{"id":13,"date":"2009-06-12T15:14:35","date_gmt":"2009-06-12T22:14:35","guid":{"rendered":"http:\/\/www.analogrithems.com\/rant\/?p=13"},"modified":"2011-08-25T19:49:37","modified_gmt":"2011-08-26T02:49:37","slug":"cakephp-with-full-crud-a-living-example","status":"publish","type":"post","link":"https:\/\/www.analogrithems.com\/rant\/cakephp-with-full-crud-a-living-example\/","title":{"rendered":"CakePHP: LDAP with full CRUD, a living example!"},"content":{"rendered":"

I’ve been using CakePHP<\/span> for a while now and I’ve been thinking for a while it was time to see if I could give something back. As an IT leader I’m in love with LDAP. It makes life so simple for me and my team. The big downside to LDAP is it’s not very easy to learn how all the objectClasses<\/span> and attributes work with various applications. Microsoft has eliminated this with the <\/span>Microsoft Management Console<\/em> (MMC<\/em>). It amazes me that no open source project has developed a tools such as this before. I’ve worked on a open source tool in the past that was a web interface wrapper around ldap<\/span> to do account management, so I’m familiar with the requirements such an application should have. Being that CakePHP<\/span> is so powerful, I wanted to see if I could do this with that.<\/span><\/p>\n

When I first started, I realized that CakePHP<\/span> didn’t have an LDAP data source officially supported yet. I did find two articles about some good attempts. One by <\/span>euphrate<\/span><\/span><\/span><\/a>, unfortunately this one was only for reading from ldap<\/span>. The second one was by <\/span>Gservat<\/span><\/span><\/a>, this one was a bit more complete, but was not really working for me and as i read from his comments many others. I think we wrote his for CakePHP<\/span> 1.1. Since I wanted to use Current cake 1.2.8xxx I set out to use this as my start and fix\/extend it.<\/span><\/p>\n

Before we get started I want to state the environment I was using to do my work was Redhat<\/span> Enterprise 5.2 & Fedora 10 (Work requirement) with redhat<\/span> directory server 8.1 and Fedora directory server 1.2. Now while LDAP is a standard protocol, some of the driver may have become centric to those platforms, so if this is the case, please leave me a comment and I will try to correct the ldap<\/span> data source I’m working on. My hope is to get ldap<\/span> as an offical<\/span> CakePHP<\/span> data source. With that said the reason i call this a living example is because I’ve continued to upgrade and improve this data source as well as this article. Some of the next features I want to implement is data associations. Basically has and belongs to many relations. This way when you<\/span> look up an user account it also shows you<\/span> all the groups that user is in. This will take some time but I’ll get there. This work is all being done in the hopes that I can use this data source and CakePHP<\/span> to build a really user friendly web interface for managing enterprise LDAP infrastructures without a whole lot of LDAP knowledge.<\/span><\/p>\n

6\/1\/2011 – This datasource<\/span> has gotten picked up by the CakePHP<\/span> core guys and they may be <\/span>officially<\/span> adding it in the future. \u00c2\u00a0I’ve also added some changes to support Active Directory better.<\/strong><\/p>\n

4\/15\/2010 – Made several changes to the code to hopefully play nicely with active directory.\u00c2\u00a0 Tested it with CakePHP<\/span>-1.3 everything looks good.\u00c2\u00a0 Please test and leave feedback.\u00c2\u00a0 The new datasource<\/span> requires you<\/span> to add a new field to the database.cfg<\/span> ldap<\/span> entry.\u00c2\u00a0 See the config<\/span> below<\/span>
\n<\/strong><\/p>\n

8\/20\/2009 – New Home for the source. I’ve got this datasource<\/span> in my github<\/span> tree now <\/span>http:\/\/github<\/span>.com\/analogrithems<\/span>\/idbroker<\/span>\/tree\/master\/models\/datasources<\/span><\/span><\/a> enjoy, and feel free to submit bugs or request there.<\/strong><\/p>\n

