The goal is to have BE and FE users validated by LDAP and not Typo3.
We have chosen to use the TYPO3 extension ldap_auth.
ldap_auth 0.2.1
ldap_lib 0.2.0
ldap_server 0.2.1
Typo3 version 4.2.9
PHP Version 5.2.5
First, ldap_auth uses only the short PHP open tag "<?" rather than "<?php", which means that you must set "short_open_tag = on" in php.ini.
Furthermore, PHP must be compiled with LDAP support.
Follow the various guides to setup ldap_server and ldap_auth.
Remember to keep an admin user with a username that is not in LDAP, so you can still enter the system when LDAP fails.
Next, I recommend that you get familiar with the LDAP structure using ldapsearch, i.e.:
typo3:# ldapsearch -x -h LDAP-domain.com -b ou=<users>,o=<organisation>
and perhaps with a filter:
typo3:# ldapsearch -x -h LDAP-domain.com -b ou=<users>,o=<organisation> "(&(objectClass=*)(uid=<username>))"
These are very useful to verify the configuration of ldap_server.
Next, I recommend that you start a tcpdump when trying to login:
typo3:# tcpdump host <LDAP-domain.com> -w /tmp/ldap.pcap -s 1400
Open the file in Wireshark and analyse the communication. The password is sent in clear text to the LDAP server, and the LDAP server's response is also easy to find.
Look for:
LDAPMessage bindRequest(1) "cn=<username>,ou=users,o=<organisation>" simple
and a response to this:
LDAPMessage bindResponse(1) success
and not:
LDAPMessage bindResponse(1) invalidCredentials (NDS error: failed authentication (-669))
Your error might differ depending on the LDAP server used. Also note that there can be more than one bindRequest, bindResponse and unbindRequest.
Once you've come this far, you know that:
1. TYPO3 sends the username and password to the LDAP server
2. and that you can successfully use basic LDAP authentication.
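To avoid reading the trace by hand when there are several binds, here is a small Python script (an added example, not part of the original post) that pairs the bindRequest and bindResponse lines from a Wireshark text export of the capture and counts the outcomes. The capture lines are constructed, and the message summary format is assumed to match the LDAPMessage lines quoted above.

```python
"""Pair LDAP bindRequest/bindResponse lines from a Wireshark text export."""
import re
from dataclasses import dataclass

# Same shape as the LDAPMessage summary lines quoted above (assumed Wireshark format).
BIND_REQ = re.compile(r'bindRequest\((\d+)\)\s+"([^"]*)"\s+(\w+)')
BIND_RESP = re.compile(r'bindResponse\((\d+)\)\s+(\w+)(?:\s+\((.*)\))?')

@dataclass
class BindExchange:
    msg_id: int
    bind_dn: str
    method: str        # "simple": the password crosses the wire in clear unless TLS is used
    result: str = ""   # "success", "invalidCredentials", ...; "" while unanswered
    detail: str = ""   # server-specific text, e.g. the NDS error quoted above

def parse_bind_exchanges(lines):
    """Message IDs restart on every TCP connection, so a bindResponse is matched to
    the most recent still-unanswered bindRequest with the same ID."""
    exchanges, pending = [], {}
    for line in lines:
        m = BIND_REQ.search(line)
        if m:
            ex = BindExchange(int(m.group(1)), m.group(2), m.group(3))
            exchanges.append(ex)
            pending[ex.msg_id] = ex  # an older unanswered bind with this ID stays unanswered
            continue
        m = BIND_RESP.search(line)
        if m and int(m.group(1)) in pending:
            ex = pending.pop(int(m.group(1)))
            ex.result, ex.detail = m.group(2), m.group(3) or ""
    return exchanges

def bind_summary(lines):
    """Outcome counts, plus how many binds used the simple (clear-text) method."""
    summary = {"simple": 0, "unanswered": 0}
    for ex in parse_bind_exchanges(lines):
        if ex.method == "simple":
            summary["simple"] += 1
        key = ex.result or "unanswered"
        summary[key] = summary.get(key, 0) + 1
    return summary

# Constructed sample (not a real trace): one successful login, then one failed one.
SAMPLE_CAPTURE = """\
LDAPMessage bindRequest(1) "cn=jdoe,ou=users,o=example" simple
LDAPMessage bindResponse(1) success
LDAPMessage unbindRequest(2)
LDAPMessage bindRequest(1) "cn=jdoe,ou=users,o=example" simple
LDAPMessage bindResponse(1) invalidCredentials (NDS error: failed authentication (-669))
LDAPMessage unbindRequest(2)
""".splitlines()
```

Feed it the output of a Wireshark export (File > Export Packet Dissections > as Plain Text) or the equivalent tshark summary; a non-zero "unanswered" count or any "invalidCredentials" entry is what to chase before touching the ldap_server configuration.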
Then you must ensure that your ldap_server configuration is in order. I had to debug code in ldap_server to get mine to work.
In addition to what was written in the manual, I had to add
BEusers = LDAP_SYNC
BEusers {
........
sync < BEusers
........
}
before my configuration would work.
I also use the following to ensure that users authorized by LDAP are admins in Typo3.
BEusers = LDAP_SYNC
BEusers {
fields {
admin = MAP_OBJECT
admin.attribute = uid
admin.userFunc.defaultValue = 1
admin.userFunc = tx_ldapserver->setDefaultValue
}
}
The complete configuration is the following:
BEusers = LDAP_SYNC
BEusers {
enable = 1
table = be_users
basedn = ou=users,o=<organisation>
handleNotFound = 1
handleNotFound {
delete = 1
}
pid = root
filter =(&(objectClass=inetOrgPerson)(groupMembership=cn=staff,ou=groups,o=<organisation>))
uniqueField = tx_ldapserver_dn
fields {
username = MAP_OBJECT
username.attribute = uid
username.userFunc = tx_ldapserver->getSingleValue
tx_ldapserver_dn = MAP_OBJECT
tx_ldapserver_dn.special = DN
admin = MAP_OBJECT
admin.attribute = uid
admin.userFunc.defaultValue = 1
admin.userFunc = tx_ldapserver->setDefaultValue
usergroup = MAP_OBJECT
usergroup.attribute = uid
usergroup.userFunc.defaultValue = 2
usergroup.userFunc = tx_ldapserver->setDefaultValue
lang = MAP_OBJECT
lang.attribute = uid
lang.userFunc.defaultValue = dk
lang.userFunc = tx_ldapserver->setDefaultValue
options = MAP_OBJECT
options.attribute = uid
options.userFunc.defaultValue = 3
options.userFunc = tx_ldapserver->setDefaultValue
realName = MAP_OBJECT
realName.attribute = givenName
realName.userFunc = tx_ldapserver->getSingleValue
fileoper_perms = MAP_OBJECT
fileoper_perms.attribute = uid
fileoper_perms.userFunc.defaultValue = 7
fileoper_perms.userFunc = tx_ldapserver->setDefaultValue
workspace_perms = MAP_OBJECT
workspace_perms.attribute = uid
workspace_perms.userFunc.defaultValue = 3
workspace_perms.userFunc = tx_ldapserver->setDefaultValue
workspace_preview = MAP_OBJECT
workspace_preview.attribute = uid
workspace_preview.userFunc.defaultValue = 1
workspace_preview.userFunc = tx_ldapserver->setDefaultValue
email = MAP_OBJECT
email.attribute = mail
email.userFunc = tx_ldapserver->getSingleValue
}
sync < BEusers
}
BEauth = LDAP_AUTH
BEauth {
enable = 1
table = be_users
sync < BEusers
}
Maybe someone can explain why "sync < BEusers" is needed in my LDAP_SYNC object?
By: dsgf13@yahoo.com Saturday, 09-01-10 08:25
The information here is really helpful.