LDAP

Combining CAS and LDAP

After going over CAS and LDAP, I thought I would do an example where both are used together. I have some software like this, it allows users to log in and then LDAP can go and get their full name. The example is mostly the CAS example with some LDAP added on. All I did was add on the LDAP code into the section where a user is logged into CAS. I use CAS to get the username of the user and feed it into LDAP. Below is the new index of the CAS example, nothing else is changed:

<?PHP
//Dan Berkowitz LDAP tutorial, May 2013, Buildingtents.com

include_once(“./CAS-1.3.2/CAS.php”);
phpCAS::client(CAS_VERSION_2_0,’cas-auth.rpi.edu’,443,’/cas/’);
// SSL!
phpCAS::setCasServerCACert(“./CACert.pem”);//this is relative to the cas client.php file

if (phpCAS::isAuthenticated())
{

$LDAPCON = ldap_connect(“ldap.rpi.edu”); //Have to be internal to VCC or VCC firewall will block
$LDAPBIND = ldap_bind($LDAPCON);
$ResultArray = Array();
$filterArray = array(“givenname”, “sn”);
$LDAPSEARCH = ldap_search($LDAPCON, “dc=rpi, dc=edu”, “(uid=” . phpCAS::getUser() . “)”, $filterArray, 0 , 10);
$LDAPRESULTS = ldap_get_entries($LDAPCON, $LDAPSEARCH);
//print_r($LDAPRESULTS);
for ($i = 0; $i < $LDAPRESULTS[“count”]; $i++)
{
$tempRow = Array();
array_push($tempRow, $LDAPRESULTS[$i][“givenname”][0]);
array_push($tempRow, $LDAPRESULTS[$i][“sn”][0]);
array_push($ResultArray, $tempRow);
}
ldap_close($LDAPCON);

echo “User:” . phpCAS::getUser();
if (sizeof($ResultArray) == 1)
{
echo ” ” . $ResultArray[0][0] . ” ” . $ResultArray[0][1];
}
echo “<a href=’./logout.php’>Logout</a>”;
}else{
echo “<a href=’./login.php’>Login</a>”;
}

?>

Download: https://github.com/daberkow/daberkow.github.io/blob/master/CASExample.zip

LDAP Authentication RPI Tutorial (Part 3)

Now that we have gone over how to setup LDAP, and went into some more depth about how to search using it, we will now look at actually writing a web page in PHP that uses LDAP. As always, I will be using RPI as my example but this should work for anyone with an LDAP system. (Note to people at RPI, you need to VPN in unless you are in the VCC for this to work, I have had luck with doing this in Lally, but in the Union it failed) The first example will go over how to just use LDAP to return information; the second one will incorporate the CAS example that was done before, and search for the user that logs in, this will be put out in a few days. The LDAP servers I am using do not require authentication, if the one you are using does then you will need to go to http://www.php.net/manual/en/function.ldap-bind.php and look at using authentication on your bind command.

