LDAP Authentication...


Joined: 2005-07-25
Posts: 6
Posted: Thu, 2006-12-07 17:42

Back over the Summer during Google's Summer of Code, I had seen some prospect of LDAP authentication being available for Gallery 2. Does anyone know what happened to that and if any LDAP support is planned or how hard it would be if I wanted to do it myself?


Joined: 2003-01-04
Posts: 32509
Posted: Sat, 2006-12-09 00:01

The student responsible for that project didn't show up. It was pretty disappointing to say the least.

There's noone working on LDAP integration as far as I know.
It shouldn't be too hard, but you'd have to get your hands dirty by learning some things about the gallery 2 framework and by writing some php code.


Joined: 2006-12-20
Posts: 5
Posted: Wed, 2006-12-20 17:32


My company is going to use G2 as its corporate image database, and therefore we need LDAP authentication, which means that I will write it and we will later contribute it to the project.

I had a look at G2's code today, and I'd like to discuss this with some more G2-experienced developer:

I'm not shure how to write it: is it possible to write a pluggable module for this (my guess: no?), or should I extend or modify the core-GalleryUser.class and GalleryUserHelper-classes?

The plan would be to authenticate a user with LDAP, and create this user as regular G2-user if he doesn't exist yet, but without his password. If LDAP authentication fails, I would try to authenticate the user with the regular G2 username/password mechanism, e.g. for the admin account.


Regards, Johannes


Joined: 2003-01-04
Posts: 32509
Posted: Thu, 2006-12-21 03:30

Yes, this can be done in a modular way, no need to change any G2 files.
That's speculative since I haven't thought this through to the end, but from my experience with G2 integrations, this should be possible.

If you want to discuss this, you can chat with developers in irc #gallery on irc.freenode.net.

One way to make LDAP work is through GalleryEmbed creating a wrapper around G2 that checks LDAP first.
See http://codex.gallery2.org/index.php/Gallery2:Embedding (docs -> development -> integration)

Another way is to use the authplugin (also used by the httpauth module in g2.2).


Joined: 2006-12-20
Posts: 5
Posted: Thu, 2006-12-21 06:42

Thanks for the hints, I'll have a look at it, and I think with some kind of module blueprint for that it won't be too difficult. I'll return to it next week...


Joined: 2007-02-12
Posts: 1
Posted: Mon, 2007-02-12 14:57

Hi. Any news on this issue? Johannesl, did you proceed / succeed in developing a LADP module for your company?


Joined: 2005-06-14
Posts: 65
Posted: Wed, 2007-04-11 19:38


I created a LDAP solution for Gallery 1.5.2 (thread at http://gallery.menalto.com/node/31761). I've been wanting to sit down and work on a working solution for 2.2 for some time now, so if someone with a populated LDAP server would like to coordinate on it, I'd love to do so.



Joined: 2005-04-27
Posts: 13
Posted: Wed, 2007-04-18 06:24

Any updates?h


Joined: 2007-05-22
Posts: 2
Posted: Tue, 2007-05-22 12:29
pkarjala wrote:

I created a LDAP solution for Gallery 1.5.2 (thread at http://gallery.menalto.com/node/31761). I've been wanting to sit down and work on a working solution for 2.2 for some time now, so if someone with a populated LDAP server would like to coordinate on it, I'd love to do so.


I'm trying to get Gallery2 work with OpenLDAP, for now I'm using the Http Auth plugin, the authentication against the LDAP directory works, but first I have to sync the Gallery users database and the LDAP directory, secund the users can edit their unused Gallery DB password... and that's far from perfect :)
It looks that your plugin did correct these problems... :)
So, if you want, I can help you setting up a working OpenLDAP directory on one of your box, or I can even set up temporally one of mine for test purpose, contact me by PM if you are interested by one of these propositions.

Best regards,


Joined: 2008-04-23
Posts: 2
Posted: Wed, 2008-04-23 09:32

My company is also intersted in LDAP for Gallery. How is the project going? May I help?



Joined: 2008-10-30
Posts: 2
Posted: Fri, 2008-12-05 10:22

Same over here, I deployed Gallery2 to our company intranet - its sooo nice, we use alot of the features - bus habe seperate users for the G2 which is kind of a mess. I'd really like to integrate G2 into our OpenLDAP .... any tuts or hints?

