  1. #1

    russdev

    MRBS ldap

    Trying to get MRBS to talk to our CC4 server (should be no difference between CC3 and CC4).

    Got settings as follows, can't see what I am doing wrong.



    // 'auth_ldap' configuration settings
    // Where is the LDAP server
    //$ldap_host = "servername.Internal";
    // If you have a non-standard LDAP port, you can define it here
    //$ldap_port = 389;
    // If you do not want to use LDAP v3, change the following to false
    $ldap_v3 = true;
    // If you want to use TLS, change the following to true
    $ldap_tls = false;
    // LDAP base distinguish name
    // See AUTHENTICATION for details of how check against multiple base dn's
    //$ldap_base_dn = "ou=Teaching Staff,ou=LHS,ou=Establishments,dc=lhs, dc=internal";
    // Attribute within the base dn that contains the username
    //$ldap_user_attrib = "uid";
    // If you need to search the