Sharing: LDAP Integration

snifty
Posts: 40
Joined: Thu Aug 26, 2010 2:21 pm

Sharing: LDAP Integration

Post by snifty »

Version of script: 2.5.2

As I needed LDAP-Logon for our Hesk-Admins, I figured out how to implement this easily, and so I wanted to share this with everybody else.

Maybe Klemen can use it and adopt it in the next version (with a checkbox in the admin-settings to enable or disable LDAP)…

What the code does:
The given username and password are verified with LDAP, and if they fit you're logged on. Otherwise the credentials are checked against the local Hesk-Database.

To implement, copy the following lines to hesk\admin\index.php (below line 178):

Code: Select all

    /////////////////////////////////////////////////
    // *** Parameter for LDAP-Check ***
    $ldap_server = "ldap://192.168.0.1";
    $auth_dc = "@yourdomain.com";
    $auth_user_full = $user.$auth_dc;
    $errorcode = "";

    if ($connect=@ldap_connect($ldap_server)) {
        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

        // An empty password would be an unauthenticated bind, which many
        // servers accept, so never count it as a successful logon.
        if ($pass !== "" && ($bind=@ldap_bind($connect, $auth_user_full, $pass))) {
            // Right password: LDAP accepted the credentials.
        }
        else {
            // Wrong password: fall back to the local HESK database check.
            $errorcode = "wrong_ldap_pass__try_local_DB_pass";
        }
    }
    else {
        // No connection to LDAP-Server possible: still run the local
        // database check instead of skipping the password check.
        $errorcode = "wrong_ldap_pass__try_local_DB_pass";
    }
    ////////////////////////////////////////////////

    if ($errorcode == "wrong_ldap_pass__try_local_DB_pass"){

Close the if-Statement in line 213 (below the /* Check password */ Part)

I hope this helps somebody else to save some time!
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Sharing: LDAP Integration

Post by Klemen »

Thanks for sharing your LDAP integration.

I don't have any LDAP experience myself so I will need to look into it and learn more about it before including it in the official release.
Klemen, creator of HESK and PHPJunkyard
vladsn07
Posts: 12
Joined: Wed Oct 16, 2013 12:33 pm

Re: Sharing: LDAP Integration

Post by vladsn07 »

I cannot. I do not quite understand which lines. How can I make some lines on the home page so that some of the rows are entered automatically?
snifty
Posts: 40
Joined: Thu Aug 26, 2010 2:21 pm

Re: Sharing: LDAP Integration

Post by snifty »

Not sure what you mean.

All you have to do is paste the code to the file.
Then edit those 2 lines to your needs:

    $ldap_server = "ldap://192.168.0.1";
    $auth_dc = "@yourdomain.com";

One thing to note: the username in your Active Directory (LDAP) should be the same as in your local HESK-Database.
Hairball
Posts: 4
Joined: Sat Nov 01, 2014 1:26 am

Re: Sharing: LDAP Integration

Post by Hairball »

Hey this is great! Any chance we can have it allow only one LDAP group?
mkoch227
Posts: 666
Joined: Wed Jul 04, 2012 3:37 pm

Re: Sharing: LDAP Integration

Post by mkoch227 »

I tried in the past to set up LDAP, but I kept getting errors saying that I didn't have any LDAP libraries installed in my PHP installation. Do you know if your LDAP script works with a basic PHP installation, or would one need to add additional libraries to their installation?
Mike, Lead Developer of Image HESK: A surprisingly simple, user-friendly and FREE help desk software with integrated knowledgebase.
snifty
Posts: 40
Joined: Thu Aug 26, 2010 2:21 pm

Re: Sharing: LDAP Integration

Post by snifty »

For me it worked just adding the lines. No special libraries required.
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Sharing: LDAP Integration

Post by Klemen »

LDAP support in PHP is not enabled by default; you may need to recompile your PHP (or enable the extension on Windows):
http://php.net/manual/en/ldap.installation.php
zeclad01
Posts: 1
Joined: Wed Mar 25, 2015 3:03 pm

Re: Sharing: LDAP Integration

Post by zeclad01 »

Thanks a lot man, it's not a sexy way to do it but it works. I'm on version 2.6.2.

But please use TLS between client and webserver and between webserver and LDAP server, because your password is plain text on the network. Look on your webserver with tcpdump and open the capture with Ethereal or Wireshark:

    tcpdump -i ens32 -vv -w /tmp/ldap.dump

(-i = name of interface
-vv = for verbose
-w = save to file)

So you need to use HTTPS and LDAPS.

For people who are lost, add snifty's code like this
(and yes, the account needs to be created by hand before login):

Code: Select all

    /* User entered all required info, now lets limit brute force attempts */
    hesk_limitBfAttempts();

    $result = hesk_dbQuery("SELECT * FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."users` WHERE `user` = '".hesk_dbEscape($user)."' LIMIT 1");
    if (hesk_dbNumRows($result) != 1)
    {
        hesk_session_stop();
        $_SESSION['a_iserror'] = array('user','pass');
        hesk_process_messages($hesklang['wrong_user'],'NOREDIRECT');
        print_login();
        exit();
    }

    $res=hesk_dbFetchAssoc($result);
    foreach ($res as $k=>$v)
    {
        $_SESSION[$k]=$v;
    }

    /////////////////////////////////////////////////
    // *** Parameter for LDAP-Check ***
    $ldap_server = "ldaps://192.168.1.1";
    $auth_dc = "@mydomain.local";
    $auth_user_full = $user.$auth_dc;
    $errorcode = "";

    if ($connect=@ldap_connect($ldap_server)) {
        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
        // Debug output removed: it printed the user name and the plain-text
        // password into the login page.

        // An empty password would be an unauthenticated bind, which many
        // servers accept, so never count it as a successful logon.
        if ($pass !== "" && ($bind=@ldap_bind($connect, $auth_user_full, $pass))) {
            // Right password: LDAP accepted the credentials.
        }
        else {
            // Wrong password: fall back to the local HESK database check.
            $errorcode = "wrong_ldap_pass__try_local_DB_pass";
        }
    }
    else {
        // No connection to LDAP-Server possible: still run the local
        // database check instead of skipping the password check.
        $errorcode = "wrong_ldap_pass__try_local_DB_pass";
    }
    ////////////////////////////////////////////////

    if ($errorcode == "wrong_ldap_pass__try_local_DB_pass"){
        /* Check password */
        if (hesk_Pass2Hash($pass) != $_SESSION['pass'])
        {
            hesk_session_stop();
            $_SESSION['a_iserror'] = array('pass');
            hesk_process_messages($hesklang['wrong_pass'],'NOREDIRECT');
            print_login();
            exit();
        }
    }
    $pass_enc = hesk_Pass2Hash($_SESSION['pass'].strtolower($user).$_SESSION['pass']);

    /* Check if default password */

If I keep HESK for my company, I'm going to work on LDAP group.
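
Added example (not part of any post in this thread and not HESK code): one way to write the LDAP check with the points raised here applied, namely LDAPS with certificate verification, no logon on an empty password or a failed connection, and access limited to one group as Hairball asked. The host, UPN suffix, base DN, group DN and the function name `example_ldap_login` are placeholders; it assumes Active Directory attributes (`sAMAccountName`, `memberOf`) and that the HESK user name equals the `sAMAccountName`.

```php
<?php
// Added example, not HESK code. All four constants are placeholders.
const AD_URI        = 'ldaps://dc1.example.test';   // LDAPS, not ldap://
const AD_UPN_SUFFIX = '@example.test';
const AD_BASE_DN    = 'DC=example,DC=test';
const AD_GROUP_DN   = 'CN=Helpdesk Staff,OU=Groups,DC=example,DC=test';

/**
 * Hypothetical helper: true only if the directory accepts the credentials
 * AND the account is a direct member of AD_GROUP_DN. Every failure returns
 * false, so the caller can fall back to the local password check.
 */
function example_ldap_login(string $user, string $pass): bool
{
    // An empty password makes a simple bind "unauthenticated", which many
    // directories report as success. Also keep odd characters out of the UPN.
    if ($pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }

    // Require a valid server certificate; set globally before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;                        // fail closed
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    $ok = false;
    if (@ldap_bind($conn, $user . AD_UPN_SUFFIX, $pass)) {
        // Bound as the user: look for this account with the required group.
        $filter = sprintf(
            '(&(sAMAccountName=%s)(memberOf=%s))',
            ldap_escape($user, '', LDAP_ESCAPE_FILTER),
            ldap_escape(AD_GROUP_DN, '', LDAP_ESCAPE_FILTER)
        );
        $res = @ldap_search($conn, AD_BASE_DN, $filter, ['cn']);
        $ok  = $res !== false && ldap_count_entries($conn, $res) === 1;
    }
    ldap_unbind($conn);
    return $ok;
}
```

In the code posted above, a `false` result would take the place of setting `$errorcode`, so the local HESK password check still runs. The `memberOf` filter matches direct group membership only.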
tdemeyer
Posts: 12
Joined: Wed Jan 24, 2007 12:34 pm

Re: Sharing: LDAP Integration

Post by tdemeyer »

We are running 2.5.5 with the AD/LDAP mod.

Can anyone verify/confirm this mod still works for 2.6.6? (Do I simply keep my 'old' \admin\index.php file, or are there code changes on this page?)
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Sharing: LDAP Integration

Post by Klemen »

Definitely do NOT keep the old files as this might result in a broken update.

I didn't try it, but my guess is you will need to modify the new admin/index.php with the code between ////////////////////////////////////////////////

Whatever you do, make sure you:
1. back up all existing files and the database first
2. if at all possible, install a clean copy of 2.6.6 in a test folder first, make changes and see if it works there
snifty
Posts: 40
Joined: Thu Aug 26, 2010 2:21 pm

Re: Sharing: LDAP Integration

Post by snifty »

Do it just like Klemen says. And it is still working. :D
tdemeyer
Posts: 12
Joined: Wed Jan 24, 2007 12:34 pm

Re: Sharing: LDAP Integration

Post by tdemeyer »

Hi Klemen,

LDAP integration has been running fine for a few years now. Is there any chance it will become integrated in a near-future release? I'm always somewhat reluctant to upgrade to new versions, knowing I have to edit the index file each time (and not knowing if the changed code will still work with the new release...)
Klemen
Site Admin
Posts: 10145
Joined: Fri Feb 11, 2005 4:04 pm

Re: Sharing: LDAP Integration

Post by Klemen »

The problem is I don't have any experience with LDAP at all so I find it difficult to develop, maintain and support it.

I will look into it, but can't give any promises.
snifty
Posts: 40
Joined: Thu Aug 26, 2010 2:21 pm

Re: Sharing: LDAP Integration

Post by snifty »

Yeah, this would be great!

But as zeclad01 mentioned, please use ldaps instead of ldap.