[Working] LDAP and Gallery 1.5.2
|
pkarjala
Joined: 2005-06-14
Posts: 65 |
Posted: Tue, 2005-06-14 20:48
|
|
I am currently working on writing an LDAP integration into Gallery 1.5 that will alter the creation and handling of user account names and passwords in order to verify it against LDAP instead of the Gallery User DB. We're going to be hosting Gallery on an Apache server that will have direct local access to the LDAP server. At this time I've already written the LDAP verification method in PHP (against Netscape LDAP protocol v3) and I'm looking at the Gallery PHP code to do the following: 1. Remove the registration option completely. This is easily done by not allowing users to self-register via the built-in gallery settings. However, the ability to self-register is necessary for the method below. Thus, we basically just want to remove the Register button, not the code behind it. 2. Use only the login screen for getting into Gallery, and plug the self-registration into this part. This looks like the following abstraction:
// Username and Password are the same as the user's email username ( [username]@domain.com ) and password.
Authenticate = Login(Username, Password);
if(Authenticate)
{
UserExsists = SearchForUserInGallery(Username);
if(UserExsists)
{
LoginToGallery();
}
else
{
Create = AskToCreateUser();
if(Create)
{
CreateNewUser(Username, Password, FirstnameFromLDAP + LastNameFromLDAP);
}
else
{
exit();
}
}
}
else
{
handleAuthenticateError(ErrorMessageID);
}
To sum up, the user logs in with their Email username and password. The LDAP script authenticates this info against the LDAP server. If the info is not correct, it kicks back to the user with an error message. If it is correct, it checks the Gallery User DB to see if that user exsists. If they do, it logs them in. If they do not, it prompts the user to ask if they wish to create a new Gallery account with the username and password they provided. If they click yes, it creates the account using the First and Last Name from LDAP and logs them in. If they click no, it kicks them back out to the Login screen. The only exception to this is the Admin account. By removing the "Register" button and rolling the self-registration feature into the "Login" button, we enable the user to do everything needed through just one button click. 3. Not allow users to change their passwords in Gallery. If they do, it will be different from the LDAP password, which is what we want to avoid. This could be done by removing the Preferences button after the user has logged in, as the only thing that would be modified by the user would have already been handled by LDAP. The only other change we'd need to worry about would be if the user had a name change. It could either be written to check the LDAP info versus the Gallery info each time the user logs in, or just change the info in Gallery on a case-by-case basis. I am looking through the Gallery code right now, and am beginning to understand the basics of the registration and user account management. The main thing I'm looking for is how to search to see if a user currently has a Gallery account. Any assistance is greatly appreciated! I'll post here as the project continues. |
|
Posts: 65
Have disabled the Preferences and Registration buttons by commenting out the following lines of code in .\gallery\albums.php:
if ($gallery->userDB->canModifyUser()) { $iconText = getIconText('yast_sysadmin.gif', _("preferences")); $iconElements[] = popup_link($iconText, "user_preferences.php", false, true, 500, 500); } ... if (!strcmp($gallery->app->selfReg, 'yes')) { $iconText = getIconText('yast_sysadmin2.gif', _("register")); $iconElements[] = popup_link($iconText, "register.php", false, true, 500, 500); }Note that the gallery user information can still be changed if you login as the administrator and use the admin tools.
Posts: 65
I've made further progress, and now have the LDAP authentication up and working within Gallery. On the test install, if a user has an exsisting Gallery account, and logs in using their LDAP username and password, it will allow them to log in to Gallery.
However, I've run into a bit of a snag for creating Gallery accounts for users who log in via their LDAP info, but do not yet have an account in Gallery.
Where can I find the code for the method makeFormIntro(); ?
Posts: 65
Alright, a day and much soda later, further progress.
I've been migrating the registration methods from .\gallery\register.php over into .\gallery\login.php in order to allow all users to automatically be registered when they login to Gallery IFF they have certain LDAP roles (administrator, teacher, etc.). Otherwise, it will not allow them to log in and kick back an error.