regards Chris


Joined: 2009-01-05
Posts: 2
Posted: Mon, 2009-01-05 11:11

Hi Guys,

We have similar setup in our company. Here's is a simple patch I applied to latest gallery (v 2.3) to get it work with our LDAP setup. It will create gallery user with info from LDAP when the user logs in for the first time (hence all further access control etc works as normal). LDAP auth and local gallery user auth works at the same time as well (so you can create G2 only users that aren't in LDAP if necessary - eg: separate G2 admin users).
The diff file I used is attached. Instruction for installation and setup:
1) Download the appropriate gallery package
2) Download the patch (attached with this post)
3) Extract the gallery package:
tar zxf gallery-2.3-xxxx-yy.zip (use the correct filename)
4) Extract the patch:
gunzip gallery2_v2.3_ldap.diff.gz
5) Change to gallery folder:
cd gallery2
6) Apply the patch:
patch -p1 <../gallery2_v2.3_ldap.diff
7) Edit the file: modules/core/UserLogin.inc
Search for string LDAP. Just below the comment "LDAP Code begin" line, you'll find the $ldap array with ldap server settings.
Change the values in the $ldap array to match your LDAP settings. Change the $filter variable to match your LDAP filter.
Save and exit.
8) Follow usual gallery2 installation procedure with this new patched gallery2.

Hope this helps someone in similar situation.


Joined: 2009-01-05
Posts: 2
Posted: Mon, 2009-01-05 11:08

Note: An additional '_' (underscore) somehow got into the filename while attaching it. Use the correct name. You may need to add a step before step 4:
3a) Rename the downloaded diff:
mv gallery2_v2.3_ldap.diff_.gz gallery2_v2.3_ldap.diff.gz


Joined: 2009-01-14
Posts: 6
Posted: Tue, 2009-01-27 16:25


Thanks for making this available it's exactly what I needed. However, when I try to login using an LDAP account, I get the following php error (I had to turn on debug mode to find it).

Notice: Undefined offset: 0 in /usr/share/gallery2/modules/core/UserLogin.inc on line 103

Warning: ldap_compare() [function.ldap-compare]: Compare: No such object in /usr/share/gallery2/modules/core/UserLogin.inc on line 103

From reading the php code, this seems to suggest I've filled in the ldap server settings incorrectly and it hasn't retrieved any listings to query the username against. I filled in the variables with the same info that I used to allow another LDAP browser to browse the directory (http://www.mcs.anl.gov/~gawor/ldap/), but obviously I'm going wrong somewhere.

Can you give more details (and possibly some examples) of what the variables do exactly.

Also, I don't do php on a regular basis, but is it possible to have more than one 'dn' entry in the ldap array (for example if I wanted to authenticate users in the Editors OU and the Design OU) or does it descend into the child OUs?

Gallery 3 comes out next week supposedly. I bet it's going to be more fun getting LDAP support in that!


Joined: 2009-01-14
Posts: 6
Posted: Wed, 2009-01-28 11:48

I've made some progress, it turns out the line:

$filter = "(&(uid=$username) (accountStatus=active))";

was actually filtering out all results, because in my Active Directory environment 'username' should be 'sAMAccountName' and I'm not sure what accountStatus should be.

In the end I just set it to

$filter = "(CN=*)";

as that will at least allow me to continue to debug until I come up with a filter that suits my needs.

However, now I get the following error:

Warning: ldap_compare() [function.ldap-compare]: Compare: No such attribute in /usr/share/gallery2/modules/core/UserLogin.inc on line 105

Now that I've taken the time to investigate this thoroughly, it seems you're using ldap_compare to compare the MD5 hashes of the passwords as a means of authentication. This may work for some, but I guess in Active Directory the password hashes aren't accessible that way. Also there is a comment on the ldap_compare page http://uk.php.net/ldap_compare that says you should not use ldap_compare to authenticate someone, and instead use ldap_bind.

I'm going to dive in and have a go at rewriting this to use ldap_bind, but php programming is not my day job, so if anyone with more experience has something similar that can just be pasted in, feel free to shout. :-)


Joined: 2009-02-04
Posts: 7
Posted: Wed, 2009-02-04 16:17

I am wondering if anyone has made any more progress with this? I agree with darkinnit in that ldap_bind should be used instead of ldap_compare. Our environment is Active Directory so by default we don't have MD5 passwords as an option. (For security reasons I would like to see it kept that way) I can bind to Active Directory like this:


In Active Directory the $username will have to be domain\username or

. Either works to bind.

Getting user information is not very hard either:


function user_info($username){
$_conn = ldap_connect("ldap://server.domain.local");
$fields=array("mail","displayname"); //or what ever else you want... just use ADSI EDIT on your DC to see what LDAP fields are available...
$entries = ldap_get_entries($_conn, $sr);

Sorry that's just a basic idea... I have been working with the adLDAP class I found on source forge a few weeks ago and that's were most of that came from.

I am rather unfamiliar with how Gallery is coded so if I could get some basic ideas from someone who knows that would be great.


Joined: 2009-02-04
Posts: 2
Posted: Wed, 2009-02-04 20:44

I've got it working using ldap_bind.

When the user attempts to log in, the module binds to the Active Directory as

to get information about the user. I don't know if it's strictly required to do that first, but it provides an opportunity to get the name and e-mail attributes. Then ldap_bind connects using the user's login and password.

