mattv8 / yourls-ldap-plugin

Simple LDAP plugin for YOURLS


Nothing works ...

yvangodard opened this issue · comments

I'm trying to test your plugin (which is just what I've been searching for for a while ...)... but nothing works.
It's OK to install the plugin and to activate it.
It's OK for the parameters in user/config.php :
define( 'LDAPAUTH_HOST', 'ldap://serveur.reseauenscene.fr' );
define( 'LDAPAUTH_PORT', '389');
define( 'LDAPAUTH_BASE', 'cn=users,dc=serveur,dc=reseauenscene,dc=fr' );
define( 'LDAPAUTH_USERNAME_FIELD', 'uid');
But when I try to log in... it's refused.
I had a look at the PHP / Apache logs but saw nothing that could help me ...
Could you help me?

commented

Hey,
I am not an LDAP expert myself, unfortunately - when I was testing the plugin, it worked for me on the test server. Maybe your server needs authentication to read the user data?

Anyway... look at the sources; ldap_connect seems to work for you if you don't see anything in the PHP error log. The problem could be in ldap_search or further down the source. You may try to add more echo "" commands to print what's going on.

It's a very basic implementation. If you have another PHP application using LDAP authentication which works for you, you may look there to see what's different. All LDAP functions are documented in PHP itself, so maybe you will be able to figure it out - http://php.net/ldap_search .

I had a similar issue connecting to Active Directory. I found that I had to set LDAPAUTH_USERNAME_FIELD to cn instead of the standard sAMAccountName to get it to work.

Hi Guys,

I have been trying to authenticate against AD. After installing, activating and configuring the plugin, nothing was happening at all. It simply won't log me in when I use my AD credentials.
Now, after fiddling with the config.php file, it seems at least that it tries to authenticate against AD, but comes back with the error Cannot connect to LDAP ldap//<SERVER.MYDOMAIN>
I can ping our AD from our YOURLS server, and iptables is configured to accept traffic.
Not sure what to check. Below is the LDAP configuration in config.php:

define( 'LDAPAUTH_HOST', 'ldap//<SERVER.MYDOMAIN>' ); // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
define( 'LDAPAUTH_PORT', '389' ); // LDAP server port - often 389 or 636 for TLS (LDAPS)
define( 'LDAPAUTH_BASE', 'cn=users,dc=SERVER,dc=DOMAIN,dc=local' ); // Base DN (location of users)
define( 'LDAPAUTH_USERNAME_FIELD', 'cn'); // (optional) LDAP field name in which the username is stored
define( 'LDAPAUTH_GROUP_ATTR', 'SECURITY_GROUP' ); // (optional) LDAP groups attr

There needs to be a colon ( :) before the //, so ldap://<SERVER.MYDOMAIN>.

Many Thanks, Jorrit.
I must have removed it while I was fiddling with the config. Now I have added the missing ( : ) and it seems to pass that error, but now it's complaining about binding the search user:

Couldn't bind search user cn=administrator,dc=DOMAIN,dc=DOMAIN

commented

This means ldap_bind() was not successful: http://php.net/manual/en/function.ldap-bind.php

Have a look in the code. There are two ways to bind:

  1. you use define( 'LDAPAUTH_BIND_WITH_USER_TEMPLATE', '%s@myad.domain' ); In that case the bind RDN will be made from the template by substituting %s with the login form username. For the password, the password provided in the login form will be used. So binding is done for each user separately.

  2. or you define LDAPAUTH_SEARCH_USER (something like a 'superuser' RDN) and LDAPAUTH_SEARCH_PASS to authenticate that user. So binding is done for one specific RDN.

Let me know if that helped.
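The two bind strategies described above, written out as one PHP function. This is an added example, not the plugin's own code: the LDAPAUTH_* constant names are the plugin's, while the function name ldapauth_try_bind, the empty-password guard, the ldap_escape() filter escaping and the LDAP_OPT_REFERRALS setting are my additions.

```php
<?php
// Added example (not from the plugin): authenticate a login-form username/password
// using either the template bind (way 1) or the search-user bind (way 2).
// Assumes the LDAPAUTH_* constants from user/config.php are already defined.

function ldapauth_try_bind(string $username, string $password): bool
{
    // Many LDAP servers treat an empty password as an anonymous (unauthenticated)
    // bind and report success, so an empty form password must never reach ldap_bind().
    if ($username === '' || $password === '') {
        return false;
    }

    // Build a single URI: a bare host name gets the ldap:// scheme, a URI keeps its own.
    $host = LDAPAUTH_HOST;
    if (strpos($host, '://') === false) {
        $host = 'ldap://' . $host;
    }
    $ds = ldap_connect($host . ':' . (int) LDAPAUTH_PORT);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // Active Directory referrals otherwise break searches

    if (defined('LDAPAUTH_BIND_WITH_USER_TEMPLATE')) {
        // Way 1: bind name from the template (e.g. '%s@myad.domain'), password from the form.
        $bindName = sprintf(LDAPAUTH_BIND_WITH_USER_TEMPLATE, $username);
        $ok = @ldap_bind($ds, $bindName, $password);
        if (!$ok) {
            error_log('ldapauth: user bind failed: ' . ldap_error($ds));
        }
        ldap_unbind($ds);
        return $ok;
    }

    // Way 2: bind once as the privileged search user, find the user's DN,
    // then bind again as that DN with the password from the login form.
    if (!@ldap_bind($ds, LDAPAUTH_SEARCH_USER, LDAPAUTH_SEARCH_PASS)) {
        error_log("Couldn't bind search user " . LDAPAUTH_SEARCH_USER . ': ' . ldap_error($ds));
        ldap_unbind($ds);
        return false;
    }
    $field = defined('LDAPAUTH_USERNAME_FIELD') ? LDAPAUTH_USERNAME_FIELD : 'uid';
    // Escape the username so a crafted login name cannot change the filter structure.
    $filter = '(' . $field . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, LDAPAUTH_BASE, $filter, ['dn']);
    $entries = $sr ? ldap_get_entries($ds, $sr) : ['count' => 0];
    if ($entries['count'] !== 1) {
        // No match, or more than one match: treat both as a failed login.
        ldap_unbind($ds);
        return false;
    }
    $ok = @ldap_bind($ds, $entries[0]['dn'], $password);
    if (!$ok) {
        error_log('ldapauth: user bind failed: ' . ldap_error($ds));
    }
    ldap_unbind($ds);
    return $ok;
}
```

The error text "Couldn't bind search user ..." from the previous comment corresponds to the first ldap_bind() in way 2 failing; ldap_error() on that handle gives the server's reason (typically invalid credentials, or a DN that does not exist under the given base).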

Hi,

I have added a privileged user and that seems to have fixed the search issue and now AD users can login with their credentials.
However, I stumbled on another issue with group permissions. I have defined a group to allow only certain users. Below is the code:

define( 'LDAPAUTH_HOST', 'ldap://xx.xxxx.xxxx' ); // LDAP host name, IP or URL. You can use ldaps://host for LDAP with TLS
define( 'LDAPAUTH_PORT', '389' ); // LDAP server port - often 389 or 636 for TLS (LDAPS)
define( 'LDAPAUTH_BASE', 'cn=Users,dc=xxxx,dc=xxxx' ); // Base DN (location of users)
define( 'LDAPAUTH_USERNAME_FIELD', 'userPrincipalName'); // (optional) LDAP field name in which the username is stored
define( 'LDAPAUTH_SEARCH_USER', 'cn=xxxxxx,cn=Users,dc=xxxx,dc=xxxx' ); // (optional) Privileged user to search with
define( 'LDAPAUTH_SEARCH_PASS', 'xxxxxxxx'); // (optional) (only if LDAPAUTH_SEARCH_USER set) Privileged user pass
define( 'LDAPAUTH_GROUP_ATTR', 'XXX-XXX' ); // (optional) LDAP groups attr
define( 'LDAPAUTH_GROUP_REQ', 'XXX-XXX' ); // (optional) LDAP groups attr
define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub', and will check for the user in all the subtree. The other option is 'base', that will search only me$
define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which caches users in the options table. 0 turns off cacheing. Other values are currently undefined, but may be

If I keep the code as this, it prevents every user from logging in, whether that user is a member of the group XXX-XXX or not, with the error Not in admin group .
If I omit one of the two lines define( 'LDAPAUTH_GROUP_ATTR or define( 'LDAPAUTH_GROUP_REQ it allows all users to log in regardless of group membership.

I have also tried to use the group name all in lower-case, but the result was the same.

commented

Hmm, it looks like group matching needs to be rewritten. Do you need it working very soon? I am OK with dedicating time to this over the weekend.

commented

This group matching code was contributed by someone else so unfortunately I don't exactly know how it is supposed to work. And I don't have a working LDAP installation with memberOf groups.

But from the code it looks like:

LDAPAUTH_GROUP_ATTR and LDAPAUTH_GROUP_REQ both must be defined for group restriction to work.

LDAPAUTH_GROUP_ATTR describes an attribute on a group describing usernames of group members. It is probably "memberof" or "memberOf".

LDAPAUTH_GROUP_REQ describes a semicolon-separated list of groups. Probably the full path, like cn=mygroup,ou=groups,dc=example,dc=com

The relevant part of the code is at https://github.com/k3a/yourls-ldap-plugin/blob/master/plugin.php#L149 . Maybe it could be rewritten to one single ldap_search with a complex filter, but I can't do that as I don't have a proper testing environment. :(

I actually wrote the group code - and have completely rewritten it for my own setup so it doesn't need to make multiple calls. I'll create a pull request with the changes, it'll take a little while as I haven't updated to the latest version of the plugin and need to check it doesn't break anything.

See #14 for an updated version that doesn't require a separate LDAP call for groups checks.

commented

Can you test the new code, @kalamchi75? When constants are defined, it tests whether the user attempting to log in has LDAPAUTH_GROUP_ATTR attributes containing one of the semicolon-separated values from LDAPAUTH_GROUP_REQ.
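The group check as described in this comment and in the earlier one about LDAPAUTH_GROUP_ATTR / LDAPAUTH_GROUP_REQ, written as a stand-alone PHP function over an entry in the shape ldap_get_entries() returns. This is an added example, not the plugin's or #14's code; the function name ldapauth_user_in_required_group and the sample entry are constructed for illustration.

```php
<?php
// Added example (not from the plugin): does the user's LDAPAUTH_GROUP_ATTR attribute
// contain one of the semicolon-separated values from LDAPAUTH_GROUP_REQ?
// $entry is one element of the array ldap_get_entries() returns.

function ldapauth_user_in_required_group(array $entry, string $groupAttr, string $groupReq): bool
{
    // ldap_get_entries() lowercases attribute names, so the lookup key must be lowercased too.
    $key = strtolower($groupAttr);
    if (!isset($entry[$key]) || !is_array($entry[$key])) {
        // The attribute is not present on this user object at all (e.g. a "group"
        // attribute that AD does not have): nothing can match, so deny.
        return false;
    }

    // Values the user actually carries, compared case-insensitively because
    // neither DNs nor AD group names are case-sensitive.
    $have = [];
    for ($i = 0; $i < $entry[$key]['count']; $i++) {
        $have[] = strtolower(trim($entry[$key][$i]));
    }

    // Required values: split on ';', trim, drop empty pieces.
    $required = array_filter(array_map('trim', explode(';', $groupReq)), 'strlen');
    foreach ($required as $req) {
        if (in_array(strtolower($req), $have, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample entry in ldap_get_entries() shape (not real directory data).
$sampleEntry = [
    'dn'       => 'CN=Jane Doe,CN=Users,DC=example,DC=local',
    'memberof' => [
        'count' => 2,
        0       => 'CN=YOURLS Admins,OU=Groups,DC=example,DC=local',
        1       => 'CN=Domain Users,CN=Users,DC=example,DC=local',
    ],
];

// Full group DN in LDAPAUTH_GROUP_REQ, memberOf on the user: allowed.
var_dump(ldapauth_user_in_required_group(
    $sampleEntry,
    'memberOf',
    'cn=yourls admins,ou=groups,dc=example,dc=local;cn=Other,ou=Groups,dc=example,dc=local'
));
// Bare group name instead of its DN: denied, since memberOf holds DNs.
var_dump(ldapauth_user_in_required_group($sampleEntry, 'memberOf', 'YOURLS Admins'));
// Attribute "group" does not exist on the user object: denied for everyone.
var_dump(ldapauth_user_in_required_group($sampleEntry, 'group', 'YOURLS Admins'));
```

Only the first call is allowed: the second fails because memberOf values are full DNs rather than bare names, and the third fails because the user object has no attribute named "group", which is the same outcome for every user and matches the "everyone is refused" behaviour reported above when both constants are set to a bare name.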

Hi,

Still getting the same result "Not in LDAP group" whether the user is in the group or not. I have also tried to type the group name in lower-case in the config.php file, but that didn't help. If I comment out one of the lines below, it will allow all users to log in regardless of the group:

define( 'LDAPAUTH_GROUP_ATTR', 'group' );
define( 'LDAPAUTH_GROUP_REQ', 'group' );

Below is the full code:

define( 'LDAPAUTH_PORT', '389' ); // LDAP server port - often 389 or 636 for TL$
define( 'LDAPAUTH_BASE', 'cn=Users,dc=domain,dc=domain' ); // Base DN (location o$
define( 'LDAPAUTH_USERNAME_FIELD', 'userPrincipalName'); // (optional) LDAP fie$
define( 'LDAPAUTH_SEARCH_USER', 'cn=AD Searcher,cn=Users,dc=domain,dc=domain' ); // $
define( 'LDAPAUTH_SEARCH_PASS', 'password'); // (optional) (only if LDAPAUTH_S$
//define( 'LDAPAUTH_GROUP_ATTR', 'group' ); // (optional) LDAP groups attr
define( 'LDAPAUTH_GROUP_REQ', 'group' ); // (optional) LDAP groups attr
define( 'LDAPAUTH_GROUP_SCOP', 'sub' ); // if not defined the default is 'sub',$
define( 'LDAPAUTH_USERCACHE_TYPE', 0); // (optional) Defaults to 1, which cache$

I am not sure if I am doing something wrong in the code. Please have a look.

Thanks

commented

Do you really have a "group" attribute on user objects, as you specified in LDAPAUTH_GROUP_ATTR? It is more common to use the memberOf attribute for group membership.

It is difficult to help you without seeing your LDAP objects, but I know these are private. I am also not an LDAP guru who can immediately see where the problem is. I am afraid I can't help you. The code is public and the PHP documentation for the functions is available, so you are free to debug / modify the code to suit your needs.