7\/13\/2009 – updated ldap<\/span>_source.php<\/span> to make better use of the debug describe code. Also fixed the way things update. Only update what has changed instead of whole record. This will help with LDAP aci<\/span> rules when logging in as non-admin users and trying to do things like update your userpassword<\/span> or email.<\/span><\/strong><\/p>\n

6\/20\/2009 – Updated ldap<\/span>_source.php<\/span> to work with OpenLDAP<\/span> 2.3 schema system. First it will try ‘cn<\/span>=schema’, if that doesn’t return any results then it looks for schemas<\/span> in ‘cn<\/span>=subschema’ this make sure the code will work with OpenLDAP<\/span> as well as the Netscape based versions like iPlanet<\/span>, Redhat<\/span> Directory Server, Fedora Directory Server etc.<\/span><\/strong><\/p>\n

First things first, here is my ldap<\/span> data source for CakePHP<\/span>. You<\/span> will need to download this <\/span>ldap<\/span>_source.php<\/span><\/span><\/a> to your ‘app\/models\/datasources<\/span>\/’ directory.<\/span><\/p>\n

So lets dive right in below is the database config<\/span> we will use.<\/span><\/p>\n

[php]
\n<?php
\nclass DATABASE_CONFIG {
\nvar $ldap = array (
\n \t\t‘datasource’ =–> ‘ldap’,
\n\t\t‘host’ => ‘localhost’,
\n\t\t‘port’ => 389,
\n\t\t‘basedn’ => ‘dc=examnple,dc=com’,
\n\t\t‘login’ => ”,
\n\t\t‘password’ => ”,
\n\t\t‘database’ => ”,
\n ‘tls’ => false,
\n ‘type’ => ‘Netscape’, \/\/Available types are ‘OpenLDAP’, ‘ActiveDirectory’, ‘Netscape’
\n\t\t‘version’ => 3
\n\t);
\n}
\n?>
\n[\/php]<\/p>\n

You<\/span> notice that the variables database, login<\/span> and password are blank. Keep at least database this way. You<\/span> can populate login<\/span> and password if don’t want your ldap<\/span> connections to be anonymous. I keep mine blank because I have written my own auth<\/span> component that uses ldap<\/span>, So once I’m authed<\/span> that gets passed to the datasource<\/span> instead. This is a ugly hack that I’ve written another <\/span>post about<\/a>.<\/p>\n

Please note that if you<\/span> are using Redhat<\/span> directory server, iPlanet<\/span> or Fedora Project 389 then the <\/span>type<\/strong> is Netscape as these all evolved off the Netscape LDAP server code base.\u00c2\u00a0 The other available types are ‘OpenLDAP’ or ‘ActiveDirectory’\u00c2\u00a0 (case matters).<\/p>\n

Here is our people model for accessing the users in your LDAP tree.
\n[php]
\n<?php
\nclass Person extends AppModel {
\n var $name = ‘Person’;
\n var $useDbConfig = ‘ldap’;<\/p>\n

\/\/ This would be the ldap equivalent to a primary key if your dn is
\n \/\/ in the format of uid=username, ou=people, dc=example, dc=com
\n var $primaryKey = ‘uid’;<\/p>\n

\/\/ The table would be the branch of your basedn that you defined in
\n \/\/ the database config
\n var $useTable = ”;<\/p>\n

