Kon Wilms Pro Nov 18. 2009. 7:18 pm
I'm posting this for the benefit of anyone else running into problems with hooking into AD/LDAP. We have this setup running on Win2k3 and now Win2k8 AD servers with LDAP providers. Configuring that part of the equation is up to you.

Additions to activecollab/config/config.php:

    define('AUTH_PROVIDER', 'ActiveDirectoryAuthenticationProvider');
    define('AUTH_AD_ACCOUNT_SUFFIX', '@ldap.server.com');
    define('AUTH_AD_EMAIL_SUFFIX', '@ldap.server.com');
    define('AUTH_AD_BIND_USERNAME', 'authdummy');
    define('AUTH_AD_BIND_PASSWORD', 'dummypassword');
    define('AUTH_AD_BASE_DN', 'CN=Developers,ou=Apache,dc=server,dc=com?sAMAccountName');
    define('AUTH_AD_DOMAIN_CONTROLLER', 'ldap://ldap.server.com');
    define('AUTH_AD_REAL_PRIMARYGROUP', true);
    define('AUTH_AD_USE_SSL', false);
    define('AUTH_AD_RECURSIVE_GROUPS', true);
    define('AUTH_AD_USERADD_AUTO', true);
    define('AUTH_AD_USERADD_ROLE_ID', 0);
    define('AUTH_AD_USERADD_COMPANY_ID', 0);

Note the use of a dummy account which is required to iterate LDAP. We are using a Developers CN in Apache OU (YMMV).

Changes to activecollab/activecollab/angie/classes/auth/providers/LDAPAuthenticationProvider.class.php:

    function authenticate($credentials) {
      // Read the fields submitted by the login form
      $email    = array_var($credentials, 'email');
      $password = array_var($credentials, 'password');
      $remember = (boolean) array_var($credentials, 'remember', false);
      $user = Users::findByEmail($email);
      // Users have to exist in activeCollab before they can log in
      if (!$user) {
        return new Error('User is not registered');
      }
      $ldapserver = 'ldap://ldap.server.com/ou=Apache,dc=server,dc=com?sAMAccountName'; //   ldap://ldap.server.com
      $conn_string = 'CN=Developers,ou=Apache,dc=server,dc=com'; //   cn=users, dc=xxx, dc=xxx
      $ldapconn = ldap_connect($ldapserver);
      // The protocol version has to be set before the first operation on the connection
      ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
      // Escape the address so that it cannot alter the search filter
      $filter = 'mail=' . ldap_escape((string) $email, '', LDAP_ESCAPE_FILTER);
      $userInfo = ldap_search($ldapconn, $conn_string, $filter);  // first check to see if they are active in LDAP
      $count = ldap_count_entries($ldapconn, $userInfo);
      if ($count) {
        $info = ldap_get_entries($ldapconn, $userInfo);
        $shortname = (isset($info[0]["uid"][0])) ? $info[0]["uid"][0] : '';
        // A simple bind with an empty password can succeed as an unauthenticated bind, so reject it
        $ldapbind = ((string) $password !== '') && ldap_bind($ldapconn, "uid=$shortname, $conn_string", $password);
        if (!$ldapbind) {
          return new Error('Invalid LDAP password');
        }
      } else if (!$user->isCurrentPassword($password)) {
        return new Error('Invalid password');
      }
      return $this->logUserIn($user, array(
        'remember' => $remember,
        'new_visit' => true,
      ));
    } // authenticate


Using:

Your administrator account logs in with administrator@fqdn and the password assigned in the AC db. To add LDAP users you must manually add them - user@fqdn, with a dummy password. When they log in, they must log in as user/password (the @fqdn is then used to determine their AD location and authenticate them) where the password is their LDAP/AD password.

Hope that helps anyone else out having problems.
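
Added example, not part of the original post and not activeCollab code: the lookup-then-bind flow from the post written so that the search runs under the lookup account, the connection is encrypted before any password is sent, and the user is re-bound with the DN the directory returned. It assumes the PHP ldap extension with PHP 7.1 or later and a server that supports StartTLS; `ldapVerifyUser()` is a hypothetical helper name, and the host, search base and lookup account are the placeholder values from the post.

```php
<?php
// Added example (hypothetical helper); host, base DN and lookup account are
// the placeholder values used in the thread, not real ones.

/**
 * Returns the DN of the directory entry that authenticated, or null on failure.
 */
function ldapVerifyUser(string $email, string $password): ?string
{
    // A simple bind with an empty password can be accepted by the server as an
    // unauthenticated bind and still report success, so refuse it up front.
    if ($email === '' || $password === '') {
        return null;
    }

    $conn = ldap_connect('ldap://ldap.server.com');
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Encrypt the session before any credential crosses the wire.
    if (!@ldap_start_tls($conn)) {
        return null;
    }

    // Bind as the lookup account so the search does not depend on anonymous access.
    if (!@ldap_bind($conn, 'authdummy@ldap.server.com', 'dummypassword')) {
        return null;
    }

    // Escape the user-supplied address so it stays a literal inside the filter.
    $filter = '(mail=' . ldap_escape($email, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, 'CN=Developers,ou=Apache,dc=server,dc=com', $filter, ['mail']);
    if ($result === false) {
        return null;
    }

    // Require exactly one match; anything else makes the identity ambiguous.
    $entries = ldap_get_entries($conn, $result);
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }

    // Re-bind with the DN the directory returned and the user's own password.
    $dn = $entries[0]['dn'];
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok ? $dn : null;
}
```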

michielvoo Mar 8. 2010. 1:42 pm
I would like to try this, but there is no LDAPAuthenticationProvider.class.php in our installation. Is that part of a separate module, or was it removed? We use 2.3 with a corporate license.

Ilija Studen Staff Mar 8. 2010. 2:28 pm
LDAPAuthenticationProvider was never part of activeCollab, so it was never part of the distribution package.

I don't know which exact authentication provider is referred to in this topic; you might want to search the forum for LDAPAuthenticationProvider.

michielvoo Mar 9. 2010. 8:44 am
Ok, I understand. I have found several threads, thanks.