Multiple LDAP Authentication Sources

Posted: 13 May 2016 15:57
by pricosoft
Hi,

As we're using the "Linked Mailbox" feature of MS Exchange, we need to check the user across two LDAP forests.
Because of this I've now modified some PHP files to realise this.

Maybe you want to include these changes in the public release.

Changes:

- Conf.php

Code:

// LDAP settings
define('USE_LDAP',         true);
define('LDAP_SSL',         false); // set to true if using LDAP with SSL encryption
define('LDAP_PORT',        '389');
define('LDAP_DN',          'OU=Users,DC=Domain1,DC=local;OU=Users,DC=Domain2,DC=local');
define('LDAP_USER',        'LDAP UserName');
define('LDAP_PASS',        'LDAP UserPassword');
//define('LDAP_HOST',        'ldap.server.local');
//define('LDAP_SITE',        'default-site-name');
// can be set to 'proxyaddresses' or 'mail'. Please refer to your LDAP system manual for the right keyword
define('LDAP_EMAIL_FIELD', 'mail');
// Microsoft Active Directory compatibility support for searches from Domain Base DN
define('LDAP_MS_AD_COMPATIBILITY', true);
As you can see, I've commented out some entries because I did not find any use for them in functions.php.
LDAP_HOST is no longer required, as LDAP_DN is used to derive the correct LDAP server name. In Windows the domain name can be used to reach (any) domain controller.

- functions.php

Code:

function ldap_authenticate($user, $password, $ldapDN = NULL)
{
    // Default to the configured base DN(s); several may be given separated by ';'
    $ldapDN = is_null($ldapDN) ? LDAP_DN : $ldapDN;
    $ldapDNArray = explode(';', $ldapDN);
    if (count($ldapDNArray) > 1) {
        // Try each forest in turn; the first successful authentication wins
        foreach ($ldapDNArray as $ldapDNItem) {
            $ldapDNItem = trim($ldapDNItem);
            if ($ldapDNItem === '') continue;
            try {
                $retVal = ldap_authenticate($user, $password, $ldapDNItem);
                if ($retVal) return $retVal;
            } catch (Exception $e) { /* ignore exceptions here: an unreachable forest falls through to the next one */ }
        }
        return null;
    }

    // Derive the domain name from the DC= components of the base DN,
    // e.g. "OU=Users,DC=Domain1,DC=local" becomes "domain1.local"
    $ldapServer = strtolower($ldapDN);
    $temp = strpos($ldapServer, 'dc=');
    $ldapServer = substr($ldapServer, $temp);
    $ldapServer = str_replace('dc=', '.', $ldapServer);
    $ldapServer = str_replace(',', '', $ldapServer);
    if ($ldapServer[0] == '.') $ldapServer = substr($ldapServer, 1);
    /* ... */
As you can see, all LDAP servers are contacted to verify the requesting user's login.
At the first successful login the function terminates and the script can continue. If no LDAP server can authenticate the user, the default authentication will continue.
With this kind of modification you're able to use multiple LDAP servers, but also just one, for authentication.

So I think it's a nice feature and so maybe you want to include this in your public release.

Many thanks!
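Added example, not the poster's or the project's own code, showing the same multi-forest lookup with the handling a practitioner would want: the DC= components are parsed rather than string-replaced, a base DN without any DC= part is rejected, and an unreachable forest is logged instead of being silently ignored. The $bind callable and the constructed credentials are assumptions standing in for a real ldap_connect()/ldap_bind().

```php
<?php
// Added example, not the project's own code: derive the domain-controller host
// from a base DN and try each configured forest in turn, logging why a forest
// was skipped instead of silently swallowing every error.
function ldap_host_from_dn(string $dn): ?string
{
    // Keep only the DC= components: "OU=Users,DC=Domain1,DC=local" -> "domain1.local"
    $parts = [];
    foreach (explode(',', $dn) as $rdn) {
        $rdn = trim($rdn);
        if (stripos($rdn, 'dc=') === 0) {
            $parts[] = strtolower(substr($rdn, 3));
        }
    }
    return $parts ? implode('.', $parts) : null; // null: no DC components, nothing to contact
}

// $bind is a hypothetical callable standing in for ldap_connect()/ldap_bind(): it returns
// true on a successful bind, false on bad credentials, and throws when the host is unreachable.
function ldap_authenticate_multi(string $user, string $password, string $dnList, callable $bind): ?string
{
    foreach (explode(';', $dnList) as $dn) {
        $dn = trim($dn);
        if ($dn === '') continue; // tolerate "a;b;" and stray whitespace
        $host = ldap_host_from_dn($dn);
        if ($host === null) {
            error_log("LDAP: base DN '$dn' has no DC components, skipping");
            continue;
        }
        try {
            if ($bind($host, $dn, $user, $password)) {
                return $dn; // first forest that accepts the credentials wins
            }
            // false means this forest rejected the credentials: try the next one
        } catch (RuntimeException $e) {
            // an unreachable server is an availability problem, not a bad password: log and continue
            error_log("LDAP: $host unreachable: " . $e->getMessage());
        }
    }
    return null; // no forest authenticated the user; the caller falls back to local auth
}

// Constructed stand-in for the real bind: Domain1 is down, only Domain2 knows "alice".
$fakeBind = function (string $host, string $dn, string $user, string $pw): bool {
    if ($host === 'domain1.local') throw new RuntimeException('connection refused');
    return $host === 'domain2.local' && $user === 'alice' && $pw === 's3cret';
};
$dnList = 'OU=Users,DC=Domain1,DC=local; OU=Users,DC=Domain2,DC=local';
var_dump(ldap_authenticate_multi('alice', 's3cret', $dnList, $fakeBind));
var_dump(ldap_authenticate_multi('alice', 'wrong', $dnList, $fakeBind));
```

Returning the DN that accepted the login (rather than just true) lets the caller record which forest authenticated the user, which is useful when auditing logins across linked-mailbox domains.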

Re: Multiple LDAP Authentication Sources

Posted: 14 May 2016 15:44
by shawniverson

Re: Multiple LDAP Authentication Sources

Posted: 25 Oct 2016 02:12
by dbrunt
Added to and working in 3.0.0.8
:thumbup:
Next up... 3.0.1.5