[ZendTo] Reply: Re: LDAPAuthorization for zendto

patrick.gaikowski at kaufland.com patrick.gaikowski at kaufland.com
Tue Dec 14 14:17:27 GMT 2010


Hello Jules,

thank you for your fast response.

I tested the new configuration settings, but there seem to be some
additional changes needed:

What I did:

   added "ErrorUnauthorizedUser = "Sorry, you are not authorized to use
   this service"" to /opt/zendto/config/zendto.conf
   changed /opt/zendto/config/preferences.php

   //
   // Settings for the LDAP authenticator.
   //
   'authenticator'         => 'LDAP',
   'authLDAPAdmins'        => array('xxxxxx','xxxxxx'),
   'authLDAPBaseDN'        => 'o=kl',
   // 'authLDAPServers'       => array('ldap2.kaufland'),
   'authLDAPServers'       => array('x.x.1.118','x.xx.1.117'),
   // 'authLDAPAccountSuffix' => '@ecs.soton.ac.uk',
   'authLDAPUseSSL'        => false,
   // 'authLDAPBindDn'        => 'o=MyOrganization,uid=MyUser',
   // 'authLDAPBindPass'      => 'SecretPassword',
   // This is the list of LDAP properties used to build the user's full name
   'authLDAPFullName'      => 'givenName sn',
   'authLDAPMemberKey'     => 'groupMembership',
   'authLDAPMemberRole'    => 'cn=citrix,ou=portal,ou=sslvpn,ou=roles,o=kl',

   Changed NSSLDAPAuthenticator.php to the new one

If the groupMembership exists, I can log in successfully. If I change
something in the string for authLDAPMemberRole so that the role does not
match, I get the PHP error message "Fatal error: Call to a member function
getConfigVariable() on a non-object in
/opt/zendto/lib/NSSLDAPAuthenticator.php on line 299".

Content of line 299 -->
NSSError($smarty->getConfigVariable('ErrorUnauthorizedUser'),'Authorisation Failed');


Greetings,

Patrick




http://www.kaufland.de

Kaufland Informationssysteme GmbH & Co. KG
Postfach 12 53 - 74149 Neckarsulm
Kommanditgesellschaft
Sitz: Neckarsulm
Registergericht: Amtsgericht Stuttgart HRA 104163

This message contains confidential information and is intended solely for
the use by the addressee. Any use of this message by a third party is
prohibited. If you receive this message in error, please contact the sender
and delete the data from any computer and data carrier.



Jules <Jules at zend.to>
Sent by: zendto-bounces at zend.to
To: ZendTo Users <zendto at zend.to>
14.12.2010 12:47
Subject: [ZendTo] Re: LDAPAuthorization for zendto
Please reply to: ZendTo Users <zendto at zend.to>




Patrick,

I have changed your approach slightly, resulting in only changing
NSSADAuthentication.php and NSSLDAPAuthentication.php. I figured the AD
people might want the feature too, so it's implemented in both systems.

There are a couple of new preferences.php settings and one new zendto.conf
setting, so you never have to mess with the code to translate it or tweak
it.

Look in the attached zip file and you will find the 2 new files and a
README.txt which tells you how to install and configure it. Hopefully
you'll find that pretty simple.

I haven't got my own LDAP system, so I've only been able to test the AD
version. So please let me know if it works for you or not!

This will be included in the next release.

Cheers,
Jules.

On 13/12/2010 16:08, patrick.gaikowski at kaufland.com wrote:


      Hello,

      we would like to use LDAP authentication in combination with
      LDAP authorization, meaning the user needs a special LDAP role to get
      access as an authorized user.

      We changed NSSDropbox.php:

      919,921d918
      < } elseif ($result == 2){
      < $this->_authorizationFailed = TRUE;
      < $this->writeToLog("authorization attempt for not authorized user
      $uname - please add the group");
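Review bot: the `elseif ($result == 2)` branch at 919-921 sets `$this->_authorizationFailed`, but nothing in this hunk declares or initialises that property or shows where it is read, so the user may still see a generic login failure; declare it (initialised to FALSE) next to the existing authentication flags and display the dedicated message wherever it is checked. The log line itself is valuable for detection, since an authenticated-but-unauthorised attempt is exactly what an administrator wants recorded; the "please add the group" advice belongs in the admin documentation rather than in the log message.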

      We changed NSSLDAPAuthenticator.php:

      236,239d235
      < // Kaufland Added
      < // Benutzer status auf nicht autorisiert aendern
      < $result=2;
      <
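Review bot: `$result=2;` at 236-239 is the right fail-closed default (a user counts as unauthorised until a matching group is found), but 2 is a magic return code whose meaning exists only in the German comment; give it a named constant or an English comment stating that 2 means "authenticated, but not in the required role", since the `elseif ($result == 2)` in NSSDropbox.php depends on exactly that contract.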
      241d236
      < $ldapGroups = array(); // Kaufland Added
      243,246d237
      < // Kaufland Added
      < if ($key == "groupMembership") {
      < $ldapGroups = $value;
      < }
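Review bot: `$key == "groupMembership"` at 243-246 is a case-sensitive exact comparison, but LDAP attribute names are case-insensitive and PHP's ldap_get_entries() returns them lowercased, so depending on how the enclosing loop obtains `$key` this branch may never match and every user would end up unauthorised; use `strcasecmp($key, 'groupMembership') == 0`. Assigning `(array)$value` also protects the later foreach if a single-valued attribute arrives as a plain string.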
      253,261d243
      <
      < // Kaufland Added
      < foreach ($ldapGroups as $group){
      < // Gruppenmitgliedschaft des Benutzers pruefen
      < if ( $group == "cn=citrix,ou=portal,ou=sslvpn,ou=roles,o=kls") {
      < // Status des benutzers auf OK setzten
      < $result = 1;
      < }
      < }
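Review bot: the required role DN is hard-coded at 253-261 and differs from the configuration shown later in this thread (`o=kls` here, `o=kl` in preferences.php), so check that it is not a typo and move it into a preferences.php setting. `$group == "cn=..."` is also an exact string match, whereas DN matching is case-insensitive and ignores spaces around the separators, so a server returning `CN=citrix,OU=portal,...` would fail the check; compare with strcasecmp() after normalising both DNs.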


      (See attached file: NSSLDAPAuthenticator.php)(See attached file:
      NSSDropbox.php)

      We know that this is a quick and dirty solution, but it works.

      Our question is whether such a request can be implemented cleanly in
      the installation source?

      Best regards

      Patrick Gaikowski
      Tel:     +49 7132 94 3568
      Fax:    +49 7132 94 73568
      E-Mail: patrick.gaikowski at kaufland.com
      KI 967800 IT International / Infrastruktur
      Office:
      Lindichstrasse 11
      D-74189 Weinsberg






      _______________________________________________
      ZendTo mailing list
      ZendTo at zend.to
      http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Jules

--
Julian Field MEng CITP CEng
www.Zend.To

Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
[Attachment "Authorization.zip" deleted by Patrick Gaikowski/IS/KI/KAUFLAND]
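The group-membership check this thread arrives at, as an added example written for this page rather than ZendTo's own code: it reads the configured membership attribute and role DN, compares DNs the way LDAP does (case-insensitively, ignoring spaces around the separators), and returns a result code instead of calling `$smarty` itself, since the fatal error on line 299 shows `$smarty` is not an object inside the authenticator. The function and constant names are hypothetical and the sample entry is constructed.

```php
<?php
// Added example (not ZendTo's own code): authorisation by LDAP group membership,
// modelled on the authLDAPMemberKey / authLDAPMemberRole settings in this thread.
// Result codes follow the thread: 1 = authenticated and authorised, 2 = authenticated
// but not in the required role; the caller that owns $smarty renders the message.
const AUTH_OK = 1;
const AUTH_NOT_AUTHORISED = 2;

// DN matching is case-insensitive and ignores spaces around the separators,
// so both sides are normalised before a plain string comparison.
function normaliseDn(string $dn): string {
    $parts = array_map('trim', explode(',', $dn));
    return strtolower(implode(',', $parts));
}

// $attributes: the user's entry as returned by ldap_get_attributes()
//              (attribute name => array of values carrying a 'count' element)
// $memberKey:  the membership attribute, e.g. 'groupMembership'
// $memberRole: DN of the role the user must hold
function authoriseByGroup(array $attributes, string $memberKey, string $memberRole): int {
    $wanted = normaliseDn($memberRole);
    foreach ($attributes as $key => $values) {
        // Attribute names are case-insensitive; the server may hand back 'groupmembership'.
        if (!is_string($key) || strcasecmp($key, $memberKey) !== 0) {
            continue;
        }
        foreach ((array)$values as $idx => $group) {   // cast: a single value may be a string
            if ($idx !== 'count' && normaliseDn($group) === $wanted) {
                return AUTH_OK;
            }
        }
    }
    return AUTH_NOT_AUTHORISED;   // fail closed: no match, or no membership attribute at all
}

// Constructed sample entry: lowercased attribute name and a differently cased and
// spaced DN, both of which an exact == comparison would have rejected.
$entry = array(
    'count' => 2, 0 => 'givenName', 1 => 'groupmembership',
    'givenName' => array('count' => 1, 0 => 'Patrick'),
    'groupmembership' => array('count' => 2,
        0 => 'cn=staff,ou=roles,o=kl',
        1 => 'CN=citrix, OU=portal, OU=sslvpn, OU=roles, O=kl'),
);
$role = 'cn=citrix,ou=portal,ou=sslvpn,ou=roles,o=kl';
echo authoriseByGroup($entry, 'groupMembership', $role) === AUTH_OK ? "authorised\n" : "denied\n";
echo authoriseByGroup($entry, 'groupMembership', 'cn=other,o=kl') === AUTH_OK ? "authorised\n" : "denied\n";
```

A user whose entry lacks the membership attribute entirely falls through to AUTH_NOT_AUTHORISED, which is the behaviour the original `$result=2` default was aiming for.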