While I was testing I noticed that ldap_bind succeeds if you don't specify a password, but a subsequent ldap_search will fail in that case. I'm using that search result to decide if the login was successful or not.

I've attached a patch file against the unmodified code. Thanks to sunjith for doing most of the work :)


Joined: 2009-01-14
Posts: 6
Posted: Thu, 2009-02-05 15:13

Thanks for that SolidElectronics, that's exactly what I was trying to do, and has saved me a lot of time! Thanks again to Sunjith for doing the initial work.

Now I just have the problem that if I make it authenticate against all domains in our organisation, our domains in the remote parts of the world cause the latency to be terrible at authentication for everyone... fun :-)

I think I will just use a temporary solution of having LDAP/AD Authentication for the local domain and make people on the other domains register their accounts using the Registration module. Unless some LDAP/Active Directory wizard knows a solution to that too? :-)


Joined: 2009-02-04
Posts: 7
Posted: Thu, 2009-02-05 16:26

Thats not working for me for some reason... It defiantly looks like it should. My security logs on the Domain Controllers show a successful authentication but Gallery its self is not letting me in with the LDAP users. Do you guys have the user name already in the g2_Users table for Gallery permissions reasons? I'm hopping its something simple I'm just over looking...

Also would you be able to just bind with the username and password that is coming from the log in form rather than having one hard coded in the $ldap array?

Thanks to you guys that put this together! :)


Joined: 2009-01-14
Posts: 6
Posted: Thu, 2009-02-05 16:36

If you put your Gallery into debug mode it helps you spot any errors that are occurring and makes it a lot easier to identify where things are going wrong.

I think the code could be shuffled so that the credentials of the user authenticating could be used to search LDAP for the user details, rather than using the hard coded ones, but it's nice to at least have a working prototype to start with. :-)


Joined: 2009-01-14
Posts: 6
Posted: Thu, 2009-02-05 16:39

Sorry forgot to mention, the code sunjith and solidelectronics have put together automatically creates a user matching the LDAP user in the g2_Users table upon successful authentication, so no, you don't need to create the users first.


Joined: 2009-01-14
Posts: 6
Posted: Thu, 2009-02-05 17:06

Gah one last post, just in case it helps you or anyone else.

You may be having a similar problem with the search filter that I had. I had to change the line:

$ldapSearchResult = ldap_search($ldapconn, $ldap['dn'], "(&(objectClass=user) sAMAccountName=".$username."))" );


$ldapSearchResult = ldap_search($ldapconn, $ldap['dn'], "(sAMAccountName=".$username.")");

For some reason the "objectClass=user" filter did not work for me, but the account I was testing with has four objectClass entries (top, user, person, and organisationalPerson), so perhaps this was causing problems?


Joined: 2009-02-04
Posts: 2
Posted: Thu, 2009-02-05 20:35

That's a good suggestion. I think my AD setup is a bit weird since it's undergone a couple schema updates and I'm using Services for UNIX to authenticate users under Linux.
I also found it really helpful to run WireShark on the server and watch the LDAP network traffic while it's trying to authenticate.


Joined: 2009-07-15
Posts: 1
Posted: Wed, 2009-07-15 20:29

hey people,

i was looking for LDAP support about 1 year ago .. but at this time nothing seemed to be available for gallery2.
checking for ldap the last weeks i found and downloaded the patch of 'sunjith' posted: Mon, 2009-01-05 11:11.

it was not really working for me :(
main-problem was logging in after the first successful login (when a user was already created) - the script "failed" directly after re-creating (of a user) because the user is already in the database.

so i adopted the script for my needs - only create a new user if it was not found in the database by the lines right before the "ldap-hack" (....fetchUserByUsername($form['username'])

another thing i changed is: that every user tries to bind with its username+password to the ldap server.

maybe somebody likes this quick hack :)

(its not a patch, go right to your .../modules/core/UserLogin.inc ..and paste the code somewhere near linke #85)

(yes i know error handling is not done nice .. i'm not into php nor galleryAPIs)

good luck


Joined: 2007-06-06
Posts: 3
Posted: Tue, 2009-11-17 08:43

Thanks to everyone who has posted code, I have taken bits from all of them and written some code that uses the adLDAP class functions (http://adldap.sourceforge.net/).

Diff file attached, (although this forum does weird things to attachments so I have renamed it to a txt file) or you can just copy and paste, it's just a block of code that slots into the existing modules/core/UserLogin.inc file at around line 91. This is based on Gallery v2.3, I have no idea if it will work in other versions. There is some error trapping, but I really didn't understand the Gallery error functions so I mostly just copied it from the code posted previously.

This code will first let Gallery do its authentication and if that works, then it ignores the LDAP section, if the user is in Gallery and the Gallery auth fails and the user is in LDAP, then it uses LDAP, if the user does not exist in Gallery but authenticates with LDAP, then it creates the user in Gallery, finally, if the user does not exist in Gallery and does not authenticate with LDAP, then login fails.