This should be completed by tomorrow, at which point I'll polish the formatting and comments then zip up the files with instructions and post them for others to pick at.
Posts: 65
Everything is done...except that the user is not properly being created by the script. I'm using the same block of code as listed in .\gallery\register.php, but it is not allowing the user's creation for some reason.
Is there anything that the following block of code from .\gallery\register.php uses to create accounts that I'm missing?
if (!$errorCount) { $password = generate_password(10); $tmpUser = new Gallery_User(); $tmpUser->setUsername($uname); $tmpUser->setPassword($password); $tmpUser->setFullname($fullname); $tmpUser->setCanCreateAlbums(($gallery->app->selfRegCreate == 'yes')); $tmpUser->setEmail($email); $tmpUser->origEmail=$email; $tmpUser->log("self_register"); $tmpUser->setDefaultLanguage($defaultLanguage); $msg = ereg_replace("!!PASSWORD!!", $password, ereg_replace("!!USERNAME!!", $uname, ereg_replace("!!FULLNAME!!", $fullname, ereg_replace("!!NEWPASSWORDLINK!!", $tmpUser->genRecoverPasswordHash(), welcome_email())))); $logmsg = sprintf(_("%s has registered. Email has been sent to %s."), $uname, $email); $logmsg2 = sprintf("%s has registered. Email has been sent to %s.", $uname, $email); if ($logmsg != $logmsg2) { $logmsg .= " <<<<>>>>> $logmsg2"; } if (gallery_mail($email, _("Gallery Self Registration"),$msg, $logmsg)) { $tmpUser->save(); echo "<p>".sprintf(_("An email has been sent to %s."), $email); echo '<br>'; echo _("Your account information is contained within the email."); } else { echo gallery_error(_("Email could not be sent. Please contact gallery administrator to register on this site")); } ?> <br><br> <form> <input type="button" value="<?php echo _("Dismiss") ?>" onclick='parent.close()'> </form> </center> </body> </html> <?php exit(); }Posts: 65
Found it-- Didn't have $tempUser->save(); moved over into the new registration module. Moving now and testing.
Posts: 65
Project completed. Currently testing the Gallery in-house and cleaning up error testing code, etc. I will be posting the instructions on how to set this up later on today after writing local documentation.
Posts: 65
INSTRUCTIONS (Updated for 1.5.2)
In order to set up this, you will need to edit the PHP files in the .\Gallery\ directory. This was developed on Apache 2.0.54 / PHP 5.0.4 / Windows XP SP1. It has also been tested and verified on IIS 6.0 / PHP 4.4.0 / Windows Server 2003. Your mileage may vary with different operating system / server configurations.
Step 1: Back up the original Gallery Files
Make a copy of the following files: .\Gallery\Albums.php and Login.php. Store these in a safe location outside of the .\Gallery directory.
Step 2: Edit Albums.php using a plain text editor to prevent registration and changing preferences by user.
Please change the following lines of code as directed.
Find and replace (removes the new album button; allows only admin to create new albums on top album page):
/* if ($gallery->user->canCreateAlbums() && !$gallery->session->offline) { $iconText = getIconText('folder_new.gif', gTranslate('core', "new album")); $iconElements[] = '<a href="' . doCommand("new-album", array(), "view_album.php") .'">'. $iconText .'</a>'; } */ if ($gallery->user->isAdmin() && !$gallery->session->offline) { $iconText = getIconText('folder_new.gif', gTranslate('core', "new album")); $iconElements[] = '<a href="' . doCommand("new-album", array(), "view_album.php") .'">'. $iconText .'</a>'; }Find and comment out (removes the user preferences button; admins can still change preferences):
if ($gallery->userDB->canModifyUser()) { $iconText = getIconText('yast_sysadmin.gif', gTranslate('core', "preferences")); $iconElements[] = popup_link($iconText, "user_preferences.php", false, true, 500, 500); }Find and comment out (removes the registration button; this is instead done through the integrated LDAP login):
if (!strcmp($gallery->app->selfReg, 'yes')) { $iconText = getIconText('yast_sysadmin2.gif', gTranslate('core', "register")); $iconElements[] = popup_link($iconText, "register.php", false, true, 500, 500); }Step 3: Edit the contents of Login.php
You will need to change settings where appropriate to connect to your LDAP server. I have typed items that should be changed in ALL CAPS.