var $validate = array(
\n ‘cn’ => array(
\n ‘alphaNumeric’ => array(
\n ‘rule’ => array(‘custom’, ‘\/^[a-zA-Z ]+$\/’),
\n ‘required’ => true,
\n ‘on’ => ‘create’,
\n ‘message’ => ‘Only Letters, Numbers and spaces\t can be used for Display Name.’
\n ),
\n ‘between’ => array(
\n ‘rule’ => array(‘between’, 5, 40),
\n ‘on’ => ‘create’,
\n ‘message’ => ‘Between 5 to 40 characters’
\n )
\n ),
\n ‘sn’ => array(
\n ‘rule’ => array(‘custom’, ‘\/^[a-zA-Z]*$\/’),
\n ‘required’ => true,
\n ‘on’ => ‘create’,
\n ‘message’ => ‘Only Letters and Numbers can be used for Last Name.’
\n ),
\n ‘userpassword’ => array(
\n ‘rule’ => array(‘minLength’, ‘8’),
\n ‘message’ => ‘Mimimum 8 characters long.’
\n ),
\n ‘uid’ => array(
\n ‘rule’ => array(‘custom’, ‘\/^[a-zA-Z0-9]*$\/’),
\n ‘required’ => true,
\n ‘on’ => ‘create’,
\n ‘message’ => ‘Only Letters and Numbers can be used for Username.’
\n )
\n );
\n}
\n?>
\n[\/php]
\nHere is a very basic controller to accompany our people model. It demonstrates the important core functions and should get you started on using this data source with your own application.<\/p>\n

[php]
\n<?php
\nclass PeopleController extends AppController {<\/p>\n

\tvar $name = ‘People’;
\n\tvar $components = array(‘RequestHandler’, ‘Ldap’);
\n\tvar $helpers = array(‘Form’,’Html’,’Javascript’, ‘Ajax’);<\/p>\n

\tfunction add(){
\n\t\tif(!empty($this->data)){
\n\t\t\t$this->data[‘Person’][‘objectclass’] = array(‘top’, ‘organizationalperson’, ‘inetorgperson’,’person’,’posixaccount’,’shadowaccount’);<\/p>\n

\t\t\tif($this->data[‘Person’][‘password’] == $this->data[‘Person’][‘password_confirm’]){
\n\t\t\t\t$this->data[‘Person’][‘userpassword’] = $this->data[‘Person’][‘password’];
\n\t\t\t\tunset($this->data[‘Person’][‘password’]);
\n\t\t\t\tunset($this->data[‘Person’][‘password_confirm’]);<\/p>\n

\t\t\t\tif(!isset($this->data[‘Person’][‘homedirectory’])&& isset($this->data[‘Person’][‘uid’])){
\n\t\t\t\t\t$this->data[‘Person’][‘homedirectory’] = ‘\/home\/’.$this->data[‘Person’][‘uid’];
\n\t\t\t\t}<\/p>\n

\t\t\t\t$cn = $this->data[‘Person’][‘cn’];
\n\t\t\t\tif ($this->Person->save($this->data)) {
\n\t\t\t\t\t$this->Session->setFlash($cn.’ was added Successfully.’);
\n\t\t\t\t\t$id = $this->Person->id;
\n\t\t\t\t\t$this->redirect(array(‘action’ => ‘view’, ‘id’=> $id));
\n\t\t\t\t}else{
\n\t\t\t\t\t$this->Session->setFlash("$cn couldn’t be created.");
\n\t\t\t\t}
\n\t\t\t}else{
\n\t\t\t\t$this->Session->setFlash("Passwords don’t match.");
\n\t\t\t}
\n\t\t}
\n\t\t$attributes = array(‘uidnumber’, ‘uid’, ‘homedirectory’);
\n\t\t$preset = $this->autoSet($attributes);
\n\t\tforeach($this->data[‘Person’] as $key => $value){
\n\t\t\t$preset[$key] = $value;
\n\t\t}
\n\t\t$this->data[‘Person’] = $preset;<\/p>\n

\t\t$groups = $this->Ldap->getGroups(array(‘cn’,’gidnumber’),null,’posixgroup’);
\n\t\tforeach($groups as $group){
\n\t\t\t$groupList[$group[‘gidnumber’]] = $group[‘cn’];
\n\t\t}
\n\t\tnatcasesort($groupList);
\n\t\t$this->set(‘groups’,$groupList);
\n\t\t$this->layout = ‘people’;
\n\t}<\/p>\n

\tfunction view( $id ){
\n\t\tif(!empty($id)){
\n\t\t\t$filter = $this->Person->primaryKey."=".$id;
\n\t\t\t$people = $this->Person->find(‘first’, array( ‘conditions’=>$filter));
\n\t\t\t$this->set(compact(‘people’));
\n\t\t}
\n\t\t$this->layout = ‘people’;
\n\t}<\/p>\n

