ID: 0009816
Category: [phplist] Authentication System
Severity: feature
Reproducibility: always
Date Submitted: 23-04-07 05:25
Last Update: 20-10-09 16:51
Reporter: bpeabody
View Status: public
Assigned To:
Priority: normal
Resolution: open
Status: new
Product Version: 2.10.4
Summary: 0009816: LDAP Authentication Patch
Description: Here is a patch for using LDAP as the backend for authentication of phplist admin users. It has support for two different types of admin accounts: a) everyone who matches the criteria you specify in your config is automatically an admin, with the records in the database being created as the user logs in the first time, b) everyone who matches your criteria is a potential admin, but only those who already have an admin record in the phplist database are able to log in. You can use one or both of these methods at the same time.

The text file in the attached package contains more info.

Feedback is welcome.
Additional Information
Tags No tags attached.
Attached Files:
phplist-ldap-0.1.patch (11,626 bytes) 23-04-07 05:25
phplist-ldap-0.1.txt (4,753 bytes) 23-04-07 05:26
phplist-ldap-0.1a.patch (11,910 bytes) 16-08-07 22:37

- Relationships
related to 0002705 (closed): PHPList v2.11 release

-  Notes
(0026148)
michiel (administrator)
23-04-07 16:50

Interesting, thanks

Instead of patching phplist_auth.inc wouldn't it be easier to write a new ldap_auth.inc and then set the config file to use that one? That way the developments can go their own way.

That was initially the idea when creating the phplist_auth.inc file.
(0026168)
bpeabody (reporter)
23-04-07 23:37

Yes, you're right. It definitely seems better to put this in a separate file (I missed that line in the config, sorry).

The only thing is that the LDAP code can fall back on the regular auth for specific users that you define (for example, you may want to keep the "admin" account local - not authenticating via LDAP, so in the event that your LDAP server is down, or there is some other connection issue, you can still get in;). This feature is currently implemented by renaming your existing validateLogin function to localValidateLogin and just calling it when needed.

Perhaps this could be resolved by implementing a new class called "ldap_admin_auth" which extends from "admin_auth" and lives in a separate "ldap_admin_auth.inc" file? But then I'm not sure how the rest of PHPList would know to use an instance of "ldap_admin_auth" instead of "admin_auth" - just including the file wouldn't quite do it.

Or I could just copy the existing admin_auth.inc to ldap_admin_auth.inc and make the mods to it. But that's a little less resilient to change, since ldap_admin_auth.inc would have to track with and carry over any relevant changes from admin_auth.inc as it evolves, instead of letting the language do that for us via inheritance.

Your call - whichever you think is best.
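
The subclass-with-local-fallback design discussed in the note above, as an added example that is not part of the attached patch or of phplist. The admin_auth body is a stand-in, and the validateLogin return shape, the $localOnly list and the $ldapBind callable are assumptions made for illustration.

```php
<?php
// Stand-in for phplist's admin_auth. The real class body and the
// validateLogin() return shape are assumptions, not phplist code.
class admin_auth {
    // Constructed sample account; a real install checks its database.
    protected $localUsers = ['admin' => 'constructed-local-secret'];

    public function validateLogin($login, $password) {
        $ok = isset($this->localUsers[$login])
            && hash_equals($this->localUsers[$login], (string) $password);
        return [$ok, $ok ? 'local' : 'denied'];
    }
}

class ldap_admin_auth extends admin_auth {
    private $localOnly; // accounts that are never sent to LDAP
    private $ldapBind;  // hypothetical seam: callable($login, $password): bool

    public function __construct(array $localOnly, callable $ldapBind) {
        $this->localOnly = $localOnly;
        $this->ldapBind  = $ldapBind;
    }

    public function validateLogin($login, $password) {
        // Listed accounts keep working when the directory is unreachable.
        if (in_array($login, $this->localOnly, true)) {
            return parent::validateLogin($login, $password);
        }
        // A simple bind with an empty password is treated by many
        // servers as an anonymous bind and succeeds, so reject it here.
        if ($password === null || $password === '') {
            return [false, 'denied'];
        }
        try {
            $ok = ($this->ldapBind)($login, $password) === true;
        } catch (Exception $e) {
            // Directory errors fail closed: LDAP users get no local fallback.
            $ok = false;
        }
        return [$ok, $ok ? 'ldap' : 'denied'];
    }
}

// Constructed demo: a fake directory that is down for every request.
$down = function ($login, $password) { throw new Exception('LDAP unreachable'); };
$auth = new ldap_admin_auth(['admin'], $down);
var_dump($auth->validateLogin('admin', 'constructed-local-secret')[0]);
var_dump($auth->validateLogin('jdoe', 'constructed-password')[0]);
```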
(0026188)
michiel (administrator)
24-04-07 13:34

Yes, good point, I'll have a think. I'm not sure how soon I'll be able to merge it into the main code, but in the meantime we can leave it as a patch.
(0030653)
amichel (reporter)
16-08-07 22:36

I made some small changes to this patch to account for anonymous binding. Our ldap server allows anonymous binds for searching. I recreated the entire patch with my changes, so this isn't an incremental patch, it's the full contents of the original patch plus my minor contribution, all rolled into one.

I'm new to generating patch files and whatnot, so if this is wrong, do what you must.
(0050757)
goverd (reporter)
20-10-09 16:51

I recommend using strtolower when checking the login, as the uid attribute is sometimes derived from the entry's name when created in the tree and would honor the case (e.g. jdoe in phplist should match with JDoe from the ldap tree).

--- phplist_auth.inc 2009-10-20 12:50:13.000000000 -0400
+++ phplist_auth.inc.orig 2009-10-20 12:49:45.000000000 -0400
@@ -110,7 +110,7 @@
         );

       // check to see if it worked
- if (strval(strtolower($myResult[0])) == $login) {
+ if (strval($myResult[0]) == $login) {
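
Review bot: the file headers put the modified phplist_auth.inc on the --- side and phplist_auth.inc.orig on the +++ side, so the strtolower() comparison at line 110 sits on the - line and the unmodified comparison on the + line. Applied as posted, this patch removes the case folding instead of adding it. Regenerate the diff with the .orig file first so the strtolower() line carries the +.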

@@ -154,7 +154,7 @@
         );

       // check to see if it worked this time
- if (strval(strtolower($myResult[0])) == $login) {
+ if (strval($myResult[0]) == $login) {
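
Review bot: the strtolower() on the - line here (the version the comment recommends) folds only $myResult[0], while $login is compared as entered; unless $login is lowercased somewhere outside these lines, a login typed as JDoe still fails against a directory value of JDoe. Fold both sides, or use strcasecmp($myResult[0], $login) === 0. The comparison is also a loose ==, under which PHP compares two numeric-looking strings as numbers; === on the folded strings avoids that.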