Find the following block of code:
if (!empty($username) && !empty($gallerypassword)) { $tmpUser = $gallery->userDB->getUserByUsername($username); if ($tmpUser && $tmpUser->isCorrectPassword($gallerypassword)) { // User is successfully logged in, regenerate a new // session ID to prevent session fixation attacks createGallerySession(true); // Perform the login $tmpUser->log("login"); $tmpUser->save(); $gallery->session->username = $username; gallery_syslog("Successful login for $username from " . $_SERVER['REMOTE_ADDR']); if ($tmpUser->getDefaultLanguage() != "") { $gallery->session->language = $tmpUser->getDefaultLanguage(); } if (!$gallery->session->offline) { dismissAndReload(); } else { echo '<span class="error">'. _("SUCCEEDED") . '</span><p>'; return; } } else { $error=_("Invalid username or password"); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } } elseif (!empty($login)) { $error=_("Please enter username and password."); }Replace this with the following (warning, this is long):
if (!empty($username) && !empty($gallerypassword)) { //------------------------------------------CODE MODIFIED HERE PK 20060123---------------------------------------------------// // We will need to set up the LDAP authentication method here to check if the user exsists in LDAP. // First, we always let the gallery administrator login using the normal Gallery interface. if($username == 'admin'){ // This Code Block is the original Gallery 1.5.2 code as supplied by the install------------------------------- $tmpUser = $gallery->userDB->getUserByUsername($username); if ($tmpUser && $tmpUser->isCorrectPassword($gallerypassword)) { // User is successfully logged in, regenerate a new // session ID to prevent session fixation attacks createGallerySession(true); // Perform the login $tmpUser->log("login"); $tmpUser->save(); $gallery->session->username = $username; gallery_syslog("Successful login for $username from " . $_SERVER['REMOTE_ADDR']); if ($tmpUser->getDefaultLanguage() != "") { $gallery->session->language = $tmpUser->getDefaultLanguage(); } if (!$gallery->session->offline) { dismissAndReload(); } else { echo '<span class="error">'. _("SUCCEEDED") . '</span><p>'; return; } } else { $error=_("Invalid username or password"); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } // End Code Block--------------------------------------------------------------------------------------------- } elseif ($ldapConnection=ldap_connect('SERVER', 'PORT')) { // echo "<p>LDAP Connection is " . $ldapConnection . "</p>"; // Before we can bind to the LDAP server, we need to format the username so that it // is the proper path for the LDAP server. This may vary depending on server configuration, // but is generally along the following format: // uid=[username],ou=People,o=Server $bindUserName = "uid=" . $username . ",ou=People,o=SERVER,o=cp"; // echo "<p>Binding to LDAP server using " . $bindUserName . " ...</p>"; // Next, we bind with the adjusted username and password $ldapBind = @ldap_bind($ldapConnection, $bindUserName, $gallerypassword); // echo "<p>LDAP Bind is " . $ldapBind . "</p>"; if($ldapBind) { // If we've bound to LDAP, then the authentication of the user was successful. // We then need to see if the user exsists in the Gallery database. // echo "<p>+++++LDAP Bind Successful!</p>"; // echo "<p>Verifying if user is already a Gallery user..."; $tmpUser = $gallery->userDB->getUserByUsername($username); if($tmpUser) { // Since we knows the user exsists in Gallery, we log them in as normal. // User is successfully logged in, regenerate a new // session ID to prevent session fixation attacks // echo "<br>User is confirmed as a Gallery user, logging in...</br>"; createGallerySession(true); // Perform the login $tmpUser->log("login"); $tmpUser->save(); $gallery->session->username = $username; gallery_syslog("Successful login for $username from " . $_SERVER['REMOTE_ADDR']); if ($tmpUser->getDefaultLanguage() != "") { $gallery->session->language = $tmpUser->getDefaultLanguage(); } if (!$gallery->session->offline) { dismissAndReload(); } else { echo '<span class="error">'. _("SUCCEEDED") . '</span><p>'; return; } // As we've retreived our necessary LDAP info at this point, we close the connection ldap_close($ldapconnection); // echo "LDAP connection safely closed<p>"; } elseif(!