\tfunction delete($id = null) {
\n\t\t$this->Person->id = $id;
\n\t\treturn $this->Person->del($id);
\n\t}<\/p>\n

\t\/**
\n\t* The AuthComponent provides the needed functionality
\n\t* for login, so you can leave this function blank.
\n\t*\/
\n\tfunction login() {
\n\t}<\/p>\n

\tfunction logout() {
\n\t\t$this->redirect($this->LdapAuth->logout());
\n\t}<\/p>\n

\t\/\/Very Ugly, fix this.,
\n\tfunction isAuthorized() {
\n\t\treturn true;
\n\t}<\/p>\n

}
\n[\/php]<\/p>\n

So lets talk about somethings here, in our model we define $primaryKey<\/span><\/span><\/strong> & $useTable<\/span><\/span><\/strong> variables. The $useTable<\/span><\/span><\/strong> is the branch of the ldap<\/span> server. For this models purpose we define our table as <\/span>‘ou=people’<\/strong>. This makes sure that objects we create (I.E. Users\/people) will be added under the organization unit people. It also makes sure that when you pass something like ‘jdoe’ to the delete action it will search that branch for the user object to delete. The $primaryKey<\/span><\/span><\/strong> also helps in the creation and deleting of users. It makes sure that the dn<\/span> is created as uid<\/span>, this is helpful to make sure that a user doesn’t already have that user name. Also since ldap<\/span> is case insensitive you<\/span> don’t have to worry about the possible variations of the object names when checking the existence.<\/span><\/p>\n

Now your model isn’t limited to one branch or object type. If you wanted to create a browser for example your could define a model like the following.<\/p>\n

You’ll notice here we set our $useTable<\/span><\/span><\/strong> to nothing (important, you<\/span> get errors about no db defined from CakePHP<\/span> if this missing). The really interesting part here is that we set <\/span>$primaryKey<\/strong> to dn<\/span>. This is the ultimate primary key for our type or data source. The difference here is that when we create\/delete an object we have to pass it the full dn<\/span>.<\/span><\/p>\n

Our new data source also adds some new options to the find function.
\n$options[‘targetDN’] :<\/strong> This is more like the point in the tree we want to start our search. If you<\/span> don’t define it it defaults to the $useTable<\/span>.$config<\/span>[$useDbConfig<\/span>][‘basedn’] if your $useTable<\/span> variable is empty it defaults to the basedn<\/span> configured in your database config<\/span>.<\/span><\/p>\n

$options[‘scope’] :<\/strong> If you’ve worked with ldap<\/span> before then you<\/span> are familiar with the concept of search scopes. You<\/span> have three search scopes, ‘sub’, ‘one, & ‘base’. Basically <\/span>sub<\/strong> means search from this point down the tree. one<\/strong> means search one level below this point and base<\/strong> means search just this point. For example if you<\/span> wanted to see if a user already existed you<\/span> could set the targetDn to uid<\/span>=jdoe<\/span>,ou<\/span>=people,dc=example,dc=com and it will check if this object already exists. The default scope is <\/span>sub<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"

I’ve been using CakePHP for a while now and I’ve been thinking for a while it was time to see if I could give something back. As an IT leader I’m in love with LDAP. It makes life so simple for me and my team. The big downside to LDAP is it’s not very easy […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,44,3],"tags":[170,168],"class_list":["post-13","post","type-post","status-publish","format-standard","hentry","category-cakephp","category-featured","category-ldap","tag-cakephp","tag-ldap"],"_links":{"self":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/13","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/comments?post=13"}],"version-history":[{"count":51,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/13\/revisions"}],"predecessor-version":[{"id":481,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/posts\/13\/revisions\/481"}],"wp:attachment":[{"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/media?parent=13"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/categories?post=13"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.analogrithems.com\/rant\/wp-json\/wp\/v2\/tags?post=13"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}