gregfr edited this page Jan 25, 2017 · 1 revision

WARNING! This document was written in 2012 for the old website. It is very outdated, but it may give you information on how to start using the plugin.


The LDAP (a.k.a. Active Directory) plugin

Posted on Monday, Feb 06, 2012 by Greg

The LDAP plugin shipped with PHPDevShell is a very basic illustration of using the PluggableAuth mechanism. If you want better LDAP support, you can easily use a third-party library (more to come). This page explains how to use the LDAP plugin for user authentication.

Note: "user authentication" is the process by which the system finds out the user ID of the person requesting access. It usually involves providing a username and a password, which are checked against a list of valid users. The LDAP connector is shipped with the PluggableAuth plugin, which adds support for external authentication methods, so make sure you have the PluggableAuth plugin installed.

The connector authenticates by binding to the Directory with the username and password the user provides. Other methods, such as binding with a fixed service credential, will be added in the future. The PluggableAuth mechanism allows several authentication schemes to work at the same time. We will therefore create a connector to our LDAP directory, and then declare it as the default scheme.

Let's start with the big part; the rest will be easy.

The connector

The connector class is the heart of the mechanism. It allows you to provide all the info needed to query the directory server, and optionally alter the way the authentication works.

Writing the connector class

In your project, create a folder "includes" if it's not already there. Then create a php file to hold your connector, let's say "ldap_sample.class.php":

```php
<?php
require_once dirname(__FILE__).'/../../PluggableAuth/includes/AUTH_ldap.class.php';

class ldap_sample extends AUTH_ldap
{
    protected $source = array(
        'url'         => 'ldap://ldap_addr/OU=test,DC=ldap,DC=phpdevshell,DC=org',
        'defaults'    => array('user_group' => 2, 'user_role' => 2),
        'namePattern' => '%s',
        'required'    => true
    );
}
```

We'll come back to the parameters; for now, just provide the LDAP URL used to access the directory.
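The connector's job is the simple bind described above: hand the Directory the username and password the user typed and see whether the server accepts them. The following is an added example, not code from the PHPDevShell plugin or from AUTH_ldap, showing the checks a practitioner would want around that bind: refusing an empty password (an "unauthenticated bind" with an empty password is accepted by many LDAP servers and would log anyone in), escaping the username before it is interpolated into a DN, and only sending the password over TLS. The function name, the split of the plugin's `url` value into a server URL plus a bind-DN pattern, and the `uid=` attribute in the usage line are assumptions; the real `lookupUser()` signature is not shown on this page.

```php
<?php
// Added example, not code from the PHPDevShell LDAP plugin: a hardened version
// of the check the connector performs, i.e. a simple bind to the directory with
// the credentials the user typed. The function name, the split of the plugin's
// 'url' into a server URL plus a bind-DN pattern, and the sample values are
// assumptions; the real AUTH_ldap::lookupUser() signature is not shown above.

/**
 * Return true only if the directory accepted a simple bind as $username with
 * $password. $bindPattern is an sprintf() pattern producing the full bind DN,
 * e.g. 'uid=%s,OU=test,DC=ldap,DC=phpdevshell,DC=org'.
 */
function ldap_check_credentials($serverUrl, $bindPattern, $username, $password)
{
    // An empty password must never reach ldap_bind(): RFC 4513 defines the
    // "unauthenticated bind" (DN set, empty password) and many servers accept
    // it, so the bind would "succeed" for any known user without a password.
    if (!is_string($password) || $password === '') {
        return false;
    }
    // Reject an empty or control-character-laden username before it is
    // interpolated into a DN.
    if (!is_string($username) || $username === '' || preg_match('/[\x00-\x1f]/', $username)) {
        return false;
    }

    $conn = ldap_connect($serverUrl);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // never follow referrals with user credentials

    // Only send the password over TLS: a plain ldap:// URL is cleartext unless
    // StartTLS is negotiated first.
    if (strpos($serverUrl, 'ldaps://') !== 0 && !@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    // Escape the username for DN syntax (PHP >= 5.6) so that input such as
    // "bob,OU=admins" or "*" cannot change which entry the bind targets.
    $bindDn = sprintf($bindPattern, ldap_escape($username, '', LDAP_ESCAPE_DN));

    $ok = @ldap_bind($conn, $bindDn, $password);
    ldap_unbind($conn);
    return $ok === true;
}

// Usage with the OU from the connector above (uid= attribute is assumed):
// $ok = ldap_check_credentials('ldap://ldap_addr',
//     'uid=%s,OU=test,DC=ldap,DC=phpdevshell,DC=org', $username, $password);
```

The plugin itself combines its `url` and `namePattern` settings to reach the same bind DN; the example folds both into a single pattern so the escaping step is visible in one place. If your directory expects a user principal name (user@domain) instead of a DN, the escaping and assembly of the bind identity differ and this function would need adjusting.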

Activating the class

For the shell to use the class we just wrote, we need to declare it in the plugin config file (config/plugin.config.xml) by adding the following lines:

(note: if you already have such a clause, just add the declaration to it)

Now go to the Plugin Management page and re-install your plugin.

Making LDAP the default scheme

Now that our plugin is known to the system, it allows existing users to authenticate against the Directory. What about new users?

The plugin ships with a beta version of a special class, PHPDS_importUser, which can be used to create new users in the PHPDevShell database. You can use it in your own connector so that a new user is created when the credentials are correct. Keep in mind that this turns every valid directory account into a local account with whatever groups and roles you list in defaultGroups and defaultRoles, so choose those defaults with the least privilege you can:

```php
<?php
require_once dirname(__FILE__).'/../../PluggableAuth/includes/AUTH_ldap.class.php';
require_once dirname(__FILE__).'/../../PluggableAuth/includes/PHPDS_importUser.class.php';

class ldap_sample extends AUTH_ldap
{
    protected $source = array(
        'url'           => 'ldap://ldap_addr/OU=test,DC=ldap,DC=phpdevshell,DC=org',
        'defaults'      => array('user_group' => 2, 'user_role' => 2),
        'namePattern'   => '%s',
        'defaultGroups' => array(11),   // groups given to every auto-created user
        'defaultRoles'  => array(10),   // roles given to every auto-created user
        'required'      => true
    );

    /**
     * Called once the directory has accepted the credentials of a user the
     * local database does not know yet. The LDAP password ($password) is
     * deliberately never stored: the local password field only records which
     * auth source the user belongs to (see "Behind the scene" below).
     */
    public function addUser($username, $password, $sourceName = null)
    {
        // Fall back to this connector's class name so the row always carries a
        // source marker even if the caller did not pass one.
        if ($sourceName === null) {
            $sourceName = get_class($this);
        }

        $newUser  = $this->factory('PHPDS_importUser');
        $userData = array('user_id' => 0, 'user_name' => $username, 'user_password' => $sourceName);
        $userData = array_merge($this->source['defaults'], $userData);
        $newUser->import($userData);

        if (is_array($this->source['defaultGroups'])) {
            foreach ($this->source['defaultGroups'] as $gID) {
                $newUser->addGroup($gID);
            }
        }
        if (is_array($this->source['defaultRoles'])) {
            foreach ($this->source['defaultRoles'] as $rID) {
                $newUser->addRole($rID);
            }
        }

        $newUser->save();
    }
}
```

Now that we have a full connector, we just have to tell the framework it is the default connector, so it is used for unknown users. In the "...config.php" file of the site that will use our connector, add the following:

```php
$configuration['auth']['default'] = 'ldap_sample';
```

Note: there is no "default connector" unless you specify one. In that case, only the built-in mechanism (MD5 password in the database) is used, and unknown users are simply rejected.

Behind the scene

This mechanism only checks the given credentials against the configured Directory. The credentials are passed in by the underlying PluggableAuth system, which is called by the login system.

To specify which auth source a known user should be checked against, the regular password field of the _db_core_users table is reused: it holds either the (local) MD5 hash or a special "source" marker naming the connector (in our example, the stored value would be "ldap_sample", which cannot be mistaken for a 32-character hexadecimal MD5 hash).

As you can see, besides holding its own data, the connector has two functions: a mandatory lookupUser() and an optional addUser(). It has no other constraints.
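The routing described in "Behind the scene" (password field as MD5 hash or source marker, default connector for unknown users, lookupUser()/addUser() on the connector) can be modelled stand-alone. The following is an added example, not PHPDevShell or PluggableAuth code: the user table is a constructed array standing in for _db_core_users, the connector consults a constructed in-memory "directory" instead of binding to LDAP, and the function and class names are assumptions chosen for the illustration.

```php
<?php
// Added example, not code from PHPDevShell: a stand-alone model of how the
// login system routes a user to the right auth source. The table rows, the
// connector class and the helper names are constructed for the example; the
// real PluggableAuth / _db_core_users API is not shown on the page.

// Constructed stand-in for the _db_core_users table. The user_password column
// holds either an MD5 hash (local, built-in scheme) or a connector name.
$users = array(
    'alice' => array('user_id' => 1, 'user_password' => md5('alice-secret')), // local user
    'bob'   => array('user_id' => 2, 'user_password' => 'ldap_sample'),        // external user
);

// A connector with the two functions the text names: lookupUser() and addUser().
// The "directory" is a constructed array; the real class binds to LDAP instead.
class ldap_sample_demo
{
    private $directory = array('bob' => 'bob-ldap-pw', 'carol' => 'carol-ldap-pw');

    public function lookupUser($username, $password)
    {
        return isset($this->directory[$username])
            && hash_equals($this->directory[$username], (string) $password);
    }

    public function addUser($username, $password, $sourceName = null)
    {
        // As in the connector above: the stored "password" is the source name,
        // never the directory password, so the local table cannot leak it.
        return array('user_name'     => $username,
                     'user_password' => $sourceName !== null ? $sourceName : get_class($this));
    }
}

/** 'local' for a 32-hex-digit MD5 hash; otherwise the stored value names a connector. */
function auth_source_of($stored)
{
    return preg_match('/^[0-9a-f]{32}$/i', $stored) ? 'local' : $stored;
}

/**
 * Authenticate and return the user_id, or false. $connectors maps connector
 * names to instances; $default plays the role of $configuration['auth']['default']
 * (null = no default connector, so unknown users are rejected).
 */
function authenticate($username, $password, array &$users, array $connectors, $default = null)
{
    if (!is_string($password) || $password === '') {   // never pass an empty password to any source
        return false;
    }

    if (isset($users[$username])) {
        $source = auth_source_of($users[$username]['user_password']);
        if ($source === 'local') {
            // Legacy unsalted MD5, as the built-in scheme stores it; constant-time compare.
            return hash_equals($users[$username]['user_password'], md5($password))
                ? $users[$username]['user_id'] : false;
        }
        if (!isset($connectors[$source])) {
            return false;   // the recorded source is not registered any more
        }
        return $connectors[$source]->lookupUser($username, $password)
            ? $users[$username]['user_id'] : false;
    }

    // Unknown user: only the default connector may vouch for, and create, one.
    if ($default === null || !isset($connectors[$default])) {
        return false;
    }
    if (!$connectors[$default]->lookupUser($username, $password)) {
        return false;
    }
    $row = $connectors[$default]->addUser($username, $password, $default);
    $row['user_id'] = count($users) + 1;   // stand-in for the auto-increment id
    $users[$username] = $row;
    return $row['user_id'];
}

$connectors = array('ldap_sample' => new ldap_sample_demo());
var_dump(authenticate('alice', 'alice-secret',  $users, $connectors, 'ldap_sample'));
var_dump(authenticate('bob',   'bob-ldap-pw',   $users, $connectors, 'ldap_sample'));
var_dump(authenticate('carol', 'carol-ldap-pw', $users, $connectors, 'ldap_sample'));
var_dump(authenticate('carol', 'wrong',         $users, $connectors, null));
var_dump($users['carol']['user_password']);
```

Running it walks through the four cases in the text: alice is resolved locally from her MD5 hash, bob's row carries the marker "ldap_sample" and is checked against that connector, carol is unknown so the default connector vouches for her and a row is created with "ldap_sample" as its password-field value, and a later wrong password for carol is refused by the connector rather than by any local hash.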