From b64de13e2830e352b267ed948b9a49fa360a5cda Mon Sep 17 00:00:00 2001
From: Stuart Campbell
Date: Mon, 3 Oct 2022 15:37:03 -0400
Subject: [PATCH 1/3] Add examples of new config parameters for LDAP

---
 api/config_sample.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/api/config_sample.php b/api/config_sample.php
index 0a2fe9d20..99c0acda2 100644
--- a/api/config_sample.php
+++ b/api/config_sample.php
@@ -40,6 +40,13 @@
 # Update the ldap(s) prefix, hostname and search settings as required
 $ldap_server = 'ldaps://ldap.example.com';
 $ldap_search = 'ou=people,dc=example,dc=com';
+ # Specify the LDAP server type, can be either
+ # "openldap" (default) or "activedirectory"
+ $ldap_server_type = "openldap";
+ # If using "activedirectory" then specify the legacy domain name.
+ # i.e. "MYDOMAIN" rather than "mydomain.com"
+ # This will be prepended onto the username (e.g. MYDOMAIN\mylogin)
+ $active_directory_domain = "MYDOMAIN";
 
 # Upload directory
 # - used for user image uploads

From 66fded12f28110ecbe261b1dc06b1d03513f9fa2 Mon Sep 17 00:00:00 2001
From: Stuart Campbell
Date: Mon, 3 Oct 2022 15:46:24 -0400
Subject: [PATCH 2/3] Add logic for Active Directory server being used as LDAP server

---
 api/src/Authentication/Type/LDAP.php | 33 ++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/api/src/Authentication/Type/LDAP.php b/api/src/Authentication/Type/LDAP.php
index 27dcbe097..af5c7efdf 100644
--- a/api/src/Authentication/Type/LDAP.php
+++ b/api/src/Authentication/Type/LDAP.php
@@ -15,7 +15,13 @@ function check()
 function authenticate($login, $password)
 {
 global $ldap_server;
- global $ldap_search;
+ global $ldap_server_type;
+ global $ldap_search;
+ global $active_directory_domain;
+
+ if (!$ldap_server_type) {
+ $ldap_search_type = "openldap";
+ }
 
 $conn = ldap_connect($ldap_server);
 
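Review bot: The new default block `if (!$ldap_server_type) { ... }` assigns to `$ldap_search_type`, a different variable, so `$ldap_server_type` stays unset whenever the config omits it; the line should read `$ldap_server_type = "openldap";`. The typo is masked because the later comparison against "activedirectory" falls through to the openldap branch anyway, but it leaves a dead assignment and an undefined-variable notice on every login. While fixing it, consider rejecting any value other than the two documented ones instead of silently treating an unknown type as openldap. authenticate()'s body continues outside this hunk.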
@@ -23,14 +29,27 @@ function authenticate($login, $password)
 // Tested against LDAP version 3 (could add support for older versions here)
 ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
 
- try {
- // testing with openldap indicates this call needs to use a correct
- // DN syntax: "uid=,ou=people,dc=example,dc=com"
- return ldap_bind($conn, "uid=" . $login . "," . $ldap_search, $password);
+ try {
+ if ($ldap_server_type == "activedirectory") {
+ if (!$active_directory_domain) {
+ error_log("'active_directory_domain' parameter is not defined.");
+ error_log("\t This is required when LDAP server type is 'activedirectory'");
+ return false;
+ }
+ $ldap_user = $active_directory_domain . "\\" . $login;
+ } else {
+ // testing with openldap indicates this call needs to use a correct
+ // DN syntax: "uid=,ou=people,dc=example,dc=com"
+ $ldap_user = $login . "," . $ldap_search;
+ }
+ return ldap_bind($conn, $ldap_user, $password);
 
 // Couldn't bind
- } catch (\Exception $e) {
- return false;
+ } catch (\Exception $e) {
+ error_log("SynchWeb - LDAP Auth FAILURE for user $login");
+ error_log("\t" . $e->getMessage());
+ error_log("\tldap_error: " . ldap_error($conn) . " (Err Code: " . ldap_errno($conn) . ")");
+ return false;
 }
 }
 }

From 2c9454192333c4d4e51a9006771745c59a8b6713 Mon Sep 17 00:00:00 2001
From: Mark W <24956497+ndg63276@users.noreply.github.com>
Date: Wed, 15 Nov 2023 16:08:03 +0000
Subject: [PATCH 3/3] Fix whitespace

---
 api/src/Authentication/Type/LDAP.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/api/src/Authentication/Type/LDAP.php b/api/src/Authentication/Type/LDAP.php
index 81c01c10b..669e92120 100644
--- a/api/src/Authentication/Type/LDAP.php
+++ b/api/src/Authentication/Type/LDAP.php
@@ -42,7 +42,6 @@ function authenticate($login, $password)
 if ($ldap_use_tls) {
 ldap_start_tls($conn);
 }
-
 try {
 if ($ldap_server_type == "activedirectory") {
 if (!$active_directory_domain) {
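Review bot: The openldap branch builds `$ldap_user = $login . "," . $ldap_search;` without the `uid=` prefix the removed `ldap_bind` call had, so the bind DN no longer matches the `uid=...,ou=people,...` form described in the comment directly above it; the third patch's context shows `"uid=" . $login`, so this appears to have been corrected between these commits, but as written here every openldap bind would fail. Neither branch escapes `$login` before concatenating it into a DN or `DOMAIN\user` string; `"uid=" . ldap_escape($login, '', LDAP_ESCAPE_DN) . "," . $ldap_search` keeps a login containing `,` or `=` from altering the DN structure. `ldap_bind` with a zero-length password performs an unauthenticated bind, which a number of directory servers accept, so the result should not be returned directly; add `if ($password === '') { return false; }` before the bind. The comparison `$ldap_server_type == "activedirectory"` should use `===`, and note that the new catch block only logs exceptions, so a plain `false` return from ldap_bind (the usual bad-credentials path) is not logged. The enclosing try/catch and method close inside this hunk, but authenticate() begins outside it.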
@@ -51,7 +50,7 @@ function authenticate($login, $password)
 return false;
 }
 $ldap_user = $active_directory_domain . "\\" . $login;
- } else {
+ } else {
 // testing with openldap indicates this call needs to use a correct
 // DN syntax: "uid=,ou=people,dc=example,dc=com"
 $ldap_user = "uid=" . $login . "," . $ldap_search;