$tmpUser) { // echo "<p>Running test query, searching for (uid=". $username . ")...</p>"; // Search for the user id $ldapSearchName = "uid=" . $username; // Get the given name, surname, and email address with search $ldapSearchInfo = array("givenName", "sn", "mail", "pdsRole"); $ldapRole = 0; // This will flag if the user has the correct role to create an LDAP account. $ldapFirstName = " "; $ldapSurname = " "; $ldapEmail = " "; if($ldapSearchResult=ldap_search($ldapConnection, "ou=People,o=punahou.edu,o=cp", $ldapSearchName, $ldapSearchInfo )) { // echo "+++++Search result is " . $ldapSearchResult . "<br />"; // echo "Number of entires returned is " . ldap_count_entries($ldapConnection, $ldapSearchResult) . "<br />"; // echo "Retreiving info from entries...<br />"; $ldapUserInfo = ldap_get_entries($ldapConnection, $ldapSearchResult); // echo "Data for " . $ldapUserInfo["count"] . " items retrieved: <br />"; // Loop through the results for($i=0; $i<$ldapUserInfo["count"]; $i++) { // Print out user's DN first. // echo $ldapUserInfo[$i]["dn"] . "<br>"; // Loop through this dn for($ii=0; $ii<$ldapUserInfo[$i]["count"]; $ii++) { // echo " " . $ldapUserInfo[$i][$ii] . ": "; // Print name of attribute $attrib = $ldapUserInfo[$i][$ii]; // Set attribute switch ($attrib) { case "pdsrole": // echo $ldapUserInfo[$i][$attrib]["count"]; for($iii=0; $iii<$ldapUserInfo[$i][$attrib]["count"]; $iii++) { if(($ldapUserInfo[$i][$attrib][$iii] == "Employee") || ($ldapUserInfo[$i][$attrib][$iii] == "employee")) // Must be an employee to make an account { $ldapRole = 1; } // echo $ldapUserInfo[$i][$attrib][$iii] . " "; // Print attribute value } break; case "givenname": $ldapFirstName = $ldapUserInfo[$i][$attrib][0]; break; case "sn": $ldapSurname = $ldapUserInfo[$i][$attrib][0]; break; case "mail"; $ldapEmail = $ldapUserInfo[$i][$attrib][0]; break; } // echo $ldapUserInfo[$i][$attrib][0]; // Print attribute value } } // Create the Full Name based off of First and Surname $ldapFullName = $ldapFirstName . " " . $ldapSurname; // As we've retreived our necessary LDAP info at this point, we close the connection ldap_close($ldapconnection); // echo "LDAP connection safely closed<p>"; // echo "<p>Info from LDAP: " . $ldapFullName . ", " . $ldapEmail . ", " . $ldapRole . "</p>"; if($ldapRole) { // If the user has the proper role in LDAP as defined above, //echo "<p>From here we create an account!</p>"; $newUser = new Gallery_User(); $newUser->setUsername($username); $newUser->setPassword($gallerypassword); $newUser->setFullname($ldapFullName); $newUser->setCanCreateAlbums(($gallery->app->selfRegCreate == 'yes')); $newUser->setEmail($ldapEmail); $newUser->origEmail=$ldapEmail; $newUser->log("self_register"); $newUser->setDefaultLanguage("en"); $newUser->save(); $checkRegistered = $gallery->userDB->getUserByUsername($username); if($checkRegistered) { //echo "<p>Account successfully created!</p>"; createGallerySession(true); // Perform the login $checkRegistered->log("login"); $checkRegistered->save(); $gallery->session->username = $username; gallery_syslog("Successful login for $username from " . $_SERVER['REMOTE_ADDR']); if ($checkRegistered->getDefaultLanguage() != "") { $gallery->session->language = $checkRegistered->getDefaultLanguage(); } if (!$gallery->session->offline) { dismissAndReload(); } else { echo '<span class="error">'. _("SUCCEEDED") . '</span><p>'; return; } parent.close(); } else { // Error in creating the actual account for the user. //echo "<p>Account was not created.</p>"; //echo $checkRegistered; $error=_("Error in creating new Gallery account. Please contact system administrator."); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } } else { // Must have the employee role in order to create an account. //echo "<p>Sorry, but that user is not an employee! Throw an error message.</p>"; $error=_("<center>You do not have access rights to edit this Gallery. Please contact the Helpdesk if you should not have received this message.