Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Archive /

Our old forums are still available as a read-only archive.

Moderators: martimiz, Sean, biapar, Willr, Ingo, simon_w

External Authenticator


Reply


53 Posts   63317 Views

Avatar
lancer

57 Posts

15 January 2008 at 12:52am

Just added multiple source support to the trunk. It is now possible to configure several AD/LDAP/POP3/IMAP/FTP sources and have the user choose a source on login, or do a sequential check against all sources until the first success.

This, plus extra query filter support for the LDAP driver, multi-basedn support for an individual LDAP source (already done) and default mail domains for the auto-add functionality will make up version 0.2, unless someone else has a burning desire to get some other functionality quickly. (Unit testing is scheduled for 0.3)

Avatar
xzelan

Community Member, 20 Posts

7 April 2008 at 6:03pm

Hi Lancer,

I’ve recently started using Silverstripe for my public website and really like it. Now I want to also use it for my intranet, so I’ve downloaded the Windows Installer "SilverStripeCMS-v2.2.1.exe" and successfully set that up on my computer. I also downloaded the "External Authentication (v0.2)" module so that I can authenticate against my ActiveDirectory. I've read the helpful documentation you wrote and setup my "_config.php".

However, when I put in my user name and password on the "External Account" tab, it doesn't log in but instead returns a blank page with the url "http://localhost:3000/Security/?executeForm=LoginForm". Any help would be hugely appreciated :)

Thanks heaps,
Xzelan

Avatar
lancer

57 Posts

7 April 2008 at 6:09pm

Check your webserver error logs. I think there must be a PHP error somewhere.

Also verify that all closing quotes and ; are present in _config.php

Avatar
xzelan

Community Member, 20 Posts

8 April 2008 at 12:15pm

Thanks I'll take a look at the log files. In case this helps, here is my _config.php file:

<?php

/**
* External Authentication server definitions
* Change the parameters below to suit your authentication server, or disable
* this authentication method altogether
*/
Authenticator::register_authenticator("ExternalAuthenticator");

/**
* Create your authentication source
* The first parameter is the Source ID. Set this to something you deem
* approriate to this source. It must be unique among all authentication
* sources, may not contain special characters or spaces and must be
* shorter that 50 characters
* The second parameters is the type of server.
* At the moment LDAP, FTP, IMAP and HTTP are supported
* The third parameter is a nice name for this source, to be showed in
* drop-down form fields to choose the source
*
* You can create multiple sources with different of same types
**/
ExternalAuthenticator::createSource('totaleyecare','LDAP','Total Eyecare');
   
/**
* On login, users can choose the authentication source they want, or all
* sources can be checked in sequence till success (or failure)
* In this is set to true, the source selection box on the login page
* disappears. So you might want to set this to true if you have only one
* source.
*
* WARNING: If you set this to true, accounts from the different sources can
* eclipse eachother. The process stops at the first success.
*
* NOTE: The order in which accounts are checked depends on the order of the
* createSource statements
**/
ExternalAuthenticator::setAuthSequential(false);

/**
* How do we call a user ID?
* This string is informational and will appear on the login page
*/
ExternalAuthenticator::setIdDesc('User Name');

/**
* Hostname of the authentication server
* you can specify it like a normal hostname or IP number.
* If you use SSL or TLS, use the name matching the server certificate here
*/
ExternalAuthenticator::setAuthServer('totaleyecare','ts.totaleyecare.com.au');

/**
* The DN where your users reside. Be as specific as possible
* to prevent unexpected guests in the CMS, so typically your
* directory's base dn (o=.... or dc=....,dc=....) augmented with
* the ou where the accounts are
* WARNING: AD trick here. In the Unix world chances are that the users are on an OU
* not so on AD.
**/
ExternalAuthenticator::setOption('totaleyecare', 'basedn', 'cn=Users,dc=totaleyecare,dc=com,dc=au');

/**
* LDAP protocol version to use
* If you have TLS enabled, the version must be 3. The default is 3
**/
//ExternalAuthenticator::setOption('totaleyecare', 'ldapversion', 3);

