Comments on: LdapAuth component for CakePHP http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/ If I have seen a little further it is by standing on the shoulders of Giants. - Newton Wed, 30 Jun 2010 21:07:12 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: Jay http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-1058 Jay Tue, 01 Jun 2010 14:35:03 +0000 http://www.analogrithems.com/rant/?p=40#comment-1058 I'm trying to use your ldap_auth (which is pretty slick, by the way)...but I'm having a problem in which the ldap lookup is getting sent a full array instead of the username during login, resulting in a login failure. I'm not sure how that's happening, but could use some help I’m trying to use your ldap_auth (which is pretty slick, by the way)…but I’m having a problem in which the ldap lookup is getting sent a full array instead of the username during login, resulting in a login failure. I’m not sure how that’s happening, but could use some help

]]> By: analogrithems http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-1051 analogrithems Sun, 23 May 2010 18:19:02 +0000 http://www.analogrithems.com/rant/?p=40#comment-1051 I added a new attribute that needs to be added to the database config, Here is my database.php This is to make the datasource work with different ldap servers operational attributes and know how to find the schemas that exists in different locations between them. vi config/core.php <pre> <?php class DATABASE_CONFIG { //This will be used for extensions/plugins. if you plugin needs a db, define it here. var $default = array( 'driver' => 'mysql', 'persistent' => false, 'host' => 'localhost', 'login' => 'user', 'password' => 'password', 'database' => 'database_name', 'prefix' => '', ); var $ldap = array ( 'datasource' => 'ldap', 'host' => 'localhost', 'port' => 389, 'basedn' => 'dc=analogrithems,dc=com', 'login' => '', //For Proxy Userdn 'password' => '', //For Proxy UserDN password 'database' => '', //Needed to prevent cakePHP from throwing errors about database missing 'tls' => '', //Set this to true if using tls 'type' => 'Netscape', //Type Can be either 'Netscape', 'OpenLDAP', 'ActiveDirectory' 'version' => 3 //LDAP Version 3 ); } ?> </pre> I added a new attribute that needs to be added to the database config, Here is my database.php This is to make the datasource work with different ldap servers operational attributes and know how to find the schemas that exists in different locations between them.

vi config/core.php

< ?php
 class DATABASE_CONFIG {
        //This will be used for extensions/plugins.  if you plugin needs a db, define it here.
        var $default = array(
                'driver' => 'mysql',
                'persistent' => false,
                'host' => 'localhost',
                'login' => 'user',
                'password' => 'password',
                'database' => 'database_name',
                'prefix' => '',
        );
        var $ldap = array (
                'datasource' => 'ldap',
                'host' => 'localhost',
                'port' => 389,
                'basedn' => 'dc=analogrithems,dc=com',
                'login' => '',     //For Proxy Userdn
                'password' => '',  //For Proxy UserDN password
                'database' => '',  //Needed to prevent cakePHP from throwing errors about database missing
                'tls' => '', //Set this to true if using tls
                'type' => 'Netscape', //Type Can be either 'Netscape', 'OpenLDAP', 'ActiveDirectory'
                'version' => 3 //LDAP Version 3
         );
 }
?>
]]> By: Sean Traynor http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-1047 Sean Traynor Fri, 14 May 2010 14:23:59 +0000 http://www.analogrithems.com/rant/?p=40#comment-1047 Hi Analogrithems, Firstly - thank you for this article and all of your efforts towards CakePHP's LDAP integration! I am having issues however. If I use the ldap_source listed in the article LDAP is properly queried however I have the issues above with blank output without debug and header already sent with debug on. With the latest version of ldap_source on github I recieve the message "-1: Can't contact LDAP server" - even though it works with the older version of ldap_source! Are there any changes that need to be made to the LdapAuth component to make it compatible with the latest version of the ldap_source datasource? Many thanks! Sean Hi Analogrithems,

Firstly – thank you for this article and all of your efforts towards CakePHP’s LDAP integration!

I am having issues however. If I use the ldap_source listed in the article LDAP is properly queried however I have the issues above with blank output without debug and header already sent with debug on.

With the latest version of ldap_source on github I recieve the message “-1: Can’t contact LDAP server” – even though it works with the older version of ldap_source! Are there any changes that need to be made to the LdapAuth component to make it compatible with the latest version of the ldap_source datasource?

Many thanks!
Sean

]]> By: Scott http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-1016 Scott Wed, 03 Mar 2010 22:34:14 +0000 http://www.analogrithems.com/rant/?p=40#comment-1016 You may want to consider adding the following to your component so that the Auth examples from the book still work as described. /** * Initialize method ensures Auth methods remain working as described in the book. */ function initialize(&$controller) { parent::initialize($controller); $controller->Auth =& $this; } Now every reference to $this->Auth is still valid. You may want to consider adding the following to your component so that the Auth examples from the book still work as described.