  1. Within a new PHP document, enter the following line with ‘ldap.rpi.edu’ replaced with your LDAP server. The variable can be named anything as long as you remember it is for the connection.
    • “$LDAPCON = ldap_connect(‘ldap.rpi.edu’);”
  2. Now we have to bind to the server, this is when credentials are given (if needed) and we fully connect. If the server is unreachable, or you are not permitted to connect this is where PHP will throw an error. As you can see, we create a new variable for the binding, and feed in our connection variable.
    • “$LDAPBIND = ldap_bind($LDAPCON);”
  3. We have seen before that LDAP can return vast amounts of information on a single item, and since many servers have a limit on how much they will return it is good practice to filter for just what we want back. Here I will be requesting the “givenname” and “sn” for each user. These items must be put into an array like shown.
    • “$filterArray = array(‘givenname’,’sn’);”
  4. The core of the search is the search command. Here we give all the different compounds we have made and put them together. First, we enter the connection to use; second, we enter the base for the search (described in part 1&2). Following that we enter a filter for how we want to search the directory, this is not the filter we setup one step ago but a filter to tell the central LDAP what we are looking for. I am searching for anyone with a UID that starts with ‘berkod’. Then we enter the filter we setup earlier for the types of data we want returned. The last two settings are setup per instance; start with a 0 or 1 for attributes only filter, 0 means return the full data, 1 means that you just want the type returned if data exists (this is for more of a fast exploratory search). To end the command you enter the number of results that should be returned; 0 is no limit, yet I am hoping to search usernames and get 1 result. I entered 10 just so if more than 1 user exists under my filter I will know.
    • $LDAPSEARCH = ldap_search($LDAPCON, “dc=rpi, dc=edu”, “(uid=berkod*)”, $filterArray, 0 , 10);
  5. The results from the search have to be stored in a separate variable
    • $LDAPRESULTS = ldap_get_entries($LDAPCON, $LDAPSEARCH);
  6. Now for a quick and dirty view of the result you can simply print out the data
    • “print_r($LDAPRESULTS);”
  7. But that just lets you quickly see if you are getting data back, to properly put the data into an array use the following code. This will get the two pieces we requested for each user (“givenname” and “sn”) and store them in an array; then put that array into another array. The final format is $variable[$user][0 for ‘givenname’/ 1 for ‘sn’]. This data can be used by other code or printed out.
    • $ResultArray = Array();
      for ($i = 0; $i < $LDAPRESULTS[“count”]; $i++)
              {
                  $tempRow = Array();
                  array_push($tempRow, $LDAPRESULTS[$i][“givenname”][0]); // 0 is used because my database just has one item per user
                  array_push($tempRow, $LDAPRESULTS[$i][“sn”][0]);
                  array_push($ResultArray, $tempRow);
              }
  8. Then for good practice close the LDAP connection
    • “ldap_close($LDAPCON);”

The next post will go over combining CAS and LDAP. Until then thanks for commenting and feel free to ask questions.

References:

http://www.php.net/manual/en/function.ldap-search.php

LDAP Authentication RPI Tutorial (Part 2)

Last time I spoke of how to setup ldap with PHP and briefly touched on using the “ldapsearch” command. I would like to go more in-depth on “ldapsearch”, and show you how you can use it to craft searches for your PHP application. Specifically for RPI, if the user has a RCS account, they can ssh into “rcs-ibm.rpi.edu” and run the following commands. (RCS-IBM puts you on either clark.server.rpi.edu or lewis.server.rpi.edu, these two have the commands you need on them and run AIX) To briefly review the command:

  • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
  • ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘uid=berk*’”

The main part of the search we will be editing is the ending. Here we specify a filter to find the information we are attempting to access. Each LDAP server has different attributes it can give about each object. For example, the ldap.rpi.edu server gives out “givenName, objectClass, cn(full concatenated name, or common name), sn (surname), loginShell,” and many others; while at the same time “ldap1.server.rpi.edu” returns a much different lists of results.

Finding Which Attributes Will be Returned

The best way to find which fields are available is by doing a search without a filter. Just running the search below will return an unfiltered list of everything in the directory, up till you hit the individual servers limit. I am purposefully not publishing results from these searches for privacy reasons; here is some results for me with some data omitted.

  • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’”
  • # berkod2, accounts, rpi, edu
    dn: uid=berkod2,ou=accounts,dc=rpi,dc=edu
    sn: Berkowitz
    cn: Berkowitz, Daniel
    objectClass: top
    objectClass: posixAccount
    objectClass: inetOrgPerson
    objectClass: eduPerson
    objectClass: rpiDirent
    objectClass: mailRecipient
    objectClass: organizationalPerson
    objectClass: person
    uid: berkod2
    loginShell: /bin/bash
    uidNumber: #####
    mailAlternateAddress: berkod2@rpi.edu
    givenName: Daniel
    gecos: Daniel  Berkowitz
    rpiclusterhomedir: /home/berkod2
    description: PRIMARY-STU
    homeDirectory: /home/06/berkod2
    gidNumber: ###

