Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Customising the CMS

LDAP/Active Directory Authentication for SilverStripe 3.0.1


Go to End
Reply

9 Posts   2677 Views

Avatar
B00mtastik™

27 August 2012 at 10:59am Community Member, 18 Posts

Hello to all fellow SilverStripers,

I was wondering if anyone out there has managed to get this working whether with or without a module, the current module to support this was the 'auth_external' module, but hasn't been updated to suit the new version, as the last version it ran on properly was 2.3 and 2.4.

I am currently trying to create this for my company intranet as they are based on Microsoft Exchange, but the web server I am working on is a Ubuntu Server which we want to keep separate from all else, and so is running on Apache. I'm still very new to SilverStripe so am getting the hang of it slowly. :)

Thanks for any help in advanced.

-B00mer

Avatar
svandragt

4 September 2012 at 10:33pm Community Member, 44 Posts

I'm looking at this also at the moment. I've only had half an hour to look at the moment, and I can see there is some changes needed.
I found what seems to be the latest version at https://github.com/hamishcampbell/silverstripe-auth-external (on the silverstripe modules page, I could only find a svn link, which is older).

However after installing this, following the installation instructions and running /dev/build there are deprecation error, indicating that this code has not been updated at all for SS3:

DataObjectDecorator is deprecated. DataObjectDecorator is deprecated. Use DataExtension instead.

Strict Standards: Declaration of ExternalAuthenticatedRole::canEdit() should be compatible with that of DataExtension::canEdit() in auth_external\code\ExternalAuthenticatedRole.php on line 16

Strict Standards: Declaration of ExternalAuthenticatedRole::extraStatics() should be compatible with that of DataExtension::extraStatics() in auth_external\code\ExternalAuthenticatedRole.php on line 16

Strict Standards: Declaration of ExternalAuthenticatedRole::updateCMSFields() should be compatible with that of DataExtension::updateCMSFields() in auth_external\code\ExternalAuthenticatedRole.php on line 16

You turn off this deprecation error (not fix the code, mind) you can open the framework/_config file and change line 60 to:

Deprecation::notification_version('3.0.0-dev');

Now the login box shows up, after submitting the login however there's another deprecation error:

Director::redirect is deprecated. Use Controller->redirect() instead. Called from ExternalLoginForm->dologin.

At this point I concluded that it's better use of my time to see if someone else has got this working, or attempt to fix the module myself. Hope this helps, keep me updated.

Avatar
B00mtastik™

5 September 2012 at 10:08am Community Member, 18 Posts

Hey mate,

Thanks for posting this, as it did help in the sense that I came to the same conclusions and came across the same deprecation messages.

I'm still a fair bit off from being able to rewrite this module to suit SilverStripe 3.0 but I think I'm going to attempt it anyways until I see something better, or the module is updated, or (unlikely) I manage to get the module working. Correctly mind you.

Good luck!

-B00mer

Avatar
svandragt

6 September 2012 at 3:53am Community Member, 44 Posts

I'll be trying to fork the github project and submit a pull request for any (if any) fixes. Keep us updated with any progress :)

Avatar
svandragt

12 September 2012 at 3:14am (Last edited: 12 September 2012 8:06pm), Community Member, 44 Posts

I've got some success, I am able to login to Silverstripe using my ActiveDirectory credentials.

This has only been tested by me.
I've submitted a pull request for the code changes: https://github.com/hamishcampbell/silverstripe-auth-external/pull/9

I'm using the following _config.php, this automatically creates user accounts and keeps them synced, make sure that any content authors are added to the SilverstripeContentAuthors Active Directory group in this case:

<?php
Authenticator::register_authenticator('ExternalAuthenticator');
ExternalAuthenticator::setUseAnchor(true);
ExternalAuthenticator::setAnchorDesc('Username');
ExternalAuthenticator::createSource('activedirectory','LDAP','Active Directory');
ExternalAuthenticator::setAuthSSLock('activedirectory',false);
ExternalAuthenticator::setAuthServer('activedirectory','<domaincontroller>');
ExternalAuthenticator::setOption('activedirectory', 'basedn', '<domaincontroller object name>');
ExternalAuthenticator::setOption('activedirectory', 'attribute', 'sAMAccountName');
ExternalAuthenticator::setOption('activedirectory', 'extra_attributes', array(
'objectclass' => 'user',
));
ExternalAuthenticator::setOption('activedirectory', 'passwd_expiration', true);
ExternalAuthenticator::setAutoAdd('activedirectory', true);
ExternalAuthenticator::setDefaultDomain('activedirectory', '<domain>');
ExternalAuthenticator::setOption('activedirectory', 'firstname_attr', 'givenName');
ExternalAuthenticator::setOption('activedirectory', 'surname_attr', 'sn');
ExternalAuthenticator::setOption('activedirectory', 'email_attr', 'mail');
ExternalAuthenticator::setOption('activedirectory', 'group_attr', 'memberOf');
ExternalAuthenticator::setAutoAdd('activedirectory', array(
'SilverstripeContentAuthors' => 'content-authors',
)
);
ExternalAuthenticator::setOption('activedirectory', 'bind_as','<cn for account>');
ExternalAuthenticator::setOption('activedirectory', 'bind_pw','<password>');

For information on the options see the _config.php that comes with the module.

Avatar
B00mtastik™

12 September 2012 at 4:36pm Community Member, 18 Posts

Mate that is some good news indeed! I shall pull down your files from github and give them a try with the _config.php settings you've shown but customed to what I need and get back to you on how they worked. It'll be a few days as I'm out on the road and get a chance to implement your changes but hopefully by either Friday or Monday I can have something to say about how my test run goes!

Cheers for this.

-B00mer

Avatar
radic

19 September 2013 at 4:35pm Community Member, 3 Posts

Hi guys,

I am evaluating to see if SilverStripe will be a valid option for us at the moment. I wanted to make sure that there is some support for LDAP either through a module or any other way.

I found this thread and I thought it might be good to ask you guys about it. Can anybody confirm to me if this module that is discussed here works with the latest version of SilverStripe which at the moment is 3.0.5?

Thanks

Avatar
svandragt

19 September 2013 at 10:21pm (Last edited: 19 September 2013 10:24pm), Community Member, 44 Posts

RE COMPATIBILITY
auth_external as you can tell from the Github repo readme is compatible with 3.0+, unfortunately not yet with 3.1. My patches so far have been accepted and I now have direct repo access now. Make sure you use https://github.com/hamishcampbell/silverstripe-auth-external

We're using it for several silverstripe sites at the college I work for, using Silverstripe 3.0.5 and it's working without any problems. if you are experiencing any problems please file an issue on https://github.com/hamishcampbell/silverstripe-auth-external/issues?state=open

RE 3.1 SUPPORT
Once we start moving to 3.1 (probably when other modules require it) I would suggest to branch the current version into a 3.0 compatible branch and supporting both 3.0 and 3.1.

I'm happy to accept patches if you'd like to contribute, I could start the branch process with a bit of notice before being able to develop on it.

RE YOUR SETUP
We are using silverstripe with the auth_external on a linux ubuntu server (with apache) in a Microsoft domain with Active Directory.

Hope that helps.

Go to Top