</center>"); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } } else { // Output Error # and message //echo "-----LDAP-Errno: " . ldap_errno($ldapConnection) . "<br>\n"; //echo "-----LDAP-Error: " . ldap_error($ldapConnection) . "<br>\n"; //die('-----Error in search on LDAP server.'); $error=_("Invalid username or password"); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } } } else { // Output Error # and message //echo "-----LDAP-Errno: " . ldap_errno($ldapConnection) . "<br>\n"; //echo "-----LDAP-Error: " . ldap_error($ldapConnection) . "<br>\n"; //echo "-----Cannot Bind to LDAP server. Please report this error to the system administrator.<br>\n"; $error=_("Invalid username or password"); $gallerypassword = null; gallery_syslog("Failed login for $username from " . $_SERVER['REMOTE_ADDR']); } } else { // Output Error # and message //echo "-----LDAP-Errno: " . ldap_errno($ldapConnection) . "<br>\n"; //echo "-----LDAP-Error: " . ldap_error($ldapConnection) . "<br>\n"; //echo "-----Cannot Connect to LDAP server. Please report this error to the system administrator."; $error=_("Unable to connect to LDAP Server, please contact the system administrator."); $gallerypassword = null; gallery_syslog("Failed LDAP connection for $username from " . $_SERVER['REMOTE_ADDR']); } } elseif (!empty($submitted)) { $error=_("Please enter username and password."); } elseif (!empty($username)) { $error=_("Please enter a password."); } elseif (!empty($gallerypassword)) { $error=_("Please enter a username."); $gallerypassword = null; } //------------------------------------------END CODE MODIFIED PK 20060123----------------------------------------------------//Below this, find the following block of code, and comment it out:
if (isset($gallery->app->emailOn) && $gallery->app->emailOn == 'yes') { ?> <div class="popuphead"><?php echo _("Forgotten your password?") ?></div> <div class="popup" align="center"> <?php echo makeFormIntro('login.php', array('name' => 'forgot_form')); if (!empty($forgot)) { $tmpUser = $gallery->userDB->getUserByUsername($username); if ($tmpUser) { $wait_time=15; if ($tmpUser->lastAction == "new_password_request" && time() - $tmpUser->lastActionDate < $wait_time * 60) { echo gallery_error(sprintf(_("The last request for a password was less than %d minutes ago. Please check for previous email, or wait before trying again."), $wait_time)); } else if (check_email($tmpUser->getEmail())) { if (gallery_mail( $tmpUser->email, _("New password request"), sprintf(_("Someone requested a new password for user %s from Gallery '%s' on %s. You can create a password by visiting the link below. If you didn't request a password, please ignore this mail. "), $username, $gallery->app->galleryTitle, $gallery->app->photoAlbumURL) . "\n\n" . sprintf(_("Click to reset your password: %s"), $tmpUser->genRecoverPasswordHash()) . "\n", sprintf(_("New password request %s"), $username))) { $tmpUser->log("new_password_request"); $tmpUser->save(); echo sprintf(_("An email has been sent to the address stored for %s. Follow the instructions to change your password. If you do not receive this email, please contact the Gallery administrators."),$username) ?> <br><br> <form> <input type="button" value="<?php echo _("Dismiss") ?>" onclick='parent.close()'> </form> <?php } else { echo gallery_error(sprintf(_("Email could not be sent. Please contact %s administrators for a new password"),$gallery->app->galleryTitle )); } return; } else { echo gallery_error(sprintf(_("There is no valid email for this account. Please contact %s administrators for a new password"),$gallery->app->galleryTitle )); } } else { echo gallery_error(_("Not a valid username")); } } ?> <table align="center"> <tr> <td><?php echo _("Username") ?></td> <td><input type="text" name="username" class="popupform" value="<?php echo $username ?>"></td> </tr> </table> <p align="center"><input type="submit" name="forgot" value="<?php echo _("Send me my password") ?>"></p> </form> </div> <?php } /* End if-email-on */ /* if ($gallery->app->selfReg == 'yes') { ?> <div class="popuphead"><?php echo _("No account at all?") ?></div> <div class="popup" align="center"> <a href="<?php echo makeGalleryUrl('register.php') ?>"><?php echo _("Register a new account."); ?></a> </div> <?php } */4. Input the appropriate information that pertains to your LDAP server.
