LDAP Auth


jbristow

Jul 19, 2012, 5:26:27 PM
to phpvb...@googlegroups.com
Has there been any work done to use LDAP auth?  I searched for LDAP in several places, and didn't get any results. 

If there's not anything written, I'd like to contribute what I can to getting something written.  Looking in the /lib/auth/ directory it looks like there are already 3 types of authentication methods supported.  I can work on modifying one of them to see if I can get something to work.  Any info I need to know before I start working on that?

Ian Moore

Jul 19, 2012, 7:27:59 PM
to phpvb...@googlegroups.com
Hello,

No one has started work on an ldap auth module. Feel free to start :). There are no gotchas that come to mind. Let me know if you hit any snags along the way.

Jared Bristow

Jul 19, 2012, 8:32:59 PM
to phpvb...@googlegroups.com
Got a couple questions for you. 

I program a lot in perl and bash, and I'm pretty good at php, but there's a few things I'm unfamiliar with.  Also, you might be able to guide me on some best practices. 

I'm trying to include a file that defines all the variables for authenticating to LDAP.  In the OpenMediaVault.php file I see that they use require_once to do this.  However I don't see the .inc files anywhere, so I'm not sure what the path they are using is relative to.

I tried using ldap/ldap.inc and putting the ldap folder in several places, but when I try to load the page, it says an unknown PHP error occurred.

Along those same lines, I'm getting that "PHP error occurred" message a lot - what's the best way for me to print out debug messages and such as I program this so I can tell what's going on?

Thanks for your help.

BTW - We love phpVB here at my work - we use it to manage all of our VB servers.  I love it so much, I donated $100 to your project earlier today.  Enjoy!

Jared Bristow  IT Manager : Adaptive Computing
www.adaptivecomputing.com
Direct Line: 801-717-3718 | Fax: 801-717-3738
1712 S. East Bay Blvd. Suite #300
Provo, UT 84606

Ian Moore

Jul 20, 2012, 9:19:19 AM
to phpvb...@googlegroups.com
Jared,

Thank you for the donation :)

I've attached a rough-draft LDAP authentication module. I don't have an LDAP server to test against, but using an LDAP module I wrote in the past for something else, this should work.

Don't use includes in your authentication module. The OpenMediaVault module uses includes so that it can include vital files from an OpenMediaVault installation. To inject configuration variables, use the $authConfig array in phpVirtualBox's config.php. All user configuration should go there. The phpvbAuthLDAP class has a $config array. These are your defaults.

    var $config = array(
        'host' => '127.0.0.1', // LDAP server host or URL
        'bind_dn' => 'uid=%s, ou=people, dc=internal, dc=local' // %s will be replaced with login username
    );


To override these, which would most certainly be done, the implementing user will add something like this to config.php:

    var $authConfig = array(
        'host' => 'ldaps://5.5.5.5/', // LDAP server host or URL
        'bind_dn' => 'username=%s, ou=admins, dc=mycompany' // %s will be replaced with login username
    );

In the attached file and with the above config set, when "bob" tries to log in, the ldap_bind would be attempted as:

"username=bob, ou=admins, dc=mycompany"

A PHP error is hard to debug from an auth module. If trying to debug the process, I would log to a file.

file_put_contents("/tmp/authdebug", "This is a debug message", FILE_APPEND);

If it is a syntax error or something that halts processing, navigating directly to config.php may print the error, depending on your php.ini settings. If not, the error may show up in apache's error logs, depending on your php.ini settings. It is possible that no error shows up anywhere at all, depending on your php.ini settings.

Let me know if you have any questions.
LDAP.php

Jared Bristow

Oct 15, 2012, 11:57:08 PM
to phpvb...@googlegroups.com
I finally got around to testing this.  I've got good news and bad news.

First of all, I did have to install the php5-ldap package (on ubuntu 11.04 desktop) before it would work.  Before I did that, when I went to login, the circle would just sit there spinning.  I looked at my apache log and found this:
PHP Fatal error:  Call to undefined function ldap_connect() in /var/www/lib/auth/LDAP.php on line 26, referer: <servername>

After installing php5-ldap, regular ldap auth worked like a charm!  You'll probably want to leave a comment about needing that in the LDAP.php file.  

Next, I tried LDAPS.  Our LDAP uses a self-signed cert, so that may be part of the problem.  To try it, I set the value of 'host' to "ldaps://<servername>:636"  This string appears to work on my other ldap_connect() php stuff, but I don't remember if I did something special to install the cert there.

Jared Bristow

Oct 17, 2012, 2:27:50 AM
to phpvb...@googlegroups.com
We figured out why ldaps wasn't working - it was because of our self-signed cert.  In /etc/ldap/ldap.conf we had to add these two lines:

TLS_CACERT /etc/ssl/certs/adcert.pem
TLS_REQCERT never

The next task for me was to limit logins to a certain group.  Our LDAP is actually an Active Directory server, so I think group search may operate a little differently.

The result is the attached AD.php file.  I found some code here: http://samjlevy.com/2010/09/php-login-script-using-ldap-verify-group-membership/ that was very helpful.  

Basically, I added the variables "admin_ou" and "domain".  After authenticating the user, the code then checks the user's groups to see if they belong to the specified admin_ou.  

The original code used a substr function, which didn't work if you included the "ou=" at the front of the group because it would return a 0.  I used a case-insensitive regex instead, and also appended a comma and the bind_dn to the end of the admin_ou.  This is a better method for matching - our admin group is "it" and the previous method was matching on our "git" and "it-eg" groups.

I have tested this out, and verified that it works!

AD.php
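The group-matching point in the post above, as an added PHP example that is not the AD.php attached to the thread: the whole group DN is compared after normalisation instead of testing for the group name as a substring. The memberOf values and base DN are constructed for illustration.

```php
<?php
// Added example, not the AD.php attached to the thread: check group membership by
// comparing the whole group DN, so that "it" no longer matches "git" or "it-eg".
// The memberOf values and base DN below are constructed for illustration.

// Lower-case the DN and strip whitespace around commas; AD DNs are case-insensitive
// and different tools print "CN=a, CN=b" or "CN=a,CN=b" for the same entry.
function normaliseDn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// Exact match on the full DN "cn=<group>,<base DN>" (the regex-plus-bind_dn idea
// from the post, done as a normalised string comparison instead of a pattern).
function isMemberOfGroup(array $memberOf, string $groupName, string $baseDn): bool
{
    $wanted = normaliseDn('cn=' . $groupName . ',' . $baseDn);
    foreach ($memberOf as $dn) {
        if (normaliseDn($dn) === $wanted) {
            return true;
        }
    }
    return false;
}

// The substring test the post replaced, kept only to show why it over-matches:
// any DN that merely contains the group name as text passes.
function isMemberOfGroupSubstring(array $memberOf, string $groupName): bool
{
    foreach ($memberOf as $dn) {
        if (stripos($dn, $groupName) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed memberOf attribute of a user who is in "git" and "it-eg" but not "it".
$memberOf = [
    'CN=git,CN=Users,DC=mycompany,DC=local',
    'CN=it-eg, CN=Users, DC=mycompany, DC=local',
];
$baseDn = 'CN=Users,DC=mycompany,DC=local';

foreach (['it', 'it-eg', 'git'] as $group) {
    printf("%-6s substring=%s exact=%s\n",
        $group,
        var_export(isMemberOfGroupSubstring($memberOf, $group), true),
        var_export(isMemberOfGroup($memberOf, $group, $baseDn), true));
}
```

memberOf only lists direct membership, so nested groups need a further lookup, and a group name containing commas or other DN-special characters would have to be escaped before being spliced into the DN.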

Ian Moore

Oct 17, 2012, 8:56:50 PM
to phpvb...@googlegroups.com
Hi Jared,

Awesome! Thank you. I'm not that familiar with AD, but is that admin_ou really needed if you can just include it in the bind_dn?

Jared Bristow

Oct 18, 2012, 2:51:50 AM
to phpvb...@googlegroups.com
That's a good question.  There are a few reasons:
#1 Our company's AD has both the users and the groups in the Users CN.  I'm not exactly sure why it was set up that way, but I think it causes what you're suggesting not to work.  I tried what you suggested and it fails at the ldap_search command.  I know it's always nice to have only a few options to fill in, but I've seen a lot of AD authentication implementations ask for every possible variable for connecting to the AD.  This is a middle ground where only the bare minimum parts that we care about are required.  Also the domain could technically be generated from the "dc=" strings in the bind_dn.
#2 If you ever wanted to add other groups for other sets of permissions, then this shows how to separate out a group as an example.  I don't know if there are any features for this in VirtualBox, but I can think of several ways you could benefit from having different groups with different permissions.  
#3 - the best reason - that's the way it was when I copied the code!  Actually, the original code was that way so that different permissions could be given to different groups as in my #2 reason.

Ian Moore

Oct 18, 2012, 3:03:25 PM
to phpvb...@googlegroups.com
Hi Jared,

Please try the attached authentication module. I decided to separate it from the LDAP auth module. In config.php, place:

var $authLib = 'ActiveDirectory';

Config values are:

    array(
        'host' => '127.0.0.1', // host to connect to
        'admin_group' => null, // users in this group are admins in phpvirtualbox
        'admin_user' => null, // this user is an explicit admin regardless of group membership
        'user_group' => null, // only users in this group can log in
        'bind_dn' => 'CN=Users', // Bind DN. Most people will not need to change this
        'domain' => 'internal.local', // active directory domain
        'filter' => '(&(objectclass=User)(objectCategory=Person))' // only search for Users. This should not need to be changed.
    );

A very simple config in your case would probably be something like this in config.php:

var $authConfig = array(
    'host' => 'ldaps://your.server.ip',
    'user_group' => 'admins',
    'admin_group' => 'admins', // make everyone an admin
    'domain' =>   'mydomain.local'
);

Let me know how it goes.
ActiveDirectory.php

Jared Bristow

Oct 18, 2012, 5:56:28 PM
to phpvb...@googlegroups.com
Hmmm...

I verified that I was able to authenticate a valid admin user after setting the admin_group.
I tried a non-admin user, and got an "Invalid Username or password" error.  I would have expected a "You don't have permission" error.  After trying that, things got a little strange. 

Then I tried changing around the options in admin_group, admin_user, and user_group.  Things seemed to be correctly allowing or denying as expected.  Then I started to be able to authenticate as any user, no matter what the file was configured for.  I thought maybe I had something cached, so I booted up a livecd in a vm, but was still able to login as any user, even when all three options were set to null.

Any suggestions for what I should do to troubleshoot this?

Ian Moore

Oct 18, 2012, 7:52:19 PM
to phpvb...@googlegroups.com
Hi Jared,

The logic goes like this:

If user_group is specified, anyone who attempts to log in must be a member of this group. If it is not specified, anyone with an AD account can log in.

If admin_group is specified, an authenticated user that is also in this group is an admin in phpvirtualbox. If it is not specified, it is ignored.

If admin_user is specified, an authenticated user by this name will be an admin in phpvirtualbox. If it is not specified, it is ignored.

I'll explain the following config:

'user_group' => '',
'admin_group' => '',
'admin_user' => 'james'

Anyone with an AD account can log in. Only 'james' is an admin in phpvirtualbox.

'user_group' => 'Dev Lab',
'admin_group' => '',
'admin_user' => 'susan'

Anyone in the Dev Lab group can log in. 'susan' is an admin in phpvirtualbox and must also be a member of the Dev Lab group to log in.

'user_group' => '',
'admin_group' => 'vbox admins',
'admin_user' => ''

Anyone with an AD account can log in. Users in the 'vbox admins' group are admins in phpvirtualbox.

'user_group' => 'Dev Lab Users',
'admin_group' => 'Dev Lab Admins',
'admin_user' => ''

Anyone in the Dev Lab Users group can log in. Users in Dev Lab Admins are admins in phpvirtualbox and must be a member of 'Dev Lab Users' to log in.

'user_group' => 'Dev Lab Users',
'admin_group' => 'Dev Lab Users',
'admin_user' => ''

Anyone in the Dev Lab Users group can log in. All of those users are admins.

'user_group' => '',
'admin_group' => '',
'admin_user' => ''

Anyone with an AD account can log in, but no one will be an admin in phpvirtualbox.

If you find that the above is not the case, please let me know.

Another way to implement this, which may make more sense, is that users in 'admin_group' and/or the user specified as 'admin_user' do not have to be in 'user_group' (if specified).

What are your thoughts?

Jared Bristow

Oct 18, 2012, 11:18:40 PM
to phpvb...@googlegroups.com
I see - my logic is the inverse: nobody gets rights to anything unless they are explicitly granted.  Doesn't it make more sense that someone has to be granted rights, rather than implicitly giving it to them?

I also don't agree with the admins having to be in the users group.  If I specify the "IT" group as admins, and the "Developers" group as users, then IT won't be able to login unless they are also in the developers group.  Anyone in the admin group should be allowed to login whether or not they are in the users group.

In my case, the first thing I'm concerned with is only allowing the IT admins to be able to login while making sure nobody else can mess with anything.  I'd prefer that anyone not specified in the settings get a permission denied error.  Right now, if I specify the admin_group and the user_group as "IT" then users not in "IT" get an "invalid username or password" error.  

I like the option of being able to make a specific user an admin.  Then again, normal usage would probably be to make a phpvb-admins group on the AD server, and then add any users to that group who need admin rights.  The admin_user option doesn't seem to be able to handle more than one user either.  I guess if you had a single admin, then this option makes sense.  

BTW - what features come with being an admin vs. a regular user?  I saw this: http://code.google.com/p/phpvirtualbox/wiki/Authentication#Access_Levels, but it only mentions user management (which of course isn't applicable when using AD/LDAP).  

After playing around for a bit, I did notice a couple differences between the admin user and regular user - the regular user didn't have rights to add a group.  Also, they couldn't start one vm, but they could create a new one and start it, but not stop it.  Are these rights specified somewhere?

I would be interested in having a group for "view only" rights.  

Ian Moore

Oct 19, 2012, 8:34:57 AM
to phpvb...@googlegroups.com
Hi Jared,

It does make more sense that someone has to be granted rights, and you have the ability to do that. I believe you are assuming that the person who is configuring authentication in phpVirtualBox has access to manage AD groups and users. In my organization (I'm sure in others, too) this is not the case. AD is controlled by a group on the other side of the country. Tracking down and contacting this group would be a chore - not to mention getting them to add an AD group and assign users to it. I believe the configuration as-is grants the most flexibility. In my case I would set the authentication module to look in OU=Development, ignore user group assignments, and specify one user (me) to be an administrator.

I agree that admins should be explicitly allowed regardless of any other settings, and that has been changed.

"Invalid username or password" is the generic error displayed when any authentication fails. I can throw an exception stating "Permission denied" in the authentication module where appropriate. The only drawback is that one would have to refresh the page to see the login form again. Small price to pay, but it should be noted.

In a default configuration, admin users can administer other users and make changes that affect VM groups and VM order. With an auth module in place, this just means that admin users can make changes that affect VM groups and VM order. I am not really interested in creating a "user1 has access to VM foo and user2 has access to VM bar" type of control in phpVirtualBox. A user of phpVirtualBox had contributed code to enforce VM ownership that should not be activated unless explicitly specified in phpVirtualBox's configuration. Your comments made me re-evaluate the code and I see some places where it has not been cleanly separated. This will be fixed in the next version of phpVirtualBox.

Please try the attached auth module and let me know what you think.
ActiveDirectory.php
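The user_group / admin_group / admin_user rules as Ian first described them, and the revision in his last reply that lets admins in regardless of user_group, as an added PHP example that is not phpVirtualBox's ActiveDirectory.php. The usernames, group names and configuration are constructed for illustration.

```php
<?php
// Added example, not phpVirtualBox's ActiveDirectory.php: the user_group / admin_group /
// admin_user rules from the thread as one pure function, so a configuration can be
// tried against a table of users before it is deployed. Usernames, groups and the
// configuration below are constructed for illustration.

const ACCESS_DENIED = 'denied';   // may not log in
const ACCESS_USER   = 'user';     // may log in, no admin rights
const ACCESS_ADMIN  = 'admin';    // may log in with admin rights

// $groups is the list of group names the user is a direct member of (what a memberOf
// lookup would return). $adminsBypassUserGroup = false is the logic as first posted;
// true is the later revision where admins are allowed in regardless of user_group.
function accessLevel(array $config, string $user, array $groups, bool $adminsBypassUserGroup): string
{
    $userGroup  = $config['user_group']  ?? '';
    $adminGroup = $config['admin_group'] ?? '';
    $adminUser  = $config['admin_user']  ?? '';

    $isAdmin = ($adminGroup !== '' && in_array($adminGroup, $groups, true))
            || ($adminUser !== '' && strcasecmp($adminUser, $user) === 0);

    // An empty user_group means anyone with an account may log in.
    $inUserGroup = ($userGroup === '') || in_array($userGroup, $groups, true);

    if (!$inUserGroup && !($adminsBypassUserGroup && $isAdmin)) {
        return ACCESS_DENIED;
    }
    return $isAdmin ? ACCESS_ADMIN : ACCESS_USER;
}

// The configuration from the objection raised in the thread: IT are admins, Developers are users.
$config = ['user_group' => 'Developers', 'admin_group' => 'IT', 'admin_user' => ''];

// Constructed directory: username => direct group memberships.
$memberships = [
    'alice' => ['IT'],                // admin but not a developer
    'bob'   => ['Developers'],        // plain user
    'carol' => ['IT', 'Developers'],  // admin in both groups
    'dave'  => ['Sales'],             // in neither group
];

foreach ($memberships as $name => $groups) {
    printf("%-6s original=%-7s revised=%s\n",
        $name,
        accessLevel($config, $name, $groups, false),
        accessLevel($config, $name, $groups, true));
}
```

Null config values (the module's defaults) are treated the same as empty strings, which is what the examples in the thread rely on.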