The following warnings occurred:
Warning [2] Undefined variable $unreadreports - Line: 26 - File: global.php(961) : eval()'d code PHP 8.1.2-1ubuntu2.14 (Linux)
File Line Function
/global.php(961) : eval()'d code 26 errorHandler->error
/global.php 961 eval
/showthread.php 28 require_once





× This forum is read only. As of July 23, 2019, the UserSpice forums have been closed. To receive support, please join our Discord by clicking here. Thank you!

  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Using Userspice with Microsoft Active Directory
#11
Do you have an ldap server we could use for testing?
  Reply
#12
There is a free online LDAP server for testing. I have tested it and it works fine. 
http://www.forumsys.com/tutorials/integr...st-server/

To test it first, please download the free LDAP Admin application from http://www.ldapadmin.org/download/ldapadmin.html

when you launch the LDAP admin, configure your connection as shown in the attached image

Host: ldap.forumsys.com
Host: 389
Ver: 3
Base: dc=example,dc=com
Simple authentication
username: cn=read-only-admin,dc=example,dc=com
password: password

------------------------------------------------------------------------------------------------------------------------------------------

Another free public LDAP server (tested)
https://www.zflexldapadministrator.com/i...nline-ldap

Server: www.zflexldap.com 
Port: 389


Bind DN: cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com
Bind Password: zflexpass


---------------------------------------------------------------------------------------------------------------------------------------------

Thanks for your help and support.


Attached Files Thumbnail(s)
   
  Reply
#13
I wrote a proof of concept ldap login. No form. Hard coded credentials in the php file and used it to connect to that second demo server you sent. Can you test it? Feel free to edit the credentials.

By default, when you load this page it should try to authenticate with the demo server and if it's successful, it will log you in as user 2. If you don't have one in your db, change the id on this file or create one. Please let me know what happens.

Put this file in your root directory and call it ldap.php or whatever.
https://pastebin.com/5qNuvtM4
  Reply
#14
The proof of concept worked fine with me. Thanks. 

I even tried it with our LDAP and it works perfectly fine. 

But this will lead to so many further questions and steps to fully integrate it with US.

1) Normally you bind a username & password that has the ability to search the LDAP for the requested username/password (bind search username)
2) Link the login page to use LDAP login option
3) Add an option to disable "reset password" (hiding registration already there)
4) Map user's attributes (fields) to US attributes (e.g: ldap_name:US_name, ldap_email:US_email ... etc) 

I'm attaching an Active Directory configuration page for the open source Booked (previously PhpScheduleIt).

Thanks again for your continuous support. You rocks!


Attached Files Thumbnail(s)
   
  Reply
#15
It's been a LOOOONG time since I've used Active Directory, so I may need your help.

Here is my thought and you can tell me if I'm wrong.

1. Can you always use your email to authenticate with LDAP?
2. If not, can LDAP "return" the email address when you authenticate with an id/username?

The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.

We would need to figure out that part with LDAP.
  Reply
#16
(04-13-2019, 12:50 PM)mudmin Wrote: It's been a LOOOONG time since I've used Active Directory, so I may need your help.  

Here is my thought and you can tell me if I'm wrong.

1. Can you always use your email to authenticate with LDAP?  
2. If not, can LDAP "return" the email address when you authenticate with an id/username?

The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.

We would need to figure out that part with LDAP.

1. I'm not sure, but I believe yes we can. 
2. yes LDAP will return the email address with many other attributes.

I did ldapsearch for our LDAP and it will return so many attribtes (fields) such as:

cn: username
displayName:   (full name)
givenName: (first name)
sn: (last name)
title: user title
mail: email
and so many other attribute

so as you said, after successful ldap authentication, if the user has an account in the US DB, then login him in, otherwise create a new account for him (matching given attributes)

from your machine, try to run this command:

Code:
ldapsearch -h www.zflexldap.com -p 389 -D "uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com" -x -w guest2password -b "dc=zflexsoftware,dc=com" -s
sub "uid=guest2"

this will return all user's attributes. then based on custom fields mappings, we can store these attribute to US users table.

I placed a code that will return all attributes for logged in user

https://pastebin.com/sVfXn0Z2
  Reply
#17
(04-13-2019, 01:38 PM)anasaz Wrote:
(04-13-2019, 12:50 PM)mudmin Wrote: It's been a LOOOONG time since I've used Active Directory, so I may need your help.  

Here is my thought and you can tell me if I'm wrong.

1. Can you always use your email to authenticate with LDAP?  
2. If not, can LDAP "return" the email address when you authenticate with an id/username?

The way the other OAUTH logins work is if you successfully authenticate, we do a lookup on the users table to see if your email is in there. If it is, we log you in as that user. If it isn't, we automatically create an account for you.

We would need to figure out that part with LDAP.

1. I'm not sure, but I believe yes we can. 
2. yes LDAP will return the email address with many other attributes.

I did ldapsearch for our LDAP and it will return so many attribtes (fields) such as:

cn: username
displayName:   (full name)
givenName: (first name)
sn: (last name)
title: user title
mail: email
and so many other attribute

so as you said, after successful ldap authentication, if the user has an account in the US DB, then login him in, otherwise create a new account for him (matching given attributes)

from your machine, try to run this command:

Code:
ldapsearch -h www.zflexldap.com -p 389 -D "uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com" -x -w guest2password -b "dc=zflexsoftware,dc=com" -s
sub "uid=guest2"

this will return all user's attributes. then based on custom fields mappings, we can store these attribute to US users table.

I placed a code that will return all attributes for logged in user

https://pastebin.com/sVfXn0Z2
I'm still using that test server, so I don't think I can run commands directly from it.    Let me check out everything else.
  Reply
#18
Ahh. I'm looking at your pastebin and I understand now.

I guess here is my question... When I see
$ldapserver = 'www.zflexldap.com';
$ldapuser = 'uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com';
$ldappass = 'guest2password';
$ldaptree = "dc=zflexsoftware,dc=com";

How much of that information is static for the whole organization and would the user be expected to type in
uid=guest2,ou=users,ou=guests,dc=zflexsoftware,dc=com

Or would the system know everything except the "guest2" part?
  Reply
#19
It seems there are two methods to authenticate users using LDAP:

1) by using admin ldap search account. in this case one account will search the LDAP for the logged in user. then run another bind for the user to check. the benefit here, is that we dont need to include the long ldap user static information.

2) second method, is what we used earlier. allowing the logged in user to do the bind and check for his own attributes. but while I'm reading, I found out that some organizations doesn't allow all users to fitch LDAP entries even its own! beide that different users can be in different OUs (eg: employee1 inside OU=Employees but student1 inside OU=Students)

at our origanization, we have few systems that is connected to our Active Directory. and we use method # 1. I guess most open source systems do the same.

the main purpose of using admin account, is to get the user DN (full OU path), then use this DN to check the logged in user.

I have created a script using method # 1 (testing the free LDAP server) .. but I had to define the full admin username, because admin OU is different from users OU.

In our case I was able to use our admin search account and it worked fine with few users.

here is the code from pasteBin https://pastebin.com/8NNFNthK
  Reply
#20
Awesome thanks for this. I think we can figure out a way to make this integrate. I will take a look.
  Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)