Hello,
I have set up LDAPS on my Active Directory to authenticate VCL, using a
self-signed wildcard certificate. Running *generic.php* succeeds and
gives a *Binding successful* message.
Also, running `openssl s_client -showcerts -CAfile
/etc/pki/tls/certs/ca-bundle.crt -connect ad1.domain.ac.bw:636`
gives a "Verify return code: 0 (ok)" message.
However, when I try to authenticate using LDAP in VCL I get "Error: An error
has occurred. If this problem persists, please email...".
Attached are configured parts of my generic.php, conf.php and ldapauth.php
files.
Thanks in advance for assistance.
Regards,
L. Chirongo
<?php
/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
"BU LDAP" => array("type" => "ldap",
"server" => "ad1.domain.ac.bw", #
hostname of the ldap server
"binddn" => "dc=domain,dc=ac,dc=bw", #
base dn for ldap server
"userid" => "%[email protected]", #
this is what we add to the actual login id to authenticate a user via ldap
# use a
'%s' where the actual login id will go
# for
example1: 'uid=%s,ou=accounts,dc=example,dc=com'
#
example2: '%[email protected]'
#
example3: '%[email protected]'
"unityid" => "samaccountname", # ldap
field that contains the user's login id
"firstname" => "givenname", # ldap
field that contains the user's first name
"lastname" => "sn", # ldap
field that contains the user's last name
"email" => "mail", # ldap
field that contains the user's email address
"defaultemail" => "@domain.ac.bw", # if
for some reason an email address may not be returned for a user, this is what
# can
be added to the user's login id to send mail
"masterlogin" => "CN=VCL
Lookup,CN=Users,DC=domain,DC=ac,DC=bw", # privileged login id for ldap
server
"masterpwd" => "********", # privileged
login password for ldap server
"affiliationid" => 6, # id from
affiliation id this login method is associated with
"lookupuserbeforeauth" => 1, # set this
to 1 to have VCL use masterlogin to lookup the full DN of the user
# and
use that for the ldap bind to auth the user instead of just using the userid
# field
from above
"lookupuserfield" => 'samaccountname',
# if lookupuserbeforeauth is set to 1, this is the attribute to use to
search in ldap
# for
the user. Typically either 'cn', 'uid', or 'samaccountname'
"help" => "BU LDAP if you are using a ****
account"), # message to be displayed on login page about when
# to use this login mechanism
);
#require_once(".ht-inc/authmethods/itecsauth.php");
# only the LDAP authentication method is loaded here; the other two remain commented out
require_once '.ht-inc/authmethods/ldapauth.php';
#require_once(".ht-inc/authmethods/shibauth.php");
?>
<?php
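# Connection settings for the standalone LDAP lookup test (generic.php).
# The trailing comment of each setting must stay on the same line as the
# assignment; in the pasted copy the comments had wrapped onto their own
# lines, which PHP reads as code and rejects with a parse error.
$server = 'ad1.domain.ac.bw'; # hostname of ldap server
$ldapacct = 'CN=VCL Lookup,CN=Users,DC=domain,DC=ac,DC=bw'; # full DN of account VCL uses to log in to LDAP server
$ldappass = '********'; # password for $ldapacct
$toplevel = 'dc=domain,dc=ac,dc=bw'; # base DN to use
$search = 'samaccountname=labtest'; # what to search for, examples: uid=someuserid, cn=someuserid, samaccountname=someuserid; follows normal LDAP query rules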
<?php
// TODO handle generic updating of groups
switch(getAffiliationName($affilid)) {
case 'domain.ac.bw':
updateBUGroups($user);
break;
default:
//TODO possibly add to a default group
}
$user["groups"] = getUsersGroups($user["id"], 1);
$user["groupperms"] = getUsersGroupPerms(array_keys($user['groups']));
$user["privileges"] = getOverallUserPrivs($user["id"]);
$user['login'] = $user['unityid'];
return $user;
}
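////////////////////////////////////////////////////////////////////////////////
///
/// \fn updateBUGroups($user)
///
/// \param $user - an array of user data; 'unityid', 'id' and 'affiliationid'
/// are read
///
/// \return 0 if the connection, bind or search fails, or if the user has no
/// memberof attribute; nothing otherwise
///
/// \brief builds an array of memberof groups user is a member of and calls
/// updateGroups
///
////////////////////////////////////////////////////////////////////////////////
function updateBUGroups($user) {
	global $authMechs;
	$auth = $authMechs['BU LDAP'];
	# ldaps:// - the server certificate is checked by the client LDAP library
	# (its CA / TLS_REQCERT settings), not by this code
	$ds = ldap_connect("ldaps://{$auth['server']}/");
	if(! $ds)
		return 0;
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
	# do not chase referrals
	ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
	$res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
	if(! $res) {
		ldap_unbind($ds);
		return 0;
	}
	# the login id originates from the user; escape it so characters such as
	# '*', '(' or ')' cannot change the meaning of the search filter
	$filter = "{$auth['unityid']}=" .
	          ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
	$search = ldap_search($ds, $auth['binddn'], $filter, array('memberof'),
	                      0, 10, 15);
	if(! $search) {
		ldap_unbind($ds);
		return 0;
	}
	$data = ldap_get_entries($ds, $search);
	ldap_unbind($ds);
	# no entry for this login id (or the fetch failed): $data[0] would not
	# exist, so there is nothing to update
	if($data === false || $data['count'] < 1 ||
	   ! array_key_exists('memberof', $data[0]))
		return 0;
	$newusergroups = array();
	# NOTE(review): only groups directly under OU=Users are mapped; the conf's
	# masterlogin DN sits under CN=Users (the default AD container), so confirm
	# the groups really live in an OU named Users - otherwise nothing matches
	for($i = 0; $i < $data[0]['memberof']['count']; $i++) {
		if(preg_match('/^CN=(.+),OU=Users,DC=domain,DC=ac,DC=bw$/',
		              $data[0]['memberof'][$i], $match))
			array_push($newusergroups,
			           getUserGroupID($match[1], $user['affiliationid']));
	}
	$newusergroups = array_unique($newusergroups);
	updateGroups($newusergroups, $user["id"]);
}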
?>