aC forum: LDAP database loging code snippet

Post #18 by RobDaPraia

RobDaPraia — Sun, 30 Dec 2007 19:11:47 UTC

Thanks for the explanation, was looking for this to SSO into ActiveCollab.

I just did the following on my Apache web server where authentication is done by the Apache web server and the user name is stored as a server variable "PHP_AUTH_USER". Since this PHP_AUTH_USER is a user name and not an id, I had to add an extra field to the acx_users table: acx_users.username varchar 10, not null and to hack the file Users.class.php to create a function to search for the user by username.

Users.class.php:

/* Hacked by Rob */
/* Extra function for SSO after authentication by Apache
this requires extra field in table acx_users.username varchar 10, not null

/**
* Return user by username
*
* @param string $username
* @return User
*/
function findByUserName($username) {
return Users::find(array(
'conditions' => 'username = ' . db_escape($username),
'one' => true,
));
} // findByUserName

/* End of Hacked by Rob */

For authentication I made the following class, based on the article in the knowledge base:

class ApacheAuthenticationProvider extends AuthenticationProvider {

function initialize() {

$user = Users::findByUserName($_SERVER['PHP_AUTH_USER']);

if(instance_of($user, 'User')) {
return $this->logUserIn($user);
} else {
return new Error('User not recognized');
} // if
} // initialize

}

?>

Post #17 by colin.hostert

colin.hostert — Thu, 20 Dec 2007 06:22:32 UTC

Has anyone had any success getting this to work against an openLDAP directory ?

Post #16 by phodgdon

phodgdon — Wed, 05 Dec 2007 02:39:31 UTC

Nevermind, I see your zip file. Thanks.

Post #15 by phodgdon

phodgdon — Wed, 05 Dec 2007 02:38:23 UTC

Casper - I was able to use the adLDAP library and get it so i can authenticate off Active Directory using the example, how did you then incorporate that into the authentication for activeCollab? Did you use the method that Ilija mentioned in his documentation?

Post #14 by Valdemar

Valdemar — Wed, 28 Nov 2007 16:26:49 UTC

I got the error message: "Failed to create an account. Reason: Failed to validate model properties" with my $user_data array for some odd reason - I couldn't figure out why. However, by doing it exactly as you did, it works!

It now automatically creates new users, assigns them to a company and gives them a role. Excellent.

Get it here: http://fatty.dk/acadauthprovider.zip

Thanks.

Post #13 by Ilija Studen

Ilija Studen — Wed, 28 Nov 2007 14:45:36 UTC

We added that article just recently.

As a side note: save() method returns true if everything went fine or an Error instance in case of error with all the details - error message, parameters, where it was thrown etc.

Post #12 by Valdemar

Valdemar — Wed, 28 Nov 2007 14:37:46 UTC

I completely missed that part :) Guess I need glasses. Looks the same as what I've already tried, after looking in UserProfileController.class.php. I created the User object fine, but then tried doing a ->save(), but nothing was written to the db, not even an error. I'll look into it when I get the time.

Post #11 by Ilija Studen

Ilija Studen — Wed, 28 Nov 2007 14:32:10 UTC

Hi Casper,

Have you checked out Overriding / Extending activeCollab Authentication knowledge base entry? In code examples you have a peace that create a new user in activeCollab database. It works - tested.

Post #10 by phodgdon

phodgdon — Wed, 28 Nov 2007 13:27:35 UTC

Great thanks! We do have a lot of users with aliases and we also have 2 email systems so it makes it a challenge, but this should work.

Post #9 by Valdemar

Valdemar — Wed, 28 Nov 2007 11:13:42 UTC

Okay, polished it a bit. This is for Active Directory using the great adLDAP library by Scott Barnett. Please be sure that your Apache has mod_ldap working and installed. You can use the example.php in the adLDAP distribution to test the connection to your AD.

http://fatty.dk/acadauthprovider.zip

^ That would be the authentication provider. Be sure to read the README and INSTALL - it's pretty basic stuff really. You still log on with your e-mail address - but remember, the e-mail username (username@bla.com) HAS to be the same as the AD username (username@bla.local). Beware of this, since it's not always the same. For instance, if your user uses an e-mail alias or different e-mail, than for logon.

*** Automatic user creation is not working (when as user is not created in aC, but authenticates in AD). I seem to be able to create the object fine, but it won't save it to the database using $this->new_user->save(). Any ideas or help would be appreciated. But for now, it does what it's supposed to, log people on. *** UPDATE: It's working now, just grab the zip again.

Beware that it falls back to the standard basic authentication, so passwords set in aC still work! (this may change when I can update the password using the API).

Enjoy.