MODX :: [Plugin] LDAP Authentication Plugin

11

puki1400 Reply #1, 5 years, 5 months ago

Link to this post#1

Hello All...
I've decided to work on an LDAP authentication plugin (why not?).

Anyway, I took the IMAP auth plugin and triend to modify it to work with LDAP, but it's not working. Here's the code:

/* <?php
 *  Written by: Samuel Gammon
 *  Based on the IMAP authentication plugin by Adam Crownoble
 *  Contact: samusweb@gmail.com
 *  Created: 12/10/2005
 *  Name: LDAP Authentication
 *  For: MODX CMS (modxcms.com)
 *  Code Type: Plugin
 *  Description: Authenticate against an LDAP server
 *  Configuration: &server=IMAP Server;string;[your ldap server url]
                   &port=IMAP Port;int;993
                   &ssl=SSL;list;Yes,No;Yes
                   &validate_ssl_cert=Validate SSL Certificate;list;Yes,No;Yes
                   &ldap_user=LDAP Username;string;[YOUR LDAP USER NAME]
                   &ldap_pass=LDAP Password;string;[YOUR LDAP PASSWORD]
 *  Events: OnManagerAuthentication and/or OnWebAuthentication
 */

/*
                             License

LDAP Authentication - A MODx plugin that allows authentication against an LDAP server
Copyright (C) 2005  Adam Crownoble

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

*/

// Psuedo Constants
$eventId = 0;
//$box = "INBOX";
$eventName = $modx->Event->activePlugin;

// Generate flags
//$flags = '/ldap';
//if($ssl == 'Yes') $flags .= '/ssl';
//if($validate_ssl_cert != 'Yes') $flags .= '/novalidate-cert';

// Assume authentication failed
$success = false;

// If LDAP extension not installed...
if(!function_exists('ldap_connect')) {

 // Get the event's
 if($eventName == 'OnManagerAuthentication') {
  $eventId = 81;
 } elseif($eventName == 'OnWebAuthentication') {
  $eventId = 79;
 }

 // Log an error
 $modx->logEvent($eventId, 3, 'The PHP LDAP extension must be enabled for the IMAP Authentication plugin to work.', 'IMAP Authentication Plugin');

// If the LDAP extension exists...
} else {

 // Attempt to open an LDAP connection to the server using the given username and password
 // If the connection fails PHP will throw an error so we use @ to supress it

//--------------LDAP CONNECT START

  $ldap_connection = @ldap_connect("$server:$port")
if ($ldap_connection) {
  $ldap_authenticate = ldap_bind($ldap_connection, $ldap_user, $ldap_pass);
     if ($ldap_authenticate) {  

  $dn = "cn=$username"; //the object itself instead of the top search level as in ldap_search
  $filter="(objectclass=*)"; // this command requires some filter
  $justthese = array("cn", "pass", "mail"); //the attributes to pull, which is much more efficient than pulling all attributes if you don't do this
     $sr=ldap_read($ldap_connection, $dn, $filter, $justthese);
         $entry = ldap_get_entries($ds, $sr);

$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real

if ($password = $pass_real) {
 $sucess = true;
}
} else {
$sucess = false;
} else {
$error = "Could not authenticate to LDAP server to search for username and pass.";
} else {
$error = "Could not connect to LDAP server.";
}

ldap_close($ldap_connection);
 

 }

}
if ($error) {
echo $error;
}
// Return the succes boolean
$modx->Event->output($success);

What say the MODx community? I'm REALLY desperate to make this work.

Instead of spitting out an error when I configure it for the wrong server, it authenticates just fine. I'm not sure whether it is authenticating through SQL or LDAP, even in the Audit Trail.

Thanks in advance for help

.

mod note: added code tags.

4,183

"He can have a lollipop any time he wants to. That's what it means to be a programmer."

doze Reply #2, 5 years, 4 months ago

Link to this post#2

Hello, just noticed this thread, so a little late reply, but looking at your code, shouldn't:

ldap_get_entries($ds, $sr);

be:

ldap_get_entries($ldap_connection, $sr);

and:

$entry[0]["mail"][0] = $mail_real
$entry[0]["pass"][0] = $pass_real

be:

$mail_real = $entry[0]["mail"][0];
$pass_real = $entry[0]["pass"][0];

and then you have that if ($password = $pass_real) conditional there, but I don't see where $password comes from.. so those are wrong atleast, didn't look at the logic yet.

11

puki1400 Reply #3, 5 years, 4 months ago

Link to this post#3

I actually don't know, I have no experience whatsoever in plugin writing.
All I changed from the IMAP plugin (which seemed to work) was the connection string, and the variables (which I thought I replaced

). I'll try what you found, thanks

.

Also: is there any way to have user groups with an authentication plugin such as this one?

4,183

"He can have a lollipop any time he wants to. That's what it means to be a programmer."

doze Reply #4, 5 years, 4 months ago

Link to this post#4

The imap plugin seems to use $username and $userpassword variables what are not initialized in it, I guess those hold the username/password from MODx login on that event, so you might want to change:

if ($password = $pass_real) {
$sucess = true;
}

to:

if ($userpassword == $pass_real) {
$sucess = true;
}

Do you mean with the user groups question, that you would want MODx to use the usergroups from LDAP or what?

11

puki1400 Reply #5, 5 years, 4 months ago

Link to this post#5

Well, I make heavy use of the usergroups function for access permissions.
Can a user's group be retrieved via an LDAP field (I know it can be retrieved, but can it be passed on to the MODx system)?

4,183

"He can have a lollipop any time he wants to. That's what it means to be a programmer."

doze Reply #6, 5 years, 4 months ago

Link to this post#6

You'd need to do some synchronization module to retrieve (and create) usergroups from LDAP to MODx.. And you know that even if you make this LDAP plugin, you still need to have all the users from LDAP in MODx too with the same user names.. Atleast that's what I think, someone correct me if I'm wrong. So you need some synchronization module to do that too.

In future versions (1.0), it will be easier to have the users to come from LDAP or AD or IMAP or SMF or whatever or all combined, but you can get more info about that when the time comes..

11

puki1400 Reply #7, 5 years, 4 months ago

Link to this post#7

When is V1.0 coming out then?

4,183

"He can have a lollipop any time he wants to. That's what it means to be a programmer."

doze Reply #8, 5 years, 4 months ago

Link to this post#8

There's not any fixed time frames, but I suspect that you have something by the next christmas..

11

puki1400 Reply #9, 5 years, 4 months ago

Link to this post#9

Cool. I think I can wait that long

.

Thanks for the help, I'll mark this as officially closed in my book. Thanks for the help, doze

!

9

dwalters Reply #10, 5 years, 2 months ago

Link to this post#10

The project I'm working on requires LDAP access before Dec 2007, so I'd be very interested to have a go at coding this plugin.

One way I see this working is like this. When the manager logs in to view the 'Web users' page s/he would see the list of exisiting MODx users (if any) and also a list of users from the LDAP server. The manager could then choose which of the available LDAP users to convert to MODx members. Does this sound like a reasonable scheme?

Being new to MODx I'm unsure how to go about implementing this. Doze mentions (above) the need to write a synchronisation module to convert LDAP users to MODx members. Does anyone have any pointers regarding the inner workings of the MODx web user creation process that would help me get under way?

Thanks for your help.