/**
* You can use any unique attribute to authenticate as, this
* mail, or uid, or any other unique attribute.
*
* SilverStripe will search the ldap for this attribute set to the ID entered
* on the basedn and below
**/
ExternalAuthenticator::setOption('totaleyecare', 'attribute', 'sAMAccountName');

/**
* You have to possibility to auto create non existing users that do exists
* within the LDAP database. Set the option below to the group name you want
* to add the user to (case sensitive) or to false if users should not be
* created automatically
*
* WARNING WARNING WARNING
* If you do not have control over the external authentication source, you no
* longer control who can log in. USE WITH CARE
**/
ExternalAuthenticator::setAutoAdd('totaleyecare', false);

/**
* If your directory doesn't support anonymous searches you can
* specify an account below that will be used to search for the
* attribute containing the user ID as (dn, passwd)
**/
ExternalAuthenticator::setOption('totaleyecare', 'bind_as','cn="silverstripe,cn=Users,dc=totaleyecare,dc=com,dc=au"');
ExternalAuthenticator::setOption('totaleyecare', 'bind_pw', 'secret');

/**
* If you want account auto creation, you should also set the following
**/
ExternalAuthenticator::setOption('totaleyecare', 'firstname_attr', 'givenName');
ExternalAuthenticator::setOption('totaleyecare', 'surname_attr', 'sn');
ExternalAuthenticator::setOption('totaleyecare', 'email_attr', 'userPrincipalName');

Avatar
xzelan

Community Member, 20 Posts

8 April 2008 at 12:51pm

I checked "lighttpd.error.log" but nothing is written to it when I try to log on. Anyway, below is the tail of the log:

2008-04-08 08:35:30: (log.c.75) server started
2008-04-08 08:37:34: (connections.c.296) connection closed - read failed: Software caused connection abort 113
2008-04-08 08:56:57: (connections.c.296) connection closed - read failed: Software caused connection abort 113
2008-04-08 08:56:58: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
2008-04-08 08:56:58: (connections.c.1394) returning the original status 404
2008-04-08 08:56:58: (connections.c.1396) If this is a rails app: check your production.log
2008-04-08 10:35:45: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
2008-04-08 10:35:45: (connections.c.1394) returning the original status 404
2008-04-08 10:35:45: (connections.c.1396) If this is a rails app: check your production.log
2008-04-08 10:35:45: (connections.c.296) connection closed - read failed: Software caused connection abort 113

Avatar
lancer

57 Posts

8 April 2008 at 6:45pm

Hmmm, I don't like the messages about the error handler. During login the external authentication module does something with the error handler to prevent it from intercepting LDAP error messages. (So we can create nice output, instead of an error screen)

1) Does your php have LDAP support compiled in (or as a module)? On Linux it is dependent on openldap libs and sasl libs, so those should be on your system as well I suppose
2) You could try to comment out all lines with
restore_error_handler();
and
Debug::loadErrorHandlers();
in auth_external/code/drivers/LDAP.php
to see if you get error messages then.

Avatar
xzelan

Community Member, 20 Posts

9 April 2008 at 2:17pm

I'm using the pre-configured lighttpd I downloaded from Silverstripe. Unfortunately, I haven't used lighttpd or php before so I don't know if it has LDAP support compiled in...

However, I did comment out all lines with restore_error_handler(); and Debug::loadErrorHandlers(); in auth_external/code/drivers/LDAP.php and did a http://localhost:3000/db/build?flush=1

This is what appeared in the log:

2008-04-08 12:10:30: (log.c.75) server started
2008-04-09 12:13:50: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
2008-04-09 12:13:50: (connections.c.1394) returning the original status 404
2008-04-09 12:13:50: (connections.c.1396) If this is a rails app: check your production.log
2008-04-09 12:13:53: (connections.c.1392) Warning: Either the error-handler returned status 404 or the error-handler itself was not found: /sapphire/main.php
2008-04-09 12:13:53: (connections.c.1394) returning the original status 404
2008-04-09 12:13:53: (connections.c.1396) If this is a rails app: check your production.log

Avatar
lancer

57 Posts

11 April 2008 at 3:44am

Unfortunately, I have no Windows PC available at the moment and I'm at a conference. I'll try and have a look next week, to see if LDAP support is compiled in.

(Unless someone at the forum knows already....)