/**
* Initialize method ensures Auth methods remain working as described in the book.
*/
function initialize(&$controller) {
parent::initialize($controller);
$controller->Auth =& $this;
}

Now every reference to $this->Auth is still valid.

]]> By: Kit Peters http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-983 Kit Peters Mon, 16 Nov 2009 23:47:04 +0000 http://www.analogrithems.com/rant/?p=40#comment-983 it's worth noting that the call to __getLDAPSchema() will fail if you bind anonymously to an Active Directory 2003 server (see http://serverfault.com/questions/10208/disable-requiring-authentication-to-bind-in-active-directory). You can turn this behavior off in AD, but if you don't have access to the AD configuration, you'll have to do a bind with a username/password. it’s worth noting that the call to __getLDAPSchema() will fail if you bind anonymously to an Active Directory 2003 server (see http://serverfault.com/questions/10208/disable-requiring-authentication-to-bind-in-active-directory). You can turn this behavior off in AD, but if you don’t have access to the AD configuration, you’ll have to do a bind with a username/password.

]]> By: analogrithems http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-975 analogrithems Tue, 13 Oct 2009 00:18:41 +0000 http://www.analogrithems.com/rant/?p=40#comment-975 in the getDN function did you have to change the call to look for an attribute besides uid? I recall windows uses something different like userPrincipal. Can you post your code changes so i can make this component more universal? in the getDN function did you have to change the call to look for an attribute besides uid? I recall windows uses something different like userPrincipal. Can you post your code changes so i can make this component more universal?

]]> By: Shawn Parr http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-974 Shawn Parr Fri, 09 Oct 2009 15:06:47 +0000 http://www.analogrithems.com/rant/?p=40#comment-974 I got your auth working. A couple odd things were happening. For some reason on our AD domain, when just searching you can specify the root (dc=example, dc=edu) and it will find everything, however when using authentication it fails. This is especially weird since it is in the getDn function: $userObj$ = $this->ldap->find, which I would have imagined should work since it is seemingly identical to the code that does it when just doing lookups. To make things weirder, when that failed, it was returning nothing, which then got passed on to ldapauth, which for some reason would return 1 to the login function when the dn was empty. So I had a situation where anyone could log in with any username/password combo. To solve this I first changed the getDn function to individually search the two OU's set up in our AD where all valid users are stored (in sub OU's). I then added a statement to ldapauth to return a zero if the dn was empty. Technically the above getDn change I had already implemented in my controller and model due to the fact that our AD has a lot of extra stuff in many of the object records. As such a typical search someone would setup for ldap will return computer records and other special items (computers are tagged with objectclass=person for some odd reason), so I added a new line to the model that uses an array to hold multiple OU statements, then use a foreach loop to go through them, then a bit of logic to deal with getting the results back to something the system can deal with as it is. I want to thank you for: 1) creating these ldap tools. They work well, and are pretty well thought out 2) for creating full documentation for how to do something in cakephp. That second one is really what I appreciate most. As I start learning cakephp I tend to find plenty of articles and info on how to do things, but almost all of them require a pretty full knowledge of the logic behind cakephp. Having an article like this to reference which gives full working examples was EXTREMELY helpful. I got your auth working. A couple odd things were happening. For some reason on our AD domain, when just searching you can specify the root (dc=example, dc=edu) and it will find everything, however when using authentication it fails. This is especially weird since it is in the getDn function: $userObj$ = $this->ldap->find, which I would have imagined should work since it is seemingly identical to the code that does it when just doing lookups.

To make things weirder, when that failed, it was returning nothing, which then got passed on to ldapauth, which for some reason would return 1 to the login function when the dn was empty. So I had a situation where anyone could log in with any username/password combo.

To solve this I first changed the getDn function to individually search the two OU’s set up in our AD where all valid users are stored (in sub OU’s). I then added a statement to ldapauth to return a zero if the dn was empty.

Technically the above getDn change I had already implemented in my controller and model due to the fact that our AD has a lot of extra stuff in many of the object records. As such a typical search someone would setup for ldap will return computer records and other special items (computers are tagged with objectclass=person for some odd reason), so I added a new line to the model that uses an array to hold multiple OU statements, then use a foreach loop to go through them, then a bit of logic to deal with getting the results back to something the system can deal with as it is.

I want to thank you for:
1) creating these ldap tools. They work well, and are pretty well thought out
2) for creating full documentation for how to do something in cakephp.

That second one is really what I appreciate most. As I start learning cakephp I tend to find plenty of articles and info on how to do things, but almost all of them require a pretty full knowledge of the logic behind cakephp. Having an article like this to reference which gives full working examples was EXTREMELY helpful.

