+- UserSpice (https://userspice.com/forums)
+-- Forum: Miscellaneous (https://userspice.com/forums/forumdisplay.php?fid=28)
+--- Forum: Off-topic Discussions (https://userspice.com/forums/forumdisplay.php?fid=10)
+--- Thread: Using Userspice with Microsoft Active Directory (/showthread.php?tid=850)
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-12-2019
Do you have an ldap server we could use for testing?
RE: Using Userspice with Microsoft Active Directory - anasaz - 04-12-2019
There is a free online LDAP server for testing. I have tested it and it works fine.
http://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
To test it first, please download the free LDAP Admin application from http://www.ldapadmin.org/download/ldapadmin.html
when you launch the LDAP admin, configure your connection as shown in the attached image
Host: ldap.forumsys.com
Host: 389
Ver: 3
Base: dc=example,dc=com
Simple authentication
username: cn=read-only-admin,dc=example,dc=com
password: password
------------------------------------------------------------------------------------------------------------------------------------------
Another free public LDAP server (tested)
https://www.zflexldapadministrator.com/index.php/blog/82-free-online-ldap
Server: www.zflexldap.com
Port: 389
Bind DN: cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com
Bind Password: zflexpass
---------------------------------------------------------------------------------------------------------------------------------------------
Thanks for your help and support.
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-13-2019
I wrote a proof of concept ldap login. No form. Hard coded credentials in the php file and used it to connect to that second demo server you sent. Can you test it? Feel free to edit the credentials.
By default, when you load this page it should try to authenticate with the demo server and if it's successful, it will log you in as user 2. If you don't have one in your db, change the id on this file or create one. Please let me know what happens.
Put this file in your root directory and call it ldap.php or whatever.
https://pastebin.com/5qNuvtM4
RE: Using Userspice with Microsoft Active Directory - anasaz - 04-13-2019
The proof of concept worked fine with me. Thanks.
I even tried it with our LDAP and it works perfectly fine.
But this will lead to so many further questions and steps to fully integrate it with US.
1) Normally you bind a username & password that has the ability to search the LDAP for the requested username/password (bind search username)
2) Link the login page to use LDAP login option
3) Add an option to disable "reset password" (hiding registration already there)
4) Map user's attributes (fields) to US attributes (e.g: ldap_name:US_name, ldap_email:US_email ... etc)
I'm attaching an Active Directory configuration page for the open source Booked (previously PhpScheduleIt).
Thanks again for your continuous support. You rocks!
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-13-2019
It's been a LOOOONG time since I've used Active Directory, so I may need your help.
Here is my thought and you can tell me if I'm wrong.
1. Can you always use your email to authenticate with LDAP?
2. If not, can LDAP "return" the email address when you authenticate with an id/username?
The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.
We would need to figure out that part with LDAP.
RE: Using Userspice with Microsoft Active Directory - anasaz - 04-13-2019
(04-13-2019, 12:50 PM)mudmin Wrote: It's been a LOOOONG time since I've used Active Directory, so I may need your help.
Here is my thought and you can tell me if I'm wrong.
1. Can you always use your email to authenticate with LDAP?
2. If not, can LDAP "return" the email address when you authenticate with an id/username?
The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.
We would need to figure out that part with LDAP.
1. I'm not sure, but I believe yes we can.
2. yes LDAP will return the email address with many other attributes.
I did ldapsearch for our LDAP and it will return so many attribtes (fields) such as:
cn: username
displayName: (full name)
givenName: (first name)
sn: (last name)
title: user title
mail: email
and so many other attribute
so as you said, after successful ldap authentication, if the user has an account in the US DB, then login him in, otherwise create a new account for him (matching given attributes)
from your machine, try to run this command:
Code:
ldapsearch -h www.zflexldap.com -p 389 -D "uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com" -x -w guest2password -b "dc=zflexsoftware,dc=com" -s
sub "uid=guest2"this will return all user's attributes. then based on custom fields mappings, we can store these attribute to US users table.
I placed a code that will return all attributes for logged in user
https://pastebin.com/sVfXn0Z2
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-14-2019
(04-13-2019, 01:38 PM)anasaz Wrote:I'm still using that test server, so I don't think I can run commands directly from it. Let me check out everything else.(04-13-2019, 12:50 PM)mudmin Wrote: It's been a LOOOONG time since I've used Active Directory, so I may need your help.
Here is my thought and you can tell me if I'm wrong.
1. Can you always use your email to authenticate with LDAP?
2. If not, can LDAP "return" the email address when you authenticate with an id/username?
The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.
We would need to figure out that part with LDAP.
1. I'm not sure, but I believe yes we can.
2. yes LDAP will return the email address with many other attributes.
I did ldapsearch for our LDAP and it will return so many attribtes (fields) such as:
cn: username
displayName: (full name)
givenName: (first name)
sn: (last name)
title: user title
mail: email
and so many other attribute
so as you said, after successful ldap authentication, if the user has an account in the US DB, then login him in, otherwise create a new account for him (matching given attributes)
from your machine, try to run this command:
Code:ldapsearch -h www.zflexldap.com -p 389 -D "uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com" -x -w guest2password -b "dc=zflexsoftware,dc=com" -s
sub "uid=guest2"
this will return all user's attributes. then based on custom fields mappings, we can store these attribute to US users table.
I placed a code that will return all attributes for logged in user
https://pastebin.com/sVfXn0Z2
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-14-2019
Ahh. I'm looking at your pastebin and I understand now.
I guess here is my question... When I see
$ldapserver = 'www.zflexldap.com';
$ldapuser = 'uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com';
$ldappass = 'guest2password';
$ldaptree = "dc=zflexsoftware,dc=com";
How much of that information is static for the whole organization and would the user be expected to type in
uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com
Or would the system know everything except the "guest2" part?
RE: Using Userspice with Microsoft Active Directory - anasaz - 04-14-2019
It seems there are two methods to authenticate users using LDAP:
1) by using admin ldap search account. in this case one account will search the LDAP for the logged in user. then run another bind for the user to check. the benefit here, is that we dont need to include the long ldap user static information.
2) second method, is what we used earlier. allowing the logged in user to do the bind and check for his own attributes. but while I'm reading, I found out that some organizations doesn't allow all users to fitch LDAP entries even its own! beide that different users can be in different OUs (eg: employee1 inside OU=Employees but student1 inside OU=Students)
at our origanization, we have few systems that is connected to our Active Directory. and we use method # 1. I guess most open source systems do the same.
the main purpose of using admin account, is to get the user DN (full OU path), then use this DN to check the logged in user.
I have created a script using method # 1 (testing the free LDAP server) .. but I had to define the full admin username, because admin OU is different from users OU.
In our case I was able to use our admin search account and it worked fine with few users.
here is the code from pasteBin https://pastebin.com/8NNFNthK
RE: Using Userspice with Microsoft Active Directory - mudmin - 04-14-2019
Awesome thanks for this. I think we can figure out a way to make this integrate. I will take a look.