[horde] Solved: Restrict Horde login by LDAP group
Derek Dresser
ddresser at rnome.com
Fri Jan 27 07:30:08 PST 2006
In the hopes of saving others time, and supplementing my memory, here's how I
got Horde to restrict login access by LDAP (openLDAP) group.
-Derek
Horde Authentication by LDAP group
After quite a lot of playing with LDAP ACL's, I discovered the way to
authenticate users normally using IMP and LDAP, and then restrict them by
membership in a particular LDAP group. This allows us to run multiple different
Horde installations on the same box and restrict who can log into each by
creating an appropriate group. It also allows us to use IMP for authentication
resulting in a single login for the users.
postauthenticate hook
There are multiple custom hooks available in Horde. Two of these are the
preauthenticate and postauthenticate hooks. The basic idea is to allow IMP to
authenticate with IMAP and the use the postauthenticate hook to enforce the
further requirement of specific LDAP group membership.
postauthenticate hook for openldap groups
I took the example provided for Active Directory groups and modified it to use
openLDAP groups. The major difference is that in Active Directory, it appears
that the group membership information is stored in the user account using the
"memberof" attribute. In openLDAP, the group membership information is
(typically, in my experience) stored in the group object using the "member"
attribute, so instead of searching the user dn for a list of groups, we end up
searching the group object for a list of members.
Here is the modified hook.
// Here is an example of validating the user's right to login to Horde by
// consulting group membership in an LDAP directory. That way, if your Horde
// installation is configured to authenticate against IMP which in turn
// authenticate via IMAP, it is still possible to limit access to Horde by
// group membership. The following example had been made with an openLDAP
// Directory in mind. Note that if the LDAP directory is unavailable or some
// other error occur, authentication will fail.
if (!function_exists('_horde_hook_postauthenticate')) {
function _horde_hook_postauthenticate($userID, $credential, $realm)
{
$ldapServer = 'localhost';
$ldapPort = '389';
// Note that credential is sent plain-text in this case, so don't use
// privileged account here or setup SSL (by using port 636 above).
// uncomment if not using an anonymous bind
//$binddn = 'uid=bindn,ou=people,dc=example,dc=com';
//$bindpw = 'password';
// search base for LDAP groups
$searchBase = 'ou=group,dc=example,dc=com';
$groupAttr = 'cn';
// Group membership attribute, need to be all lowercase
$groupMembershipAttr = 'member';
// Attribute to check for right to use Horde
$groupName = 'horde_authorized_group_name';
$ret = false;
$ds = @ldap_connect($ldapServer, $ldapPort);
// used to set the LDAP protocol to version 3 (recommended)
// not necessary if your LDAP server supports version 2
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
if (@ldap_bind($ds, $binddn, $bindpw)) {
$searchResult = @ldap_search($ds, $searchBase, $groupAttr . '=' .
$groupName, array($groupMembershipAttr), 0, 1, 5);
if ($information = @ldap_get_entries($ds, $searchResult)) {
// make pattern case-insensitive
$pattern = '/' . $userID . '/i';
foreach ($information[0][$groupMembershipAttr] as $group) {
if (preg_match($pattern, $group)) {
$ret = true;
break;
}
}
}
}
ldap_close($ds);
return $ret;
}
}
enabling the postauthenticate hook
In the Horde administrative interface, select the "custom function hooks" tab
and check the box for
function _horde_hook_postauthenticate()
-- DerekDresser - 27 Jan 2006
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-keys
Size: 1324 bytes
Desc: PGP Public Key
Url : http://lists.horde.org/archives/horde/attachments/20060127/425c3b11/attachment.bin
More information about the horde
mailing list