Sharing: LDAP Integration
Posted: Tue Oct 15, 2013 8:33 am
by snifty
Version of script: 2.5.2
As I needed LDAP-Logon for our Hesk-Admins, I figured out how to implement this easily, so I wanted to share it with everybody else.
Maybe Klemen can adapt it for the next version (with a checkbox in the admin-settings to enable or disable LDAP)…
What the code does:
The given username and password are verified with LDAP, and if they fit you’re logged on. Otherwise the credentials are checked against the local Hesk-Database.
To implement, copy the following lines to hesk\admin\index.php (below line 178):
Code:
/////////////////////////////////////////////////
// *** Parameter for LDAP-Check ***
$ldap_server = "ldap://192.168.0.1";
$auth_dc = "@yourdomain.com";
$auth_user_full = $user.$auth_dc;
$errorcode = "";
if ($connect=@ldap_connect($ldap_server)) {
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
    // An empty password turns ldap_bind() into an unauthenticated bind, which many
    // servers accept, so it is never sent and counts as a failed LDAP check
    if ($pass !== "" && ($bind=@ldap_bind($connect, $auth_user_full, $pass))) {
        //echo "Right password!";
    }
    else {
        //echo "Wrong password!";
        $errorcode = "wrong_ldap_pass__try_local_DB_pass";
    }
}
else {
    echo "No connection to LDAP-Server possible.";
    // Without this the local password check below would be skipped when LDAP is unreachable
    $errorcode = "wrong_ldap_pass__try_local_DB_pass";
}
////////////////////////////////////////////////
if ($errorcode == "wrong_ldap_pass__try_local_DB_pass"){
Close the if-Statement in line 213 (below the /* Check password */ Part)
I hope this helps somebody else to save some time!
Re: Sharing: LDAP Integration
Posted: Tue Oct 15, 2013 4:39 pm
by Klemen
Thanks for sharing your LDAP integration.
I don't have any LDAP experience myself so I will need to look into it and learn more about it before including it in the official release.
Re: Sharing: LDAP Integration
Posted: Wed Oct 16, 2013 12:34 pm
by vladsn07
I can't. I don't quite understand which lines. How can I make some of the rows on the home page be entered automatically?
Re: Sharing: LDAP Integration
Posted: Wed Oct 16, 2013 12:59 pm
by snifty
Not sure what you mean.
All you have to do is paste the code to the file.
Then edit those 2 lines to your needs:
$ldap_server = "ldap://192.168.0.1";
$auth_dc = "@yourdomain.com";
One thing said: the username in your Active Directory (LDAP) should be the same as in your local HESK-Database.
Re: Sharing: LDAP Integration
Posted: Sat Nov 01, 2014 1:28 am
by Hairball
Hey this is great! Any chance we can have it allow only one LDAP group?
Re: Sharing: LDAP Integration
Posted: Sun Nov 02, 2014 3:27 pm
by mkoch227
I tried in the past to set up LDAP, but I kept getting errors saying that I didn't have any LDAP libraries installed in my PHP installation. Do you know if your LDAP script works with a basic PHP installation, or would one need to add additional libraries to their installation?
Re: Sharing: LDAP Integration
Posted: Tue Nov 04, 2014 8:55 am
by snifty
For me it worked just adding the lines. No special libraries required.
Re: Sharing: LDAP Integration
Posted: Tue Nov 04, 2014 3:56 pm
by Klemen
LDAP support in PHP is not enabled by default; you may need to recompile your PHP (or enable the extension on Windows):
http://php.net/manual/en/ldap.installation.php
Re: Sharing: LDAP Integration
Posted: Wed Mar 25, 2015 4:00 pm
by zeclad01
Thanks a lot man, it's not a sexy way to do it but it works. I'm on version 2.6.2.
But please use TLS between client and webserver and between webserver and LDAP server.
Because your password is in plain text on the network. Look at it on your webserver with tcpdump and open the capture with Ethereal or Wireshark:
tcpdump -i ens32 -vv -w /tmp/ldap.dump
(-i = name of interface
-vv = for verbose
-w = save to file)
So you need to use HTTPS and LDAPS.
For people who are lost, add snifty's code like this:
(and yes, the account needs to be created by hand before login)
Code:
/* User entered all required info, now lets limit brute force attempts */
hesk_limitBfAttempts();
$result = hesk_dbQuery("SELECT * FROM `".hesk_dbEscape($hesk_settings['db_pfix'])."users` WHERE `user` = '".hesk_dbEscape($user)."' LIMIT 1");
if (hesk_dbNumRows($result) != 1)
{
    hesk_session_stop();
    $_SESSION['a_iserror'] = array('user','pass');
    hesk_process_messages($hesklang['wrong_user'],'NOREDIRECT');
    print_login();
    exit();
}
$res=hesk_dbFetchAssoc($result);
foreach ($res as $k=>$v)
{
    $_SESSION[$k]=$v;
}
/////////////////////////////////////////////////
// *** Parameter for LDAP-Check ***
$ldap_server = "ldaps://192.168.1.1";
$auth_dc = "@mydomain.local";
$auth_user_full = $user.$auth_dc;
$errorcode = "";
if ($connect=@ldap_connect($ldap_server)) {
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
    // Debug output removed: it printed the cleartext password into the login page
    // An empty password would be an unauthenticated bind, so it is never sent
    if ($pass !== "" && ($bind=@ldap_bind($connect, $auth_user_full, $pass))) {
        //echo "Right password!";
    }
    else {
        //echo "Wrong password!";
        $errorcode = "wrong_ldap_pass__try_local_DB_pass";
    }
}
else {
    echo "No connection to LDAP-Server possible.";
    // Without this the local password check below would be skipped when LDAP is unreachable
    $errorcode = "wrong_ldap_pass__try_local_DB_pass";
}
////////////////////////////////////////////////
if ($errorcode == "wrong_ldap_pass__try_local_DB_pass"){
    /* Check password */
    if (hesk_Pass2Hash($pass) != $_SESSION['pass'])
    {
        hesk_session_stop();
        $_SESSION['a_iserror'] = array('pass');
        hesk_process_messages($hesklang['wrong_pass'],'NOREDIRECT');
        print_login();
        exit();
    }
}
$pass_enc = hesk_Pass2Hash($_SESSION['pass'].strtolower($user).$_SESSION['pass']);
/* Check if default password */
If I keep HESK for my company, I'm going to work on LDAP group.
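Added example (not part of the posts above and not HESK code): the same bind-then-fall-back check written so that it refuses cleartext ldap://, never sends an empty password, requires a valid server certificate, and treats every failure as "still run the local password check". The function names ldap_check() and real_ldap_bind() and the example.test values are assumptions; the fake binder at the end is constructed so the decision logic runs without a directory server.

```php
<?php
// Added example, not HESK code: ldap_check() and real_ldap_bind() are hypothetical names.
// 'ldap_ok' is returned only when the directory accepted the password; every other
// outcome is 'try_local', meaning the local HESK password check must still run.
function ldap_check(string $uri, string $user, string $domain, string $pass, ?callable $bind = null): string
{
    // Refuse cleartext ldap:// so the password never crosses the network unencrypted.
    if (stripos($uri, 'ldaps://') !== 0) {
        return 'try_local';
    }
    // A bind with an empty password is an unauthenticated bind, which many
    // directory servers answer with success.
    if ($user === '' || $pass === '') {
        return 'try_local';
    }
    $bind = $bind ?? 'real_ldap_bind';
    return $bind($uri, $user . $domain, $pass) === true ? 'ldap_ok' : 'try_local';
}

function real_ldap_bind(string $uri, string $upn, string $pass): bool
{
    if (!function_exists('ldap_connect')) {
        return false; // PHP LDAP extension not enabled
    }
    // Set globally before connecting: reject servers without a valid certificate.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $conn = @ldap_connect($uri);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);
    $ok = @ldap_bind($conn, $upn, $pass);
    ldap_unbind($conn);
    return $ok === true;
}

// Constructed stand-in for the directory, so the decision logic runs offline.
$fake = fn($uri, $upn, $pass) => $upn === 'alice@example.test' && $pass === 'correct horse';
$cases = [
    ['ldaps://ldap.example.test', 'alice', 'correct horse'],
    ['ldaps://ldap.example.test', 'alice', ''],
    ['ldap://ldap.example.test',  'alice', 'correct horse'],
    ['ldaps://ldap.example.test', 'alice', 'wrong'],
];
foreach ($cases as [$uri, $user, $pass]) {
    printf("%-26s pass=%-16s => %s\n", $uri, var_export($pass, true), ldap_check($uri, $user, '@example.test', $pass, $fake));
}
```

Only the first constructed case yields `ldap_ok`; the empty password, the cleartext URI and the wrong password all yield `try_local`.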
Re: Sharing: LDAP Integration
Posted: Tue Feb 09, 2016 3:53 pm
by tdemeyer
We are running 2.5.5 with the AD/LDAP mod.
Can anyone verify/confirm this mod still works for 2.6.6? Do I simply keep my 'old' \admin\index.php file, or are there code changes on this page?
Re: Sharing: LDAP Integration
Posted: Tue Feb 09, 2016 4:26 pm
by Klemen
Definitely do NOT keep the old files as this might result in a broken update.
I didn't try it, but my guess is you will need to modify the new admin/index.php with the code between ////////////////////////////////////////////////
Whatever you do, make sure you:
1. backup all existing files and database first
2. if at all possible, install a clean copy 2.6.6 in a test folder first, make changes and see if it works there
Re: Sharing: LDAP Integration
Posted: Tue Feb 09, 2016 8:15 pm
by snifty
Do it just like Klemen says. And it is still working.

Re: Sharing: LDAP Integration
Posted: Tue Nov 22, 2016 7:27 am
by tdemeyer
Hi Klemen,
LDAP integration has been running fine for a few years now. Is there any chance it will become integrated in a near-future release? I'm always somewhat reluctant to upgrade to new versions, knowing I have to edit the index file each time (and not knowing if the changed code will still work with the new release...)
Re: Sharing: LDAP Integration
Posted: Tue Nov 22, 2016 11:32 am
by Klemen
The problem is I don't have any experience with LDAP at all so I find it difficult to develop, maintain and support it.
I will look into it, but can't give any promises.
Re: Sharing: LDAP Integration
Posted: Tue Nov 22, 2016 11:36 am
by snifty
Yeah, this would be great!
But as zeclad01 mentioned, please use ldaps instead of ldap.