SilverStripe Forums » Archive » External Authenticator

  • lancer
    57 Posts

    Re: External Authenticator

    Just added multiple source support to the trunk. It is now possible to configure several AD/LDAP/POP3/IMAP/FTP sources and have the user choose a source on login, or do a sequential check against all sources until the first success.

    This, plus extra query filter support for the LDAP driver, multi-basedn support for an individual LDAP source (already done) and default mail domains for the auto-add functionality will make up version 0.2, unless someone else has a burning desire to get some other functionality quickly. (Unit testing is scheduled for 0.3)

  • xzelan
    Community Member
    20 Posts

    Re: External Authenticator

    Hi Lancer,

    I’ve recently started using Silverstripe for my public website and really like it. Now I want to also use it for my intranet, so I’ve downloaded the Windows Installer "SilverStripeCMS-v2.2.1.exe" and successfully set that up on my computer. I also downloaded the "External Authentication (v0.2)" module so that I can authenticate against my ActiveDirectory. I've read the helpful documentation you wrote and set up my "_config.php".

    However, when I put in my user name and password on the "External Account" tab, it doesn't log in but instead returns a blank page with the url "http://localhost:3000/Security/?executeForm=LoginForm". Any help would be hugely appreciated.

    Thanks heaps,
    Xzelan

  • lancer
    57 Posts

    Re: External Authenticator

    Check your webserver error logs. I think there must be a PHP error somewhere.

    Also verify that all closing quotes and ; are present in _config.php

  • xzelan
    Community Member
    20 Posts

    Re: External Authenticator

    Thanks, I'll take a look at the log files. In case this helps, here is my _config.php file:

    <?php

    /**
    * External Authentication server definitions
    * Change the parameters below to suit your authentication server, or disable
    * this authentication method altogether
    */
    Authenticator::register_authenticator("ExternalAuthenticator");

    /**
    * Create your authentication source
    * The first parameter is the Source ID. Set this to something you deem
    * appropriate to this source. It must be unique among all authentication
    * sources, may not contain special characters or spaces and must be
    * shorter than 50 characters
    * The second parameter is the type of server.
    * At the moment LDAP, FTP, IMAP and HTTP are supported
    * The third parameter is a nice name for this source, to be shown in
    * drop-down form fields to choose the source
    *
    * You can create multiple sources with different or same types
    **/
    ExternalAuthenticator::createSource('totaleyecare','LDAP','Total Eyecare');
       
    /**
    * On login, users can choose the authentication source they want, or all
    * sources can be checked in sequence till success (or failure)
    * If this is set to true, the source selection box on the login page
    * disappears. So you might want to set this to true if you have only one
    * source.
    *
    * WARNING: If you set this to true, accounts from the different sources can
    * eclipse each other. The process stops at the first success.
    *
    * NOTE: The order in which accounts are checked depends on the order of the
    * createSource statements
    **/
    ExternalAuthenticator::setAuthSequential(false);

    /**
    * How do we call a user ID?
    * This string is informational and will appear on the login page
    */
    ExternalAuthenticator::setIdDesc('User Name');

    /**
    * Hostname of the authentication server
    * you can specify it like a normal hostname or IP number.
    * If you use SSL or TLS, use the name matching the server certificate here
    */
    ExternalAuthenticator::setAuthServer('totaleyecare','ts.totaleyecare.com.au');

    /**
    * The DN where your users reside. Be as specific as possible
    * to prevent unexpected guests in the CMS, so typically your
    * directory's base dn (o=.... or dc=....,dc=....) augmented with
    * the ou where the accounts are
    * WARNING: AD trick here. In the Unix world chances are that the users are on an OU
    * not so on AD.
    **/
    ExternalAuthenticator::setOption('totaleyecare', 'basedn', 'cn=Users,dc=totaleyecare,dc=com,dc=au');

    /**
    * LDAP protocol version to use
    * If you have TLS enabled, the version must be 3. The default is 3
    **/
    //ExternalAuthenticator::setOption('totaleyecare', 'ldapversion', 3);

    /**
    * You can use any unique attribute to authenticate as, this
    * mail, or uid, or any other unique attribute.
    *
    * SilverStripe will search the ldap for this attribute set to the ID entered
    * on the basedn and below
    **/
    ExternalAuthenticator::setOption('totaleyecare', 'attribute', 'sAMAccountName');

    /**
    * You have the possibility to auto-create non-existing users that do exist
    * within the LDAP database. Set the option below to the group name you want
    * to add the user to (case sensitive) or to false if users should not be
    * created automatically
    *
    * WARNING WARNING WARNING
    * If you do not have control over the external authentication source, you no
    * longer control who can log in. USE WITH CARE
    **/
    ExternalAuthenticator::setAutoAdd('totaleyecare', false);

    /**
    * If your directory doesn't support anonymous searches you can
    * specify an account below that will be used to search for the
    * attribute containing the user ID as (dn, passwd)
    **/
    ExternalAuthenticator::setOption('totaleyecare', 'bind_as','cn="silverstripe,cn=Users,dc=totaleyecare,dc=com,dc=au"');
    ExternalAuthenticator::setOption('totaleyecare', 'bind_pw', 'secret');

    /**
    * If you want account auto creation, you should also set the following
    **/
    ExternalAuthenticator::setOption('totaleyecare', 'firstname_attr', 'givenName');
    ExternalAuthenticator::setOption('totaleyecare', 'surname_attr', 'sn');
    ExternalAuthenticator::setOption('totaleyecare', 'email_attr', 'userPrincipalName');

  • xzelan
    Community Member
    20 Posts

    Re: External Authenticator

    I checked "lighttpd.error.log" but nothing is written to it when I try to log on. Anyway, below is the tail of the log:

    2008-04-08 08:35:30: (log.c.75) server started
    2008-04-08 08:37:34: (connections.c.296) connection closed - read failed: Software caused connection abort 113
    2008-04-08 08:56:57: (connections.c.296) connection closed - read failed: Software caused connection abort 113
    2008-04-08 08:56:58: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
    2008-04-08 08:56:58: (connections.c.1394) returning the original status 404
    2008-04-08 08:56:58: (connections.c.1396) If this is a rails app: check your production.log
    2008-04-08 10:35:45: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
    2008-04-08 10:35:45: (connections.c.1394) returning the original status 404
    2008-04-08 10:35:45: (connections.c.1396) If this is a rails app: check your production.log
    2008-04-08 10:35:45: (connections.c.296) connection closed - read failed: Software caused connection abort 113

  • lancer
    57 Posts

    Re: External Authenticator

    Hmmm, I don't like the messages about the error handler. During login the external authentication module does something with the error handler to prevent it from intercepting LDAP error messages. (So we can create nice output, instead of an error screen)

    1) Does your php have LDAP support compiled in (or as a module)? On Linux it is dependent on openldap libs and sasl libs, so those should be on your system as well I suppose
    2) You could try to comment out all lines with
    restore_error_handler();
    and
    Debug::loadErrorHandlers();
    in auth_external/code/drivers/LDAP.php
    to see if you get error messages then.
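
A preflight check for the questions raised in the reply above (is the PHP LDAP extension loaded, is the source definition well formed), as an added example that is not part of the original post or of the auth_external module. The `tls` key is an assumption of this example; `basedn`, `bind_as` and `ldapversion` are option names from the posted `_config.php`, and the sample values are constructed.

```php
<?php
// Added example, not part of the auth_external module.
// 'tls' is an assumed key; the other keys are options from the posted config.

/** Return a list of problems with one LDAP source definition (empty = ok). */
function preflight(array $src): array
{
    $problems = [];
    // Without the extension the first ldap_* call is a fatal error, which
    // shows up as a blank page when display_errors is off.
    if (!extension_loaded('ldap')) {
        $problems[] = 'PHP ldap extension is not loaded';
    }

    foreach (['basedn', 'bind_as'] as $key) {
        $dn = $src[$key] ?? '';
        if ($dn === '') {
            continue; // bind_as is optional when anonymous search is allowed
        }
        if (strpos($dn, '"') !== false) {
            $problems[] = "$key contains a double quote: $dn";
        }
        // Every component must look like attr=value; split on unescaped commas.
        foreach (preg_split('/(?<!\\\\),/', $dn) as $rdn) {
            if (!preg_match('/^\s*[A-Za-z0-9.-]+\s*=\s*\S/', $rdn)) {
                $problems[] = "$key has a malformed component: $rdn";
            }
        }
    }

    // A simple bind without TLS sends bind_pw and user passwords unencrypted.
    if (empty($src['tls'])) {
        $problems[] = 'TLS is not enabled for this source';
    }
    if (!empty($src['tls']) && (int) ($src['ldapversion'] ?? 3) !== 3) {
        $problems[] = 'TLS requires ldapversion 3';
    }
    return $problems;
}

// Constructed sample source; the stray quotes in bind_as are deliberate.
$sample = [
    'basedn'  => 'cn=Users,dc=example,dc=com',
    'bind_as' => 'cn="svc,cn=Users,dc=example,dc=com"',
    'tls'     => false,
];
foreach (preflight($sample) as $problem) {
    echo "PROBLEM: $problem\n";
}
```

Run it with the command-line binary of the same PHP build the web server uses, since a separately installed CLI may load a different set of extensions.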

  • xzelan
    Community Member
    20 Posts

    Re: External Authenticator

    I'm using the pre-configured lighttpd I downloaded from Silverstripe. Unfortunately, I haven't used lighttpd or php before so I don't know if it has LDAP support compiled in...

    However, I did comment out all lines with restore_error_handler(); and Debug::loadErrorHandlers(); in auth_external/code/drivers/LDAP.php and did a http://localhost:3000/db/build?flush=1

    This is what appeared in the log:

    2008-04-08 12:10:30: (log.c.75) server started
    2008-04-09 12:13:50: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
    2008-04-09 12:13:50: (connections.c.1394) returning the original status 404
    2008-04-09 12:13:50: (connections.c.1396) If this is a rails app: check your production.log
    2008-04-09 12:13:53: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
    2008-04-09 12:13:53: (connections.c.1394) returning the original status 404
    2008-04-09 12:13:53: (connections.c.1396) If this is a rails app: check your production.log

  • lancer
    57 Posts

    Re: External Authenticator

    Unfortunately, I have no Windows PC available at the moment and I'm at a conference. I'll try and have a look next week, to see if LDAP support is compiled in.

    (Unless someone at the forum knows already....)
