mattv8 / yourls-ldap-plugin

Simple LDAP plugin for YOURLS


Plugin seems to be ignored

branhendricks opened this issue · comments

I have YOURLS 1.7.1 installed along with the latest version of the plugin. We are using Active Directory as our LDAP server. I have the info in config.php the same as we used on other AD related systems. When attempting to login with AD credentials I get invalid username or password, but am successful if I use the password that was entered in config.php. (I also tried removing the user altogether from config.php, but it made no difference.)

I haven't upgraded to 1.7.1, but from the changelog there doesn't seem to be anything that would break this plugin. You've definitely activated the plugin via the Manage Plugins screen?

If it's dying for some reason it should output to the PHP log. I'd start with that, then add in some debugging output to make sure it's actually opening a connection.

I started doing some output debugging. So far, it looks like the search user name and pass are not optional but required. The search function called further down cannot search unless the connection is bound to a user account.

I'm going to try to bind on the user credentials attempting to login rather than the search user. I'm just wondering if this could possibly create some security issue since the plugin wasn't written this way in the first place.

Off the top of my head I wouldn't think so - but I haven't looked over the code recently.

I've tested it using anonymous binding before though, and it has worked. It might be that your LDAP/AD setup requires a user account to bind?

It's probably the case that AD requires a login first. I did get it to work using the method I mentioned. I can share the code if desired.


Yes, share please. It may help others.

On February 11, 2016 11:35:10 AM PST, BrandonH-LSUHSC notifications@github.com wrote:

It's probably the case that AD requires a login first. I did get it to
work using the method I mentioned. I can share the code if desired.


In my experience, the following things have to be changed for Active Directory:

  • ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0); needs to be added
  • The code should try to bind as the logging in user before searching if LDAPAUTH_SEARCH_USER is not set. However, this needs to be changed such that a prefix or suffix can be added.
  • I use the field sAMAccountName to get the user name. In the $searchResult array this key is lowercased, so it should be lowercased when looking it up in $searchResult.

Wikimedia has an LDAP plugin that works: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

Also, the following change is necessary:

if (!$searchResult) return $value; -> if (empty($searchResult)) return $value; in case there are no results for the search.
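The changes discussed in this thread (binding as the logging-in user when no search account is configured, disabling referrals for Active Directory, reading the lowercased sAMAccountName key from the result array, and checking for an empty search result) combined into one login check. This is an added example, not the plugin's own code; the host, base DN, UPN suffix and function name are placeholders I chose for illustration, and the plugin's real constants may differ.

```php
<?php
// Added example (not from the yourls-ldap-plugin code base): authenticate a
// YOURLS login against Active Directory by binding with the user's own
// credentials, then looking the account up by sAMAccountName.
// All of the values below are assumed placeholders, not values from the issue.
define('LDAPAUTH_HOST', 'ldaps://dc.example.internal');   // assumed
define('LDAPAUTH_BASE', 'DC=example,DC=internal');        // assumed
define('LDAPAUTH_UPN_SUFFIX', '@example.internal');       // assumed suffix appended to build the bind name
define('LDAPAUTH_USERNAME_FIELD', 'sAMAccountName');

function ldapauth_example_is_valid_user($username, $password) {
    // AD treats an empty password as an unauthenticated bind and reports success,
    // so binding as the user requires rejecting blank passwords up front.
    if ($username === '' || $password === '') {
        return false;
    }

    $conn = ldap_connect(LDAPAUTH_HOST);
    if (!$conn) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD hands out referrals for other parts of the forest; following them makes
    // the later search fail, so referral chasing is switched off.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind as the logging-in user instead of a dedicated search account
    // (the "prefix or suffix" mentioned in the thread is the UPN suffix here).
    $bindName = $username . LDAPAUTH_UPN_SUFFIX;
    if (!@ldap_bind($conn, $bindName, $password)) {
        error_log('ldapauth: bind failed for ' . $username . ': ' . ldap_error($conn));
        ldap_unbind($conn);
        return false;
    }

    // Escape the username before placing it in the filter so that characters
    // such as '*' or ')' cannot change the meaning of the search.
    $filter = sprintf(
        '(%s=%s)',
        LDAPAUTH_USERNAME_FIELD,
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $search = ldap_search($conn, LDAPAUTH_BASE, $filter, array(LDAPAUTH_USERNAME_FIELD));
    if (!$search) {
        ldap_unbind($conn);
        return false;
    }
    $entries = ldap_get_entries($conn, $search);
    ldap_unbind($conn);

    // ldap_get_entries() lowercases attribute names, so the key is 'samaccountname'.
    // A search with no matches still returns a non-empty array with count = 0,
    // so the count is checked as well as the array itself.
    if (empty($entries) || $entries['count'] < 1) {
        return false;
    }
    $field = strtolower(LDAPAUTH_USERNAME_FIELD);
    $found = isset($entries[0][$field][0]) ? $entries[0][$field][0] : null;

    // Confirm the entry found really is the account that bound, not just any match.
    return $found !== null && strcasecmp($found, $username) === 0;
}
```

Two points worth keeping in mind when adapting this: a bind with the user's own credentials is only as safe as the blank-password check at the top, because an LDAP server will accept an unauthenticated bind for a valid name and an empty password; and if `$searchResult` in the plugin comes from `ldap_get_entries()`, `empty($searchResult)` alone does not catch a zero-match result, so the `count` element should be tested too.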