
Win2k LDAP Server Authentication


Ashley Knowles

Monday 26 September 2005 11:36:13 pm

Okay, I am running a multidomain Active Directory tree here, and users must therefore log on to the LDAP server in the form <username>@<domain name>.

The problem with this is that the SAM Account Name is not equal to <username>@<domain name>.

I have tried modifying the source code, in the files mentioned in the AD 2003 Hack, but still cannot manage to get it right.

If anyone could let me know how the config file should be setup to work with Active Directory then that would be great. In particular the group related fields as I cannot seem to find any information on what these actually do or what they should reference.

Ashley Knowles

Tuesday 27 September 2005 11:20:50 pm

Further to this, AD stores usernames in the LDAP field "samaccountname". As people log on using username@domain, when eZ publish queries the LDAP server, it cannot find username@domain, because samaccountname only holds the username part.

Ashley Knowles

Tuesday 04 October 2005 8:08:04 pm

*bump*

Anybody at all got an idea?

Gunnstein Lye

Friday 14 October 2005 1:56:46 am

Did you find out anything? If not, I'll try to answer this soon.

(I'll wait for your reply.)

best regards

Ashley Knowles

Monday 07 November 2005 6:35:31 pm

Absolutely nothing....

Gunnstein Lye

Tuesday 08 November 2005 1:19:51 am

All right then, I'll give it a shot. Disclaimer: I know nothing about Active Directory.

First: If your LDAP server does not allow anonymous bind, then you need the support for authenticated bind which will be in 3.8. You can get it in the svn.

Second, the LDAP version number must be correct, either 2 or 3 at the moment. I don't know what is correct for Active Directory, but its documentation should specify it.

Skip the search filters, at least to begin with.

The login attribute refers to the attribute in your LDAP login which should be used as the users' login.

eZ publish needs to store the ldap users as local eZ publish users, in order to use them. More about this in the next 4 paragraphs:

The LDAPUserGroupType and LDAPUserGroup are related. If the LDAPUserGroupType is id, then the LDAPUserGroup refers to content object ids of eZ publish user groups. If it is name, the LDAPUserGroup refers to names of eZ publish user groups.

If the LDAPUserGroup is an array, then the first one will be the default placement of ldap users. If it's not, then all ldap users are stored in the same eZ publish user group.

LDAPUserGroupAttributeType and LDAPUserGroupAttribute are used to specify which attribute of the ldap user object eZ publish should use when deciding where to place the users.

So, an example:
LDAPUserGroupType=name
LDAPUserGroup[]=Default
LDAPUserGroup[]=Secretary
LDAPUserGroup[]=Clerk
LDAPUserGroup[]=Boss
LDAPUserGroupAttributeType=name
LDAPUserGroupAttribute=employeetype
Now, when logging in, eZ publish looks at the LDAP object, and finds the attribute whose name is employeetype, and reads its value. Then, eZ publish searches for an eZ publish user group whose name equals the given value. If it is found, then the user is stored there. If not, it is stored in Default. That should cover the user group settings.

The first name, last name and email settings are used when storing the eZ publish copy of the user.

Now, to the SAM account name. You can either:
- Set LDAPLoginAttribute=samaccountname, and tell people to log in with just the username, instead of username@domainname, or:

- Find (or create) an LDAP attribute that contains the entire username@domainname, and set LDAPLoginAttribute to that, or, if that is not possible:

- Last solution: If you cannot get the entire username@domainname as one single LDAP attribute, then you need to add support for using several attributes. You could set LDAPLoginAttribute=samaccountname@domain (given that the attribute "domain" contains the user's domain), and then add the necessary code in kernel/classes/datatypes/ezuser/ezldapuser.php. The relevant part is around line 242 (in 3.8 svn): $LDAPFilter .= "($LDAPLogin=$login)";
Here you need to split $LDAPLogin and $login by "@", and change the filter a bit. Something like this, I think:
$LDAPFilter .= "($LDAPLoginPart1=$loginPart1)";
$LDAPFilter .= "($LDAPLoginPart2=$loginPart2)";

This is very experimental and hypothetical, of course. I hope you don't need to resort to this. If you do, we should add this feature to the distribution.

I hope this helps!
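As an added example (not code from the post above and not eZ publish's own ezldapuser.php), this is one way the split filter sketched in the last option could be built in PHP; the helper names, the attribute names and the sample logins are assumptions. It also escapes the user-typed value as an LDAP filter requires, so that a login containing "(" or ")" cannot change the structure of the search filter.

```php
<?php
// Added example, not eZ publish code: build the LDAP search filter for an
// "attr1@attr2" style LDAPLoginAttribute (e.g. "samaccountname@domain").
// Attribute names come from the config and are trusted; the login value is
// user input and must be escaped (RFC 4515) before it goes into the filter.

function ldapFilterEscape($value)
{
    if (function_exists('ldap_escape')) {          // PHP >= 5.6
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Fallback for older PHP: escape the five characters special in filters.
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// $loginAttribute: the LDAPLoginAttribute setting, e.g. "samaccountname@domain".
// $login: what the user typed, e.g. "jdoe@example.local" (constructed sample).
// Returns the filter fragment to append to $LDAPFilter, or false when the
// login does not have the shape the setting expects.
function buildLoginFilter($loginAttribute, $login)
{
    $attrParts  = explode('@', $loginAttribute, 2);
    $loginParts = explode('@', $login, 2);

    // Plain setting (no "@"): same as the original single-attribute filter.
    if (count($attrParts) === 1) {
        return '(' . $attrParts[0] . '=' . ldapFilterEscape($login) . ')';
    }
    // Two-part setting but no "user@domain" typed: refuse rather than guess.
    if (count($loginParts) !== 2 || $loginParts[0] === '' || $loginParts[1] === '') {
        return false;
    }
    return '(' . $attrParts[0] . '=' . ldapFilterEscape($loginParts[0]) . ')'
         . '(' . $attrParts[1] . '=' . ldapFilterEscape($loginParts[1]) . ')';
}

// Both parts are ANDed, as the two appended terms in the post imply.
echo '(&' . buildLoginFilter('samaccountname@domain', 'jdoe@example.local') . ")\n";
// (&(samaccountname=jdoe)(domain=example.local))

// Special characters in the typed login are escaped, not interpreted.
echo '(&' . buildLoginFilter('samaccountname@domain', 'jdoe)(cn=*@example.local') . ")\n";
// (&(samaccountname=jdoe\29\28cn=\2a)(domain=example.local))

// A login without a domain part is rejected outright.
var_dump(buildLoginFilter('samaccountname@domain', 'jdoe'));   // bool(false)
```

Whether the "domain" attribute exists on your AD user objects, as the post notes, is something you would have to verify against your own directory schema.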