Closed RussH closed 8 years ago
+1, having this built in would be great.
@RussH or @libregeek Are there instructions for applying this patch to the latest version of opencats?
Hi - Libregeek / Manilal (one of the OpenCATS project admins) has the (old) code here;
https://sourceforge.net/projects/sandglass/files/opencats/
"Please note that this code is not tested for AD and it is tested only in LDAP(OpenLDAP). You may need to customize it to make it work." .. questions to Manilal please!
Russ
On 30 September 2015 at 00:46, JohnTheodore notifications@github.com wrote:
+1, having this built in would be great.
@RussH https://github.com/RussH do you know where I can download the code/patches for this? and the instructions for setting it up?
— Reply to this email directly or view it on GitHub https://github.com/opencats/OpenCATS/issues/11#issuecomment-144222423.
I tried this; it errors with a 500 and nothing prints to /var/log/apache2/error.log. The login page shows, and I try to login with admin/admin (which worked before I applied these changes).
I can see this in access.log:

```
10.17.6.243 - - [10/Feb/2016:23:53:07 +0000] "POST /cats/index.php?m=login&a=attemptLogin HTTP/1.1" 500 389 "http://100.73.151.78/cats/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.103 Safari/537.36"
```
I'm assuming it will be a long time before ldap is integrated with opencats as part of the main branch.
@libregeek do you have any updates on this?
@JohnTheodore did you follow this guidance? http://forums.opencats.org/viewtopic.php?f=9&t=42
Yes, I followed that forum post, and there were a couple of lines in the readme too.
On Thu, Feb 11, 2016 at 7:37 AM, RussH notifications@github.com wrote:
@JohnTheodore https://github.com/JohnTheodore did you follow this guidance? http://forums.opencats.org/viewtopic.php?f=9&t=42
— Reply to this email directly or view it on GitHub https://github.com/opencats/OpenCATS/issues/11#issuecomment-182920023.
@JohnTheodore Please check your LDAP config. Make sure that you are using the correct protocol version.
@libregeek
```
root@opencats-85eb:~# cat /var/www/html/cats/config.php|tail -12
/* LDAP Authentication Configuration */
//define ('AUTH_MODE', 'sql'); // Currently supports ldap, sql
define ('AUTH_MODE', 'ldap'); // Currently supports ldap, sql
define ('LDAP_HOST', 'ldap.mydomain.com');
define ('LDAP_PORT', '389');
define ('LDAP_BASEDN', 'ou=People,dc=mydomain,dc=net');
define ('LDAP_UID', 'uid');
define ('LDAP_CONNECT_DN', 'uid=proxy,ou=Special Users,dc=mydomain,dc=net');
define ('LDAPPASSWORD', 'password');
/* ----------------------------------*/
?>
```
Which part of this do I make sure is the correct protocol version? In the LDAP_HOST?
I tried LDAP_HOST as 'ldap://ldap.mydomain.com', 'ldaps://ldap.mydomain.com' and 'ldap.mydomain.com', and none of them work. Are there logs for errors in this code being written anywhere? One problem is that it's difficult to debug: nothing is going to /var/log/apache2/error.log, even though apache is giving 500 errors in the browser.
The config looks good. The 500 error may not be related to the LDAP patch; it might be due to some special characters which got copied into the source file when you applied the patch. Please double-check your modifications in the other source files.
BTW, I'm working on integrating the adLDAP library, which has many more features than the one in the patch. I hope to complete it within a couple of days.
@libregeek So I did a search of all .php and .tpl files to see if they have any non-ASCII characters, i.e. special or hidden characters that could mess things up. The list is below:

```
root@opencats-85eb:/var/www/html/cats# grep --include=*.tpl --include=*.php --color='auto' -P -n "[\x80-\xFF]" -R .
./lib/artichow/BarPlotPipeline.class.php:420: // ça bidouille à fond ici !
./lib/artichow/BarPlotDashboard.class.php:442: // ça bidouille à fond ici !
./lib/artichow/inc/Drawer.class.php:866: // Gauche->droite : 90°
./lib/artichow/inc/Font.class.php:48: trigger_error("You can only use 0° and 90°", E_USER_ERROR);
./lib/artichow/BarPlot.class.php:316: // ça bidouille à fond ici !
./lib/HashUtility.php:201: * Martin Stigge, Henryk Plötz, Wolf Müller, Jens-Peter Redlich
```

So the only files with special characters aren't files that are part of your patch (which includes, say, config.php).
Also, are the new changes with adLDAP in your personal forked opencats repository under some branch?
Also, how are your adLDAP changes going to work: do I have to add each user I want to use the opencats system, or does anyone in LDAP have access to opencats by default, or anyone in some group, etc.?
This avoids the need to add users all the time as they join the LDAP OU (similar for AD).
@JohnTheodore I'm working on adLDAP now. I hope I can find time this weekend to work on it.
@JohnTheodore I tried to implement adLDAP library, but unfortunately it doesn't work with OpenLDAP. So I decided to integrate the old patch with the master. The new version is available as my fork.
@libregeek I wiped the mysql database and did a fresh install of your opencats repository (master).
I did a chmod of the attachments directory, then I modified config.php and only changed these variables:
```
define ('LDAP_HOST', 'ldap.forumsys.com');
define ('LDAP_BASEDN', 'dc=example,dc=com');
define ('LDAP_BIND_DN', 'cn=read-only-admin,dc=example,dc=com');
define ('LDAP_BIND_PASSWORD', 'password');
```
Then I went through the install process. It verified/validated everything in the install process (it was all green). Then I 'started' opencats. When I go to login for the first time, I use admin/admin, then I get a 500 error after I click login. I check /var/log/apache2/error.log .. nothing in there.
Note I can install opencats without ldap and that works fine, and I can login to admin/admin. As a test, I duplicated a variable in config.php and restarted apache2, then loaded the server. I can see /var/log/apache2/error.log prints an error about a duplicate variable. So I know errors are being written to the apache2 error log.
From this box I ran an ldapsearch command with the same 4 variables listed above, and I was able to talk to LDAP from this VM and get a good bind and results from a search.
I tried setting the apache2 config LogLevel to debug... but no more information is written from opencats with that change than was with LogLevel info.
Do you have any environment specific things setup that I need to copy? is there a way you can catch errors or exceptions and log them as errors?
Have you been able to deploy your own repository and get it working? Or do you have a custom app that isn't the same as what's in your repository?
If I get this working, I'll send a PR with documentation on how to set this up so others after me have an easier time.
@libregeek I found one of the steps I was missing: I had to apt-get install php5-ldap. I thought lib/LDAP.php included that, but then I realized you're just making calls to the default PHP LDAP library.
Now I get errors in /var/log/apache2/error.log.
I tried to login as admin/admin or admin/cats; neither works. I get this in error.log when I try to login:

```
[Sat Feb 13 22:03:40.276765 2016] [:error] [pid 6468] [client x.x.98.20:58221] PHP Notice: Undefined offset: 0 in /var/www/html/cats/lib/LDAP.php on line 76, referer: http://x.x.151.78/cats/index.php?m=login&a=attemptLogin
```

```
root@opencats-85eb:/var/www/html/cats# tail -1 /var/log/apache2//error.log
[Sat Feb 13 22:57:33.694633 2016] [:error] [pid 6766] [client x.x.98.20:58810] PHP Fatal error: Call to undefined method Users::searchLDAPUser() in /var/www/html/cats/modules/settings/SettingsUI.php on line 867, referer: http://x.x.151.78/cats/index.php?m=settings&a=addUser
root@opencats-85eb:/var/www/html/cats# grep "searchLDAPUser" -Ri .
./modules/settings/SettingsUI.php: if ($users->searchLDAPUser($username) == NULL)
```
These are new errors. Since I couldn't login as admin, I switched AUTH_MODE to sql, then logged in as admin, then switched config.php back to AUTH_MODE ldap. This way I have a cookie that lets me be admin (perhaps?). When I went to add an LDAP user, it gave me the error above.
I think you are calling a class method that doesn't exist. I can't find a searchLDAPUser method that is part of the user class.
Also, what's the deal with this from the original tarball patch:

```
define('PASSWORD_PADDING', 'L2Wrvkinuj3H4qG51yg6');
```

Is that a hardcoded salt? Are there still hard-coded salts in opencats? Not that it matters for LDAP auth, but it seems strange.
This variable in config.php: `define ('LDAP_USE_REC_GROUPS', '');` .. I don't see any other references to it. What was that supposed to be?
I commented out this whole section:

```php
/* Check if username exists in LDAP
if (AUTH_MODE == "ldap")
{
    if ($users->searchLDAPUser($username) == NULL)
    {
        $this->fatal('The user doesn\'t exists in LDAP Database');
    }
} */
```

inside ./modules/settings/SettingsUI.php
and then I was able to add an LDAP user, and the LDAP user can be auth'd through LDAP and login. So it works, but there are some code changes still required.
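The thread touches three separate failure points of a bind-based LDAP login: the protocol-version question raised above, the missing php-ldap extension that turned into a silent 500, and the "Undefined offset: 0" notice from indexing an empty search result. The following is an added example written for this thread; it is not OpenCATS code and not from libregeek's fork or the sandglass patch. It assumes the constant names from the config.php shown earlier (LDAP_HOST, LDAP_PORT, LDAP_BASEDN, LDAP_UID, LDAP_BIND_DN, LDAP_BIND_PASSWORD); the function name ldapAuthenticate is hypothetical, and the directory values are the public forumsys test values already quoted above.

```php
<?php
// Added example (not OpenCATS / libregeek code): a bind-based LDAP
// authenticator showing the checks that the errors in this thread
// correspond to. Constant names follow config.php as quoted above;
// ldapAuthenticate() is a hypothetical name chosen for this example.
define('LDAP_HOST', 'ldap.forumsys.com');   // test directory quoted in the thread
define('LDAP_PORT', 389);
define('LDAP_BASEDN', 'dc=example,dc=com');
define('LDAP_UID', 'uid');
define('LDAP_BIND_DN', 'cn=read-only-admin,dc=example,dc=com');
define('LDAP_BIND_PASSWORD', 'password');

/**
 * Returns the user's DN on success or null on any failure.
 * $error receives the reason so the caller can write it to error.log;
 * the user should only ever see a generic "login failed".
 */
function ldapAuthenticate($username, $password, &$error = null)
{
    $error = null;

    // 1. php-ldap is a separate package (php5-ldap on Debian/Ubuntu). Without it
    //    ldap_connect() is undefined and Apache answers 500, as seen above.
    if (!extension_loaded('ldap')) {
        $error = 'PHP ldap extension is not loaded';
        return null;
    }

    // 2. Refuse empty credentials: many directories treat a bind with an empty
    //    password as an anonymous bind, which succeeds and would log anyone in.
    if ($username === '' || $password === '') {
        $error = 'empty username or password';
        return null;
    }

    $conn = ldap_connect(LDAP_HOST, LDAP_PORT);
    if ($conn === false) {
        $error = 'ldap_connect failed';
        return null;
    }

    // 3. Protocol version is a connection option, not part of LDAP_HOST.
    //    OpenLDAP refuses LDAPv2 binds by default, so set v3 explicitly.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Service-account bind, used only to resolve the user's DN.
    if (!@ldap_bind($conn, LDAP_BIND_DN, LDAP_BIND_PASSWORD)) {
        $error = 'service bind failed: ' . ldap_error($conn);
        ldap_unbind($conn);
        return null;
    }

    // 4. Escape the username before interpolating it into the filter, so input
    //    such as "*)(uid=*" cannot widen the search (LDAP filter injection).
    $filter  = sprintf('(%s=%s)', LDAP_UID, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result  = @ldap_search($conn, LDAP_BASEDN, $filter, array('dn'));
    $entries = $result ? ldap_get_entries($conn, $result) : false;

    // 5. Check 'count' before touching $entries[0]. An unknown user yields
    //    count == 0, and reading [0] then is the "Undefined offset: 0" notice
    //    from LDAP.php quoted above. Exactly one match is required.
    if ($entries === false || $entries['count'] !== 1) {
        $error = 'user not found or ambiguous for filter ' . $filter;
        ldap_unbind($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];

    // 6. The authentication decision is the bind as the user with the
    //    supplied password; never compare passwords yourself.
    $ok = @ldap_bind($conn, $userDn, $password);
    if (!$ok) {
        $error = 'user bind failed: ' . ldap_error($conn);
    }
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}

// Usage: the reason goes to Apache's error.log, the browser gets a generic result.
$user = isset($_POST['username']) ? $_POST['username'] : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';
$dn   = ldapAuthenticate($user, $pass, $why);
if ($dn === null) {
    error_log('LDAP login failed: ' . $why);
    echo 'Login failed';
} else {
    echo 'Authenticated as ' . htmlspecialchars($dn);
}
```

Two design points worth keeping in whatever lands in the main branch: the empty-password refusal in step 2 is what stops an anonymous-bind directory from accepting any username, and the count check in step 5 both removes the notice and makes a duplicate uid a hard failure rather than a silent pick of the first entry.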
The last two changes are now in the repository. I will also update the installer to check for the php-ldap extension. Will do this later today.
@JohnTheodore I installed a fresh clone of my fork on a system (Fedora 23 with Apache, MariaDB) without php-ldap and the installation went well without any issues. I was able to login to opencats with admin/admin. However, I have added a check in the installation wizard for php-ldap.
@libregeek how is someone supposed to bootstrap ldap users? It seems like admin/admin doesn't work once you turn AUTH_MODE to 'ldap'.
It's tricky for the time being. First you need to set AUTH_MODE to sql and then login using the admin account. Then change the AUTH_MODE to ldap and add the users.
I don't know what the default role of the user should be if the users are automatically synced from LDAP. I'm happy to implement it if you can suggest a better way :)
https://sourceforge.net/projects/sandglass/files/opencats/