]]> By: Shawn Parr http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-972 Shawn Parr Tue, 06 Oct 2009 20:59:10 +0000 http://www.analogrithems.com/rant/?p=40#comment-972 I got your ldap_source working, and can do lookups against our Active Directory setup. However I just can't get this component to work at all. I'd like to give more info, but I'm getting the infamous 'Cannot modify header information - headers already sent by' error. I've done my research, and typically that is caused by white space after the ?> tag, but I've searched all my files and do not have any with the extra whitespace outside of my view template files. That being said, the one page that does load is my login page /users/login. When it is submitted I get the following on my mostly blank page: 1 search | scope: sub | cond: samaccountname=user | targetDn: dc=example,dc=com | order: 1: Operations error I'm pretty sure that Operations error is an issue, but I'm not sure what is causing it. I have a bind user and password set in my Ldap config in the database config file, and they are obviously working since ldap lookups work fine (trust me, if the bind user can't connect the lookups wouldn't work!). Any ideas? Any pointers? I'm going nuts trying to figure this out. Feel free to email me if you want more details or have other instructions. I should note that I'm pretty new to cakephp, but have done a little bit of MVC php development. I got your ldap_source working, and can do lookups against our Active Directory setup. However I just can’t get this component to work at all.

I’d like to give more info, but I’m getting the infamous ‘Cannot modify header information – headers already sent by’ error. I’ve done my research, and typically that is caused by white space after the ?> tag, but I’ve searched all my files and do not have any with the extra whitespace outside of my view template files.

That being said, the one page that does load is my login page /users/login. When it is submitted I get the following on my mostly blank page:

1 search | scope: sub | cond: samaccountname=user | targetDn: dc=example,dc=com | order: 1: Operations error

I’m pretty sure that Operations error is an issue, but I’m not sure what is causing it. I have a bind user and password set in my Ldap config in the database config file, and they are obviously working since ldap lookups work fine (trust me, if the bind user can’t connect the lookups wouldn’t work!).

Any ideas? Any pointers? I’m going nuts trying to figure this out. Feel free to email me if you want more details or have other instructions.

I should note that I’m pretty new to cakephp, but have done a little bit of MVC php development.

]]> By: analogrithems http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-907 analogrithems Mon, 13 Jul 2009 20:24:11 +0000 http://www.analogrithems.com/rant/?p=40#comment-907 This shouldn't be an issue, make it use the ldap datasource http://www.analogrithems.com/rant/2009/06/12/cakephp-with-full-crud-a-living-example/ then add the auth componet in this article. In your config/database.php place an entry for you active directory stuff. like any normal ldap connection. Active directory is just a standard ldap v3 (mostly). Also i believe you must use a proxy user account in your 'config/database.php' file for the inital dn lookup. (When you type in your username the script needs to translate that to a dn, it uses the proxy account you initially specify in config/database.php login & password fields to do the inital lookup then binds with the returned dn and the password you passed.) The only other thing I can think of is changing the attribute on line 156 `$dn = $this->getDn('uid', $uid);` to `$dn = $this->getDn('samaccountname', $uid);` if you want to use a regular username format of change it to `$dn = $this->getDn('userprincipalname', $uid);` if you are going to use username@domain format see http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm Let me know if you have any trouble and I'll to try to drum up an AD server to test my code against. This shouldn’t be an issue, make it use the ldap datasource http://www.analogrithems.com/rant/2009/06/12/cakephp-with-full-crud-a-living-example/ then add the auth componet in this article. In your config/database.php place an entry for you active directory stuff. like any normal ldap connection. Active directory is just a standard ldap v3 (mostly). Also i believe you must use a proxy user account in your ‘config/database.php’ file for the inital dn lookup. (When you type in your username the script needs to translate that to a dn, it uses the proxy account you initially specify in config/database.php login & password fields to do the inital lookup then binds with the returned dn and the password you passed.)

The only other thing I can think of is changing the attribute on line 156
`$dn = $this->getDn(‘uid’, $uid);` to `$dn = $this->getDn(‘samaccountname’, $uid);` if you want to use a regular username format
of change it to `$dn = $this->getDn(‘userprincipalname’, $uid);` if you are going to use username@domain format

see http://www.computerperformance.co.uk/Logon/LDAP_attributes_active_directory.htm

Let me know if you have any trouble and I’ll to try to drum up an AD server to test my code against.

]]> By: Robert http://www.analogrithems.com/rant/2009/06/13/ldapauth-component-for-cakephp/comment-page-1/#comment-901 Robert Wed, 08 Jul 2009 15:58:08 +0000 http://www.analogrithems.com/rant/?p=40#comment-901 Very cool component. I need to write a tiny cake-based app this week and need to authenticate users via Microsoft Active directory. I also want to lock down the app to allow only users in a certain group to use any of it. Any suggestions on where to add that logic? I'm a bit new to cake and have been picking things up via the manual. Thank You, Very cool component. I need to write a tiny cake-based app this week and need to authenticate users via Microsoft Active directory. I also want to lock down the app to allow only users in a certain group to use any of it. Any suggestions on where to add that logic? I’m a bit new to cake and have been picking things up via the manual.

Thank You,

]]>