ID: 08369
Project: Feature requests
Category: Authentication
View Status: public
Last Update: 2021-08-19 15:28
Reporter: zmn
Assigned To: mdekker
Priority: normal
Severity: feature
Status: closed
Resolution: reopened
Summary: 08369: Possibility to use slapd for ldap authentication.
Description

I'd like to have the possibility to work with slapd in the LDAP plugin.

Currently the LDAP plugin has two options:

  1. ldap server (ldap://127.0.0.1)
  2. domain name (@example.com)

It works with Active Directory, but it doesn't work with slapd.

It can't work with slapd because the "user@domainname" format doesn't work (or slapd is not configured properly, I don't know).
But it can work with a Distinguished Name like "uid=user,ou=Users,dc=domainname" instead of "user@domainname".

Additional Information

ldap_bind(): Unable to bind to server: Invalid DN syntax

./application/core/plugins/AuthLDAP/AuthLDAP.php(98): ldap_bind(resource, "user@.test.tst", "passw0rd")

093 return;
094 }
095
096 if($ldapconn) {
097 // binding to ldap server
098 $ldapbind = ldap_bind($ldapconn, $username.$domain, $password);
099 // verify binding
100 if (!$ldapbind) {
101 $this->setAuthFailure(100, ldap_error($ldapconn));
102 ldap_close($ldapconn); // all done? close connection
103 return;

Tags: No tags attached.
Attached Files: ldap_plugin.jpg (32,557 bytes)

Users monitoring this issue

mdekker, mfaber, lemeur

Activities

rolando_isidoro (reporter), 2014-03-06 16:33, note ~29125

I second this feature request and ask for anonymous binding to be considered when implementing this. The workflow for this LDAP auth scenario should be something like:

1 - Connect to the LDAP server;
2 - Perform an anonymous LDAP bind;
3 - Issue an LDAP search entry for the given username;
4 - Perform a second LDAP bind, this time with the DN of the entry found in the previous search + the given password.

DenisChenu (developer), 2014-03-07 11:00, note ~29134

Hi,

For 'domain', did you try without?
ldap_bind($ldapconn, $prefix . $username . $suffix, $password);
$prefix set to "uid="
$suffix set to ",ou=Users,dc=domainname"
Not sure it does the trick, but I think yes.

We make an LDAP bind with the password given by the user: why try to make an anonymous bind before? To validate the username?

I have to do some tests, but I think it's OK (I use slapd for my email).

DenisChenu (developer), 2014-03-07 11:02, note ~29135

Menno, I set you to monitoring, because you are our specialist. I think it's already OK in the LDAP plugin. Just need confirmation :).

Thanks

rolando_isidoro (reporter), 2014-03-07 11:30, note ~29136

Denis, glad to see such a quick reaction regarding this topic. I found this image that shows what I meant with the bind and subsequent search: http://wiki.alfresco.com/images/d/d7/Search_and_bind.png

Just to strengthen the example, let's say we have this kind of LDAP implementation in limesurvey.org and rolando_isidoro is a user; the authentication workflow would be something along the lines of:

1 - Connect to the limesurvey.org LDAP server;
2 - Perform an LDAP bind using the connection established in step 1 (this can be done anonymously or using credentials for a user with permissions to perform an LDAP search);
3 - Issue an LDAP search using a filter "uid=rolando_isidoro" which should return a single result entry;
4 - Perform a second LDAP bind, this time with the DN of the entry found on the previous search, something like uniqueIdentifier=12345,ou=agents,dc=limesurvey,dc=org and which doesn't contain rolando_isidoro anywhere, plus the given password.

Possible breakpoints to check on this workflow that would result in authentication failure would be:

1 - Failed to connect to LDAP server;
2 - Failed to bind anonymously or with the fixed search user credentials;
3 - No results or more than one entry on the LDAP search;
4 - Failed to bind with the user DN and given password.
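Both authentication modes discussed in this thread, Denis's prefix/suffix simple bind (note ~29134) and the search-and-bind workflow with the four failure points listed just above, as one added PHP example built on PHP's ldap_* extension. This is example code written for this page, not the LimeSurvey AuthLDAP plugin's code; the $cfg key names, the failure codes, the server name and the DNs are assumptions chosen for illustration. It also includes the optional STARTTLS step that comes up later in the thread.

```php
<?php
// Added example for this issue page, not the LimeSurvey AuthLDAP plugin code.
// Setting names ($cfg keys), failure codes, server name and DNs are assumptions.

/**
 * Authenticate a user against LDAP in one of two modes:
 *   'simplebind'     DN = prefix . username . suffix, then bind with the password
 *   'searchandbind'  bind as a search user (or anonymously), search for the uid,
 *                    then bind with the DN that was found and the password
 *
 * Returns ['ok' => true, 'dn' => $dn] on success, otherwise
 * ['ok' => false, 'code' => $code, 'msg' => $msg], where code follows the
 * breakpoint numbering of the workflow (1 connect, 2 search bind, 3 search,
 * 100 user bind) plus 99 for a rejected empty login.
 */
function ldapAuthenticate(array $cfg, string $username, string $password): array
{
    // A simple bind with a DN and an empty password is an *anonymous* bind
    // (RFC 4513 section 5.1.2); servers commonly accept it, so it must never
    // count as a successful login. Reject it before touching the directory.
    if ($password === '' || $username === '') {
        return ['ok' => false, 'code' => 99, 'msg' => 'Empty username or password'];
    }

    // Breakpoint 1: connect. ldap_connect() only validates the URI; the TCP
    // connection is opened lazily on the first operation.
    $conn = ldap_connect($cfg['server'], $cfg['port'] ?? 389);
    if ($conn === false) {
        return ['ok' => false, 'code' => 1, 'msg' => 'Could not connect to LDAP server.'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Optional STARTTLS so credentials are not sent in clear text over ldap://.
    if (!empty($cfg['starttls']) && !@ldap_start_tls($conn)) {
        return ldapFail($conn, 1, 'STARTTLS failed: ' . ldap_error($conn));
    }

    if (($cfg['mode'] ?? 'simplebind') === 'simplebind') {
        // Scenario 1: the username is part of the DN, e.g.
        // "uid=" . "rolando_isidoro" . ",ou=people,dc=limesurvey,dc=org"
        $userDn = $cfg['prefix'] . $username . $cfg['suffix'];
    } else {
        // Breakpoint 2: bind as the search user; an empty binddn means an
        // anonymous bind, which works when the server allows anonymous searches.
        $bound = ($cfg['binddn'] ?? '') === ''
            ? @ldap_bind($conn)
            : @ldap_bind($conn, $cfg['binddn'], $cfg['bindpw']);
        if (!$bound) {
            return ldapFail($conn, 2, 'Search bind failed: ' . ldap_error($conn));
        }

        // Breakpoint 3: the lookup must return exactly one entry. The username
        // is escaped as a filter value so that '*', '(' or ')' in the submitted
        // login cannot change the meaning of the filter.
        $filter = '(' . $cfg['uidattr'] . '='
                . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
        $result = @ldap_search($conn, $cfg['searchbase'], $filter, ['dn']);
        $count  = $result ? ldap_count_entries($conn, $result) : 0;
        if ($count !== 1) {
            return ldapFail($conn, 3, "Expected exactly one entry for the login, found $count");
        }
        // Scenario 2: the DN found here need not contain the username at all,
        // e.g. uid=12345,ou=people,dc=limesurvey,dc=org
        $userDn = ldap_get_dn($conn, ldap_first_entry($conn, $result));
    }

    // Breakpoint 4: bind as the user with the supplied password.
    if (!@ldap_bind($conn, $userDn, $password)) {
        return ldapFail($conn, 100, ldap_error($conn));
    }
    ldap_unbind($conn);
    return ['ok' => true, 'dn' => $userDn];
}

/** Close the connection and build the failure result (callers read ldap_error() first). */
function ldapFail($conn, int $code, string $msg): array
{
    ldap_unbind($conn);
    return ['ok' => false, 'code' => $code, 'msg' => $msg];
}

// Constructed configuration for an assumed directory; ldap.example.org is not a real server.
$config = [
    'server'     => 'ldap://ldap.example.org',
    'port'       => 389,
    'starttls'   => true,
    'mode'       => 'searchandbind',
    'searchbase' => 'ou=people,dc=example,dc=org',
    'binddn'     => '',        // empty: anonymous search bind
    'bindpw'     => '',
    'uidattr'    => 'uid',
    // used only in 'simplebind' mode:
    'prefix'     => 'uid=',
    'suffix'     => ',ou=people,dc=example,dc=org',
];
$r = ldapAuthenticate($config, 'rolando_isidoro', 'passw0rd');
echo $r['ok'] ? "Authenticated as {$r['dn']}\n"
              : "Login failed (code {$r['code']}): {$r['msg']}\n";
```

The empty-password check matters in both modes: an LDAP simple bind with a DN and an empty password is an unauthenticated bind, which many servers accept, so without the check a login with a blank password would look like a success. Escaping the username with ldap_escape() keeps a submitted value such as "*" from matching every entry under the search base; that would only trip the "exactly one entry" breakpoint rather than authenticate anyone, but it is cheaper to stop at the filter.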

DenisChenu (developer), 2014-03-07 12:20, note ~29138

Yes, but: why do an anonymous connection?

Why not, like now:

  • LDAP connection => if error: setAuthFailure(1, gT('Could not connect to LDAP server.'));
  • LDAP bind user/pass => if error: setAuthFailure(100, ldap_error($ldapconn));
    etc ...

Why add an anonymous LDAP connection?

mdekker (reporter), 2014-03-07 13:01, note ~29139

This report is asking for functionality already added in the current version of the plugin I think. I added a screenshot that shows the options currently available in 2.05+

Since we have a plugin system, you are free to take the code and create a personal plugin that fits your needs better. This plugin was made as an example and proof of concept. If you like to adopt the core plugin and enhance it and share that with the world, feel free to open a pull request on github. I am happy to assist with any difficulty you face talking to LimeSurvey.

DenisChenu (developer), 2014-03-07 13:18, note ~29140

Thanks to mdekker: confirmation, already in the core plugin.

Thank you

Mazi (updater), 2014-03-10 12:18, note ~29158

Re-opened on user request.

rolando_isidoro (reporter), 2014-03-10 13:14, note ~29161

mdekker: "This report is asking for functionality already added in the current version of the plugin I think."

I installed the latest LS version and can say without any doubt that this LDAP auth scenario is not possible.

Currently you can only authenticate in LS through LDAP if the user's DN contains the username provided in the login form. But that is not the case in a lot of LDAP setups.

Let me throw in 2 examples that hopefully will set apart the differences of the two methods. Let's assume I have a rolando_isidoro@limesurvey.org account on a LS LDAP setup and that my uid is rolando_isidoro.

Scenario 1 (possible by the current core plugin):

  • dn: uid=rolando_isidoro,ou=people,dc=limesurvey,dc=org
  • For this to work one would simply have to fill the "Username prefix" setting with "uid=" and the "Username suffix" with ",ou=people,dc=limesurvey,dc=org".

Scenario 2 (this feature request):

  • dn: uid=12345,ou=people,dc=limesurvey,dc=org
  • rolando_isidoro is not part of the dn, so there's no combination of prefix + suffix that would result in that dn.

DenisChenu: "Yes, but : why do an anonymous connection ?"

The first bind operation can be done anonymously as long as the LDAP setup allows for anonymous searches. This way there's no need for an entry of a user dedicated exclusively to performing searches.

DenisChenu: "This plugin was made as an example and proof of concept. If you like to adopt the core plugin and enhance it and share that with the world, feel free to open a pull request on github."

I really think that this enhancement as part of the core plugin would be a plus, since covering multiple LDAP authentication scenarios out-of-the-box could work as a boost to LS's user base.

I'm usually in #limesurvey as gerundio. Come by if you'd like to discuss this topic.

mdekker (reporter), 2014-03-10 14:00, note ~29162

Ok, to get things straight: the current plugin is working fine for all logins when we know the uid. Is that right?

You would like to add functionality to look up the uid by performing a search on the directory and using the result to do the authentication. If you would like to program that and add it to the core plugin you can always open a pull request. Please make sure the basic scenario is still possible. If you feel that is too complicated, you can also create a separate plugin that only supports your scenario. We are working on setting up a directory for extensions on http://www.limesurvey.org/en/extensions to showcase what the community created.

We created a plugin system since we can not support setups we can not test. This way the people who need it can create their own extensions or modify existing ones and preserve the changes during upgrades. The current ldap authentication plugin is working for the basic scenario, and of course it could be extended to support even more scenarios. We would like to leave that last step to the community so we can focus on improving the survey system.

Since the plugin functionality is new, we are here to help you when needed. If you need help in extending the plugin, or you miss hooks to get the things done that you want to do, feel free to ask; we can support you with that. Just the actual coding of the functionality will not be done by the limesurvey team.

rolando_isidoro (reporter), 2014-03-10 15:07, note ~29163

mdekker, thanks for the prompt reply. I don't have free time to develop it on my own for now, I'll try to talk to management so I can do it on working hours since we use LS here and that would only be fair to support the project.

Let's leave this feature request open so that someone can read this and might pick up on the plugin enhancement.

lemeur (developer), 2014-03-10 18:45, note ~29168

I've implemented this in
https://github.com/LimeSurvey/LimeSurvey/pull/175

Mazi (updater), 2014-03-10 19:21, note ~29170

Hi Thibault, nice to see you back again!

Great work!

rolando_isidoro (reporter), 2014-03-10 19:35, note ~29171

I had just created a fork on github to implement it, but no need for that now. Looking at the code it's very clear and checks for all the possible breakpoints.

Great job! How can we help so this can be pushed to master and hopefully get on the next release? :)

mdekker (reporter), 2014-03-11 08:43, note ~29176

If you could test the code and report back here that would help. I can only do the merge tomorrow. I will certainly review and merge the pull. Thanks for the work done!

lemeur (developer), 2014-03-11 09:27, note ~29178

Hi Menno,

Just to let you know that I tested it on both simplebind and search-and-bind setups.

I agree that it would be great if rolando_isidoro could test it as well.

Thibault

PS: Hi Mazi, good to hear from you again.

lemeur (developer), 2014-03-11 10:07, note ~29179

@rolando_isidoro, I have not tested anonymous bind search, can you test it?

TIA,
Thibault

rolando_isidoro (reporter), 2014-03-11 10:11, note ~29180

Just tested it, anonymous bind search is working as expected. Nice work :)

DenisChenu (developer), 2014-03-11 11:38, note ~29181

It's not a feature request, but why not use 2 separate core plugins here?
Then the user can activate 'ldap by ..' or 'ldap by bind'?

Fewer parameters and fewer tests for each user.

But: maybe it's a bad idea (and I didn't find 2 great names for each plugin, then it's surely a bad idea ;))

lemeur (developer), 2014-03-11 11:47, note ~29182

Denis, I have thought about this possibility but the 2 plugins do the same things, just in different contexts...

It is just a pity that we have the best data-entry system in the world with relevance and so on, and that our settings system can't use it... otherwise I would have hidden the parameters for search-and-bind when simplebind is selected.

Unless you see how to do this easily?

Thibault

DenisChenu (developer), 2014-03-11 11:59, note ~29183

Hi Thibault,

No, it's more a reflection than a clear request. LDAP access needs plugin activation, then MAYBE we can have 2 different plugins.
BUT a lot of code is the same: we would need to fix some code 2 times .... bad idea :)

rolando_isidoro (reporter), 2014-03-11 13:33, note ~29187

My 5 cents on this one is that the number of parameters won't be an issue. The form for setting up LDAP auth after this new feature development is quite compact and understandable.

I guess it won't be a problem for any user assigned to set up LDAP auth, since they'll have some knowledge of what fields should or should not be filled. In my experience, when they don't, a simple contact with the LDAP admin does the trick.

mdekker (reporter), 2014-03-12 12:51, note ~29206

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=13990

mdekker (reporter), 2014-03-12 13:42, note ~29207

I made the options appear / disappear depending on the ldapmode.

lemeur (developer), 2014-03-12 18:55, note ~29212

Great option.

I've used it to add the last missing option for a complete LDAP authentication plugin: the possibility to set start-tls.

Here is the Pull request:
https://github.com/LimeSurvey/LimeSurvey/pull/179

Is there a way to add "tips" to the settings so as to limit the size of the field descriptions and only add examples in tips?

lemeur (developer), 2014-03-12 21:53, note ~29215

Another question: what is the best Yii-friendly way to log messages?
Indeed, it would be convenient to have meaningful warning/error messages in a log file when the LDAP server is unreachable or when the bind DN can't connect, ...

I'm not sure if Yii::trace is the correct way; I've seen little reference to this on the 2.x branch.

lemeur (developer), 2014-03-12 21:54, note ~29216

@rolando_isidoro,

Can you test my last version?

rolando_isidoro (reporter), 2014-03-13 11:26, note ~29224 (last edited 2014-03-13 11:27)

@lemeur, done testing and it's working fine. Great work on making it cleaner and more usable.

I second your opinion that "tips" would be much more UI friendly than such long field descriptions.

rolando_isidoro (reporter), 2014-04-01 16:34, note ~29637

2 new LS versions have been released since the development and tests of this feature ended without it being included. Is there anything left to do before the code can be pushed to master?

lemeur (developer), 2014-04-01 17:40, note ~29641

@isidoro,
The feature has been included in the first release since the merging.
I just messed up the commit message, and thus it didn't appear in the changelog.

My mistake.

Related Changesets

LimeSurvey: master 55034bff, 2014-03-12 11:51:02, mdekker
Merge pull request #175 from lemeur/master
Fixed 08369: Added search-and-bind feature for the core LDAP authentication plugin (Thibault Le Meur)
Affected Issues: 08369
mod - application/core/plugins/AuthLDAP/AuthLDAP.php

LimeSurvey: master 801906a7, 2014-03-12 12:37:33, mdekker
dev: added possibility to show/hide plugin settings for 08369
dev: Reordered methods in PluginsController and did a format on the code, other then that only check for submit button to save data
Affected Issues: 08369
mod - application/controllers/PluginsController.php
mod - application/core/plugins/AuthLDAP/AuthLDAP.php
mod - application/extensions/SettingsWidget/SettingsWidget.php

LimeSurvey: master 1001b3e1, 2014-03-12 12:41:25, mdekker
dev: small fix
Affected Issues: 08369
mod - application/core/plugins/AuthLDAP/AuthLDAP.php

Issue History

Date Modified Username Field Change
2013-11-14 13:43 zmn New Issue
2014-03-06 16:33 rolando_isidoro Note Added: 29125
2014-03-06 17:37 mfaber Issue Monitored: mfaber
2014-03-07 11:00 DenisChenu Note Added: 29134
2014-03-07 11:01 DenisChenu Issue Monitored: mdekker
2014-03-07 11:02 DenisChenu Note Added: 29135
2014-03-07 11:30 rolando_isidoro Note Added: 29136
2014-03-07 12:20 DenisChenu Note Added: 29138
2014-03-07 13:01 mdekker Note Added: 29139
2014-03-07 13:01 mdekker File Added: ldap_plugin.jpg
2014-03-07 13:18 DenisChenu Note Added: 29140
2014-03-07 13:18 DenisChenu Status new => closed
2014-03-07 13:18 DenisChenu Assigned To => mdekker
2014-03-07 13:18 DenisChenu Resolution open => fixed
2014-03-07 13:18 DenisChenu Fixed in Version => 2.05+
2014-03-10 12:18 Mazi Note Added: 29158
2014-03-10 12:18 Mazi Status closed => feedback
2014-03-10 12:18 Mazi Resolution fixed => reopened
2014-03-10 13:14 rolando_isidoro Note Added: 29161
2014-03-10 14:00 mdekker Note Added: 29162
2014-03-10 15:07 rolando_isidoro Note Added: 29163
2014-03-10 18:45 lemeur Note Added: 29168
2014-03-10 19:21 Mazi Note Added: 29170
2014-03-10 19:35 rolando_isidoro Note Added: 29171
2014-03-11 08:43 mdekker Note Added: 29176
2014-03-11 09:27 lemeur Note Added: 29178
2014-03-11 10:07 lemeur Note Added: 29179
2014-03-11 10:11 rolando_isidoro Note Added: 29180
2014-03-11 11:38 DenisChenu Note Added: 29181
2014-03-11 11:44 lemeur Issue Monitored: lemeur
2014-03-11 11:47 lemeur Note Added: 29182
2014-03-11 11:59 DenisChenu Note Added: 29183
2014-03-11 13:33 rolando_isidoro Note Added: 29187
2014-03-12 12:51 mdekker Changeset attached => LimeSurvey master 55034bff
2014-03-12 12:51 mdekker Note Added: 29206
2014-03-12 13:38 mdekker Changeset attached => LimeSurvey master 801906a7
2014-03-12 13:42 mdekker Changeset attached => LimeSurvey master 1001b3e1
2014-03-12 13:42 mdekker Note Added: 29207
2014-03-12 18:55 lemeur Note Added: 29212
2014-03-12 21:53 lemeur Note Added: 29215
2014-03-12 21:54 lemeur Note Added: 29216
2014-03-13 11:26 rolando_isidoro Note Added: 29224
2014-03-13 11:27 rolando_isidoro Note Edited: 29224
2014-04-01 16:34 rolando_isidoro Note Added: 29637
2014-04-01 17:40 lemeur Note Added: 29641
2021-08-19 15:28 galads Status feedback => closed