forum.coppermine-gallery.net

Support => cpg1.5 bridging => cpg1.5.x Support => cpg1.5 bridge contributions => Topic started by: Cyrolancer on February 23, 2012, 10:28:53 am

Title: LDAP Bridge
Post by: Cyrolancer on February 23, 2012, 10:28:53 am
Coppermine LDAP Bridge v2.0

As the name implies, this is the LDAP bridge. You can find the bridge and the configuration file attached to this post.



What is the LDAP Bridge?
LDAP bridge is a standard Coppermine Bridge. This bridge allows authorization of users through an LDAP server. Tested on CPG v1.5.20.

How can I use it?

Do I need to LDAP users to the CPG database before they log in?
In the previous version of the bridge you needed to, but in v2.0 the bridge automatically manages user operations. The bridge checks the username and password against the LDAP server and, after successful authorization, checks whether the user exists in the users table. If the user is not there, the bridge creates the user entry but does not save the password. The user entry in the users table is needed for CPG's session checks.

If user_id = 1, the bridge will use local DB for authorization. If user_id > 1, the bridge always uses LDAP server.

What about groups?
Groups are still work-in-progress.

What about Active Directory?
I am planning to integrate AD authorization in the LDAP bridge, or I may build a new bridge. Just give me a couple of weeks :)



I am open to all suggestions and requests regarding this bridge. Also, comments are welcome :)
Title: Re: LDAP Bridge
Post by: Cyrolancer on February 23, 2012, 03:08:05 pm
Hello again,

I am sorry, I couldn't edit my first message. There were errors in the code and I have corrected some of them. Also, I have updated the bridge and now it checks for user_id = 1 (which is the administrator account) and, if so, allows admin access. Other users should be added manually. If possible, I am going to write a plugin to allow adding LDAP users to the database. Of course, it is possible to set up a cron job and add all LDAP users to the "users" table, but that's not planned right now.

The new code is attached to this message. There are several changes in the login method and I have added user_id check to the query that updates the last visit time.

I would be glad if you comment (positively or negatively) on the code.

Edit: The final code is attached at the last post.

Title: Re: LDAP Bridge
Post by: Cyrolancer on February 24, 2012, 10:24:35 am
Hello again,

I have updated some sections of this bridge. From now on, it works completely with a standard OpenLDAP server. You can change the $LDAPCONF array for your server, DN and LDAP protocol. If authentication fails, it returns to the "Login Failed" screen.

There are not many comments in the code, but it works. I am going to update it to have more comments (and more customization options) later on.

Also, I have faced a problem. It is not possible to configure it through the Bridge Manager. I think it only parses pre-defined variables (such as forum URL, location of the bridge app etc.) but not the custom ones I have added (directory server, DN, protocol).

Hope you enjoy the code :)

Edit: I have updated the code. Please consider this new file.
Title: Re: LDAP Bridge
Post by: salah1hadinata on June 05, 2012, 11:29:21 am
I still can't understand how to set up this LDAP mode. I have followed your steps, but I can't even search my account on Active Directory / LDAP..

Can you make a tutorial on setting up this LDAP?

Need help please :(
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 05, 2012, 07:53:14 pm
Let's start from the beginning.

1. Download the file and rename it to ldap.inc.php
2. Go to line 51 of ldap.inc.php
3. Change the 3 lines below.
Code:
$LDAPCONF['auth_server'] = 'testdir.example.com';
$LDAPCONF['dn'] = 'ou=testou, dc=testdir, dc=example, dc=com';
$LDAPCONF['protocol'] = 3;

$LDAPCONF['auth_server'] is the variable where you put your LDAP server. You can write "127.0.0.1" or "localhost" or the domain name you have set up in your LDAP server configuration file.

$LDAPCONF['dn'] is the location where the users are placed in the LDAP server. You can manage these by using the ldaptools package in Linux or the LDAPAdmin or JXplorer software in Windows.

$LDAPCONF['protocol'] is the protocol number. It can be 2 or 3. You set these before you start the LDAP server.

4. Put the file into the bridges/ directory in your CPG installation.
5. Log in to your CPG as admin.
6. Go to the bridge manager.
7. Enable LDAP Bridge.
8. There are no configuration settings present in this LDAP bridge, so you need to press Next until you see the success message.

After setting the LDAPCONF variables, you need to consider the LDAP server side. If you are able to configure your LDAP server correctly, you will be able to use this LDAP bridge. Don't forget, you can always log in with the admin account that you created during CPG installation, regardless of whether your LDAP server is running or not.

Note: I have tried this bridge on a standard installation of Debian 6.0.5 minimal with the slapd package from the default repositories.
Title: Re: LDAP Bridge
Post by: deserteagle on June 08, 2012, 07:44:26 am
This can't work for Active Directory.

My environment:
wamp2.1, coppermine 1,6.16

I have made mantisbt 1.2.8 authenticate users against Windows Active Directory successfully. Some guys said that in Windows a username and password is required; an anonymous bind can't work to retrieve the info.

In mantis, the config is like this:
config_inc.php
Code:
$g_login_method = LDAP;
$g_ldap_server = 'dc01.mydomain.net';
$g_ldap_port = 389; # Default is 389
$g_ldap_root_dn = "OU=Users,OU=Region,OU=AP,DC=dc01,DC=mydomain,DC=net";
$g_ldap_bind_dn = 'dc01\john';
$g_ldap_bind_passwd = 'welcome';
$g_use_ldap_email = ON;
$g_use_ldap_realname = ON;
$g_ldap_protocol_version = 3;
$g_ldap_uid_field= 'sAMAccountName'; # Use ‘sAMAccountName’ for Active Directory - this is the name of the attribute used to search a user
$g_ldap_realname_field  = 'cn';
$g_ldap_follow_referrals = OFF;

I think the two below are needed for Windows Active Directory:

ldap_bind_dn = '';
ldap_bind_passwd = '';

but I don't know how to code it. If you can update it, that will be great.

Title: Re: LDAP Bridge
Post by: deserteagle on June 08, 2012, 07:49:15 am
My Coppermine version is 1.5.16
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 08, 2012, 03:19:28 pm
Yes, the bridge uses an anonymous bind to search for the DN. Probably this bridge won't work when the LDAP server does not accept anonymous binds.

For me, it is impossible to use a Windows Server, as I don't have a licensed copy of it. I can only try it on an LDAP server running under Linux. I think it is possible to disable anonymous bind in an OpenLDAP server. I will try to find a solution for it.
Title: Re: LDAP Bridge
Post by: deserteagle on June 11, 2012, 09:25:01 am
After I disable the bridge, the original users and groups which I created are gone. The user list is empty.

(http://i.imgur.com/qpbOn.png)
Title: Re: LDAP Bridge
Post by: deserteagle on June 11, 2012, 09:29:33 am
It's better to be able to do the search with a username and password.
(http://i.imgur.com/qpbOn.png)
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 11, 2012, 11:32:24 pm
After I disable the bridge, the original users and groups which I created are gone. The user list is empty.

(http://i.imgur.com/qpbOn.png)

If you use the bridge, you cannot use the user manager inside CPG. But the group manager works. These are features of CPG; it is not possible to change this behavior.

If possible, can you please check the users table in your database? You know, you need to add your LDAP users manually (at least for now) to use the bridge.

Title: Re: LDAP Bridge
Post by: deserteagle on June 12, 2012, 03:22:19 am
Of course, I already created the user in the database. I tried renaming an old username and creating a new one; neither works. After pressing the OK button to log in, it goes to a blank page with the address below:

http://cmy56/gallery/login.php?referer=index.php%3Fmessage_id%3D2911210115b2e4da60c06343b454954a%26message_icon%3Dinfo
Title: Re: LDAP Bridge
Post by: deserteagle on June 12, 2012, 04:06:03 am
I suggest you try adLDAP 4.03. Another system named phpScheduleIt uses adLDAP to authenticate users against Active Directory; it works well and simply, authenticating the user from AD and pulling the user profile like email, department and organization back. All I needed to do was change the settings in Ldap.config.php

http://adldap.sourceforge.net/
Title: Re: LDAP Bridge
Post by: deserteagle on June 12, 2012, 04:11:20 am
I can't find how to edit an earlier post, so I have to post a new one.

Maybe I'm wrong about the anonymous issue. After I checked the settings in phpScheduleIt's adldap, the username and password values are empty but it works!

$conf['settings']['Username'] = '';
$conf['settings']['Password'] = '';

Hope this can help you save some time.
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 12, 2012, 08:40:05 am
I know about adLDAP. The problem is, I don't have a licensed copy of Windows Server, so I cannot try adLDAP. It will take some time to find a trial version or similar and work on it.

For now, I am trying to improve the LDAP bridge. As you can see, for now the LDAP bridge works manually. You need to enter all user data by yourself. This is not feasible and needs to be automated. Probably that will be the solution to your empty user table problem. Also, I need to check for non-anonymous bind.

For the LDAP part, I will finish in 1 or 2 weeks. For the AD part, I will try working on it as soon as possible. I cannot give an exact time, because first of all I need to find a Windows Server, but probably the AD part will be finished in 2 to 3 weeks.

3 weeks... that is a long time, I know it, but I have a job to do and CPG is just for hobby :)
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 12, 2012, 10:42:22 am
I think I have found a solution for AD.

Can you please do the change below?

Delete:
Code:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPCONF['protocol']);

Add:
Code:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPCONF['protocol']);
ldap_set_option($conn LDAP_OPT_REFERRALS, 0);
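As an added example (not the bridge code attached to this thread), here is the login flow the first post describes, written around the $LDAPCONF keys from the setup steps above: an anonymous (or, optionally, service-account) search under the configured DN for the user's entry, a second bind as that entry's DN with the supplied password, and a local users row created without a password when the LDAP check succeeds. The `uid_attr`, `bind_dn`, `bind_password`, `referrals` and `starttls` keys, the `users` table columns, and the function names are assumptions made for this example; they are not part of the bridge. The referral and bind-account options generalize the AD discussion in this thread rather than restate the bridge's own code.

```php
<?php
// Added example, not the bridge's own code. Keys beyond auth_server, dn and
// protocol are assumptions for this example.
$LDAPCONF = [
    'auth_server'   => 'testdir.example.com',                    // from the setup post
    'dn'            => 'ou=testou,dc=testdir,dc=example,dc=com', // from the setup post
    'protocol'      => 3,
    'uid_attr'      => 'uid',   // assumed; 'sAMAccountName' is the usual AD attribute
    'bind_dn'       => '',      // assumed; empty means an anonymous search bind
    'bind_password' => '',
    'referrals'     => 0,       // assumed; 0 avoids chasing AD referrals
    'starttls'      => false,   // assumed; set true so passwords are not sent in clear
];

/**
 * Look up the user's DN, then bind as that DN with the supplied password.
 * Returns the DN on success and null on any failure. The empty-password
 * check matters: ldap_bind() with an empty password performs an anonymous
 * bind, which succeeds regardless of the user and would log anyone in.
 */
function ldap_authenticate(array $conf, string $username, string $password): ?string
{
    if ($username === '' || $password === '') {
        return null;
    }
    $ds = @ldap_connect($conf['auth_server']);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $conf['protocol']);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, $conf['referrals']);
    if ($conf['starttls'] && !@ldap_start_tls($ds)) {
        ldap_unbind($ds);
        return null;
    }

    // Step 1: bind for the search. Anonymous for the OpenLDAP case in this
    // thread; a service account for servers that refuse anonymous searches.
    $searchBind = $conf['bind_dn'] === ''
        ? @ldap_bind($ds)
        : @ldap_bind($ds, $conf['bind_dn'], $conf['bind_password']);
    if (!$searchBind) {
        ldap_unbind($ds);
        return null;
    }

    // Step 2: find exactly one entry whose uid attribute equals the username.
    // ldap_escape() keeps user input from altering the filter.
    $filter  = sprintf('(%s=%s)', $conf['uid_attr'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr      = @ldap_search($ds, $conf['dn'], $filter, ['dn']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // Step 3: prove the password by binding as the user's own DN.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_unbind($ds);
    return $ok ? $userDn : null;
}

/**
 * The "create the user row if missing, never store the password" step from
 * the first post. Table and column names (users, user_id, user_name,
 * user_password) are assumptions for this example, not CPG's real schema.
 * A row with an empty password column must never be accepted by any local
 * password check; LDAP is the only verifier for these users.
 */
function ensure_local_user(PDO $db, string $username): int
{
    $sel = $db->prepare('SELECT user_id FROM users WHERE user_name = ?');
    $sel->execute([$username]);
    $id = $sel->fetchColumn();
    if ($id !== false) {
        return (int) $id;
    }
    $ins = $db->prepare('INSERT INTO users (user_name, user_password) VALUES (?, ?)');
    $ins->execute([$username, '']);
    return (int) $db->lastInsertId();
}

/**
 * Bridge login: user_id 1 (the CPG admin) is authorized by CPG's own local
 * check, as the first post says; everyone else must pass the LDAP bind.
 * Returns the local user_id on success, null on failure.
 */
function bridge_login(array $conf, PDO $db, string $username, string $password): ?int
{
    $sel = $db->prepare('SELECT user_id FROM users WHERE user_name = ?');
    $sel->execute([$username]);
    $id = $sel->fetchColumn();
    if ($id !== false && (int) $id === 1) {
        return null; // admin path: hand back to CPG's local password check
    }
    if (ldap_authenticate($conf, $username, $password) === null) {
        return null;
    }
    return ensure_local_user($db, $username);
}
```

The two binds are the whole point of the design: the first bind only finds the DN, the second bind is what actually verifies the password, so an LDAP server that allows anonymous searches still never accepts a wrong password. If the server does not allow anonymous searches, filling in `bind_dn` and `bind_password` with a read-only service account is the usual fix; that account's password then sits in the bridge configuration and needs the same protection as the database credentials.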
Title: Re: LDAP Bridge
Post by: deserteagle on June 13, 2012, 10:58:01 am
No luck.

I think your suggestion is to add a new line:
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

(I changed $conn to $ds, but neither works.)

BTW, I remember somebody said to use "sAMAccountName" for AD:

$g_ldap_uid_field= 'sAMAccountName'; # Use ‘sAMAccountName’ for Active Directory - this is the name of the attribute used to search a user
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 13, 2012, 02:47:59 pm
Probably, I will implement adLDAP. It seems to be easier than putting together and trying all the PHP LDAP functions.
Title: Re: LDAP Bridge
Post by: Cyrolancer on June 14, 2012, 08:17:25 pm
I have updated the code and added some features. The updated code and the details are in the first post. Enjoy :)
Title: Re: LDAP Bridge
Post by: deserteagle on July 16, 2012, 11:50:26 am
Sorry for replying so late, I have been sick for one month.

I tried the LDAP Bridge v2.0; it still shows the white page and can't log in against AD.
Title: Re: LDAP Bridge
Post by: Cyrolancer on July 17, 2012, 08:56:36 pm
Sorry for replying so late, I have been sick for one month.

I tried the LDAP Bridge v2.0; it still shows the white page and can't log in against AD.

I hope you are better now.

Probably, Bridge 2.0 won't work with AD. I didn't add any AD-compatible code to this bridge. This doesn't mean that I won't add it :)

Coppermine is not the only web software I am working with. Due to some urgent problems with our other software at work, I was coding upgrade and migration scripts for them. So, I was too busy and I couldn't work on CPG Bridge.

I will inform you personally when I update the script. Thank you for your consideration.
Title: Re: LDAP Bridge
Post by: LnQ on September 10, 2012, 02:45:02 pm
Hi,

What is the status of this bridge? Is it working, or does it still need some adjustment?

Looking forward to this bridge.
Title: Re: LDAP Bridge
Post by: Cyrolancer on September 11, 2012, 12:26:10 am
The bridge is tested to work on the latest version of the Debian Squeeze OpenLDAP server, slapd (http://packages.debian.org/squeeze/slapd).

AD support is still in progress. I was too busy in my job and I couldn't work on the AD part of the bridge. I will release the AD bridge as soon as possible.
Title: Re: LDAP Bridge
Post by: LnQ on February 07, 2013, 03:28:57 pm
Any update on this? I've been looking around for a gallery which supports LDAP...
Title: Re: LDAP Bridge
Post by: Cyrolancer on February 20, 2013, 10:12:39 pm
Any update on this? I've been looking around for a gallery which supports LDAP...

I am sorry, I have too much work to do and I couldn't find any time to work on the LDAP bridge. I have updated it a bit, added some group and user management options, and I am still working on AD support. From now on, adding an option to the bridge is not a problem, but I don't have much time to work on this.

When I started this bridge, we were thinking that CPG is a good choice to build a multi-user gallery and sharing system at our university. CPG is still a good choice, but it doesn't fit our automatic updating system, which is built on several shell script combinations. As a result we had to replace CPG with another CMS. While we were using CPG, I built the LDAP bridge and several plugins for management, then started on the CAS integration, but after abandoning the project I needed to work on other projects rather than CPG.

I still love CPG and when I have time I will work on further development of the LDAP bridge. But if somebody is interested in developing this LDAP bridge, I will gladly send the latest code I have developed (it is not tested thoroughly and it is not ready for release).
Title: Re: LDAP Bridge
Post by: patrick.koza on July 16, 2013, 04:31:34 pm
Hi,

is there any update on this? We need the AD integration  ::) ;D :D
Title: Re: LDAP Bridge
Post by: deserteagle on August 13, 2013, 11:06:03 am
I've been waiting a long time and had to find an alternative solution. Now I use the Joomla integration plugin to integrate CPG with Joomla 1.7; Joomla integrates with LDAP easily.
Title: Re: LDAP Bridge
Post by: vimets on January 26, 2016, 12:26:19 pm
Hi there,
I'm using this bridge but I have one BIG problem.
When users log in, everything works fine: it can contact the LDAP server and verify whether the user exists and the password is correct. The problem comes when the user gets logged in correctly: in the CPG_sessions table, the user_id that is inserted is the uid from LDAP and not the id from the Coppermine users table.
When this happens, the user doesn't appear to be logged in.
If I delete the users and log in with LDAP, this works perfectly, but the problem is that these users already have albums assigned by id, so I can't delete the users.
Is anyone facing this problem? Some light would be appreciated.
Thanks in advance and sorry for my English.
Title: Re: LDAP Bridge
Post by: Αndré on February 03, 2016, 05:44:27 pm
I think the only solution will be to change the existing user_id in any table of the MySQL database.
Title: Re: LDAP Bridge
Post by: vimets on February 16, 2016, 11:22:51 am
I think the only solution will be to change the existing user_id in any table of the MySQL database.
Hi there, thanks for your reply. Finally I ended up doing it by hand. I deleted all the users that didn't have any album or picture assigned, and for those which had, I changed their user_ID to match the LDAP uid.
I did this because only a few users had albums assigned, so it wasn't a big headache.
Thanks for your answer and your time again.
Take care.
Bless.