Now that we have an idea about the data structure and what this server has on it we can reverse the lookup and tweak it. I know ‘uid’ will be the username, and I can get the users name from that! So using CAS I can log a user in and get their username, then I can lookup there LDAP information. (EXAMPLE 1) If a user enters a name, then a user can search for their UID doing the reverse. (EXAMPLE 2) The wild card can also be used if the full name is not known. (EXAMPLE 3) Last we can use multiple fields, combining these ideas to narrow down the result. (Example 4)

  • Example 1
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘uid=berkod2’”
  • Example 2
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berkowitz’”
  • Example 3
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berko*’”
  • Example 4
    • “ldapsearch -h ‘ldap.rpi.edu’ -x -b ‘dc=rpi, dc=edu’ ‘sn=Berko*’ ‘uid=berkod*'”

LDAP Authentication RPI Tutorial (Part 1)

After writing about how to use CAS with PHP, I thought I would write a post about how to use LDAP(Lightweight Directory Access Protocol) at RPI but these methods can be used anywhere. LDAP is a protocol to query user databases, this is a protocol that can be sed along with Active Directory, or another directory system for computers and user accounts. This protocol is widely used to allow different applications to interact with your user database. Here I will be showing how to implement search with LDAP to a web application. This guide will be using LDAP with PHP, this requires the LDAP module to be enabled within PHP; that will be the purpose of this article, then the next one will discuss how to actually query LDAP.

LDAP Linux (Debian/Ubuntu) Install

Linux is easy to get LDAP working with PHP, as long as you have a standard installation of Apache, with PHP 5 working.

  1. Install the LDAP module onto the machine, using either aptitude or apt-get
    • “sudo aptitude install php5-ldap”
    • OR “sudo apt-get install php5-ldap”
  2. PHP should now be able to use LDAP, if it is not working yet, you will need to restart Apache.
    • “sudo service apache2 restart”

LDAP Windows (XAMPP) Install

Xampp for Windows comes with LDAP, but there is a bug in their implementation and a file needs to be copied before LDAP will work. I am going to use “C:\xampp”, the default directory for Xampp in this example.

  1. Go into the PHP folder, C:\xampp\php\
  2. Edit the file “php.ini” with any text editor
  3. Find the line “;extension=php_ldap.dll”, and remove the semi-colon. “extension=php_ldap.dll”
  4. Now if you were to reboot Apache it should be working, but its not! Why not? There is a missing DLL. You need to
    copy libsasl.dll from c:\xampp\php\libsasl.dll to C:\xampp\apache\bin\.
  5. Now restart Apache

LDAP Search

Now that PHP can search LDAP we are going to want to start creating queries in PHP; but it is much easier to tweak the search in the command line, and then put that query into PHP. The following are steps that can be taken on a Linux computer (again Ubuntu/Debian) to install and use a ldap command line search.

  1. First we need to install the OpenLDAP utilities that will give us the “ldapsearch” command
    • “sudo aptitude install openldap-utils”
    • OR “sudo apt-get install openldap-utils”
  2. Now we are making our query
    • First we add the command, then enter the host you are searching, tell the server to try simple anonymous authentication. Next give the server a base to start the search (I am using RPI specific domain components), finally we have to give the heart of our search. I am looking for any Unique ID (username) that starts with “berk”, and ends with anything “*”.
    • ldapsearch -h “ldap.rpi.edu” -x -b “dc=rpi, dc=edu” “uid=berk*”
    • Now this gives one result, and this can be used to see what data will be returned from this server. You can also try “ldap1.server.rpi.edu” this returns a entirely different list of variables, and sometimes more users.
    • If you are interested in researching this command more, die.net has a great resource. http://linux.die.net/man/1/ldapsearch
    • Troubleshooting: For those of you here at RPI trying to follow this guide specifically, if you do not get any results or a error connecting, RPI firewalls the LDAP servers heavily. I have found a lot of the time I have to be in the VCC to make this work, you can also VPN in, then your network connection is within the VCC and it will work. I have VPNed in, while on campus in the Union to get LDAP to work.

UPDATE: I added a little about what LDAP is