user is valid and
> properly authenticated, it would put them into the user database that
> Auth uses and would hand control back to Auth from there. It looks
> something like this:
>
> App::import('Component', 'Auth');
>
> class LdapAuth extends Auth {
>     var $ldapModel = 'LdapUser';
>
>     function startup(&$controller) {
>         $username = $controller->data[$this->userModel][$this->fields['username']];
>         $password = $controller->data[$this->userModel][$this->fields['password']];
>
>         $res = $this->preauthUser($username, $password);
>
>         if (!$res) {
>             //set password to blank to ensure the auth fails
>             $controller->data[$this->userModel][$this->fields['password']] = '';
>         }
>         //Continue with standard auth process
>         return parent::startup($controller);
>     }
>
>     //... rest of class here
> }
> ?>
>
> However, when I try to use this component in my pages, I get the
> following error:
> Fatal error: Class 'Auth' not found in C:\...\app\controllers\components\ldap_auth.php on line 4
>
> Is there something I'm doing wrong that makes it so that Auth isn't
> included in my file? I thought App::import() would take care of that,
> but apparently it's not.
>
> Thanks!
Extending built-in Auth Component?
I'd like to extend the Auth component in such a way as to be able to use LDAP to log users in; basically, my approach would be to authenticate the user via LDAP, then, if the user is valid and properly authenticated, it would put them into the user database that Auth uses and would hand control back to Auth from there. It looks something like this:

<?php
App::import('Component', 'Auth');

class LdapAuth extends Auth {
    var $ldapModel = 'LdapUser';

    function startup(&$controller) {
        $username = $controller->data[$this->userModel][$this->fields['username']];
        $password = $controller->data[$this->userModel][$this->fields['password']];

        $res = $this->preauthUser($username, $password);

        if (!$res) {
            //set password to blank to ensure the auth fails
            $controller->data[$this->userModel][$this->fields['password']] = '';
        }
        //Continue with standard auth process
        return parent::startup($controller);
    }

    //... rest of class here
}
?>

However, when I try to use this component in my pages, I get the following error:
Fatal error: Class 'Auth' not found in C:\...\app\controllers\components\ldap_auth.php on line 4

Is there something I'm doing wrong that makes it so that Auth isn't included in my file? I thought App::import() would take care of that, but apparently it's not.

Thanks!