[sork] UPDATED Patch - Framework Auth & Passwd LDAP Driver

LRM lrm at ionline.com.br
Tue May 4 09:19:27 PDT 2004



This is the final patch for perfect integration of passwd with Active
Directory, after Jan reviewed some aspects of the code and fixed some
encoding conversion functions on the framework earlier today.


Jan, the String::convertCharset now works perfectly, and its being used as
you suggested. The 'x' is gone the conversion is clean for AD use.


I've spend quite some time double checking that I just added functionality
to the code, I didn't took anything off, and I can't see anywhere the code
would break something that would be working before. I've tested the patch on
both AD and OpenLDAP installations here and everything was fine. But anyway,
feel free to evaluate it and suggest changes, if any still pending.


Whats new:


-          New parameter 'sslhost' added to backend configuration. Provides
the exact FQDN to be used on LDAPS access to the AD server.

-          New 'encryption' type added to the framework: 'msad' - Tells
passwd you are going to change the password on MS AD, so it properly encodes
the new plaintext password.

-          The code now makes the best effort to connect to LDAP using
current credentials on all parts. But if anything goes wrong with that it
still tries a guest connection.

-          If 'tls' backend parmeter is set, it will bypass the LDAPS
connection, preserving previous functionality. AD DOES NOT WORK with TLS, so
this parameter should never be set when using passwd with AD.


Sample backends.php for an Active Directory Server:


$backends['ldap'] = array(

    'name' => 'somedomain.net',

    'preferred' => 'somedomain.net',

    'password policy' => array(

        'minLength' => 8,

        'maxLength' => 14


    'driver' => 'ldap',

    'params' => array(

        'host' => 'localhost',

        'sslhost' => 'someserver.somedomain.net',

        'port' => 389,

        'basedn' => 'OU=Departments,DC=somedomain,DC=net',

        'uid' => 'sAMAccountName',

        'realm' => 'somedomain.net',

        'attribute' => 'unicodePwd',

        'encryption' => 'msad'




Tricky thing here: I'm using 'sAMAccountName' as the 'uid' identifier. This
is because the REAL logon username on AD is stored on this parameter, and
NOT the CN. You can rename the CN of a User and still the logon name would
keep the same, which would break things up.


Second tricky thing: Of course you must enable php_ldap.dll and all the
proper PHP extensions needed. But for LDAPS connections to work properly,
you must create a folder C:\OpenLDAP\sysconf\ (YES, IT MUST BE ON DRIVE C:
BECAUSE THIS IS HARDCODED INSIDE THE DLL). Inside this folder, create a file
named ldap.conf and insert the following line at the top: TLS_REQCERT never


This must be done or else the LDAPS connection will NOT work.


This patch is being sent to both horde and sork lists, since it affects


Any questions, suggestions, please let me know.


Jan, THANKS A LOT. ;-)





-------------- next part --------------
A non-text attachment was scrubbed...
Name: passwd.lib.driver.ldap.php.patch
Type: application/octet-stream
Size: 4827 bytes
Desc: not available
Url : http://lists.horde.org/archives/sork/attachments/20040504/232a21b7/passwd.lib.driver.ldap.php-0001.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: framework.auth.php.patch
Type: application/octet-stream
Size: 720 bytes
Desc: not available
Url : http://lists.horde.org/archives/sork/attachments/20040504/232a21b7/framework.auth.php-0001.obj

More information about the sork mailing list