What this does is check for a user in LDAP. If that user is authenticated with the password that they login with, it then checks if they're in Gallery. If they're NOT in Gallery, it pulls the appropriate roles from LDAP and checks those. If they have a role in LDAP that should allow them to create an account, it auto-generates the account and logs them in.
5. Dance!
This is by no means perfect; I wrote it in a week after having only first seen the Gallery program on the Friday before. All input is much appreciated!
Posts: 65
User dcain1 ran into an issue with the code wherein users will be created by the auto-create changes, but will not be logged into gallery; subsequently, it confirms that they exsist, but no navigation options are presented afterwords. They were able to fix the issue by commenting out the following lines of code in session.php:
// If we're requesting a new session, generate a new session id # if ($newSession) { # session_regenerate_id(); # }YMMV, but I hope this helps anyone troubleshooting a similar issue!
Posts: 65
Additional info-- If you are running this under IIS, you will need to make sure to do the following (from http://us3.php.net/manual/en/ref.ldap.php):
Note to Win32 Users: In order to enable this module on a Windows environment, you must copy several files from the DLL folder of the PHP/Win32 binary package to the SYSTEM folder of your windows machine. (Ex: C:\WINNT\SYSTEM32, or C:\WINDOWS\SYSTEM). For PHP <= 4.2.0 copy libsasl.dll, for PHP >= 4.3.0 copy libeay32.dll and ssleay32.dll to your SYSTEM folder.
Posts: 65
This setup has now been verified to work on Windows 2003 with IIS 6.0 and PHP 4.4.0. Will test with PHP 5.x later on.
Posts: 65
Updated the install of Gallery to 1.5.1 and moved LDAP code changes over. Looks good as ever and still works for LDAP authentication. We have been using this for a staff of about 200+ for a few months now, and it runs without hitch.
-Patrick
Posts: 1
I've played with this for the past few days and finally got it working.
One thing to note is that echo statements in the code cause the login to fail.
I attached my working version. It is slightly modified for my server. I also attached ldap_tools.P9.php which contains the testGroupMembership function I use to determine if a user can login and if new users should be admins. The other file I'm not attaching is config.P9.php which contains global settings. They are just globals at this point. Also note mine checks for a secure server.
This probably won't work for anyone but me. I'm posting it so people can see a full login.php for comparison if they are having problems.
Posts: 65
Thanks for the contribution! Glad to hear that it's working out.
Since I didn't have much experience working with LDAP before making this, I know I probably left some things out. One thing I noticed while scanning your version was the inclusion of a ldap_close(); statement, which I'll work into the code above.
-Patrick
Posts: 65
Currently working on the 1.5.2 update!
-Patrick
Posts: 65
Instructions updated for 1.5.2
-Patrick
Posts: 65
It's been some time since I've sat down and looked at this, and I wanted to take some time to set it up and test it for Gallery 1.5.6. Unfortunately, I no longer am working where I was with an easily accessible and populated LDAP server to test against, so it will take some time to set one up, populate it, and then begin testing against it.
If someone who is using Gallery 1.5.6 has an installation that they want to get working with LDAP, please let me know, and I'd be glad to work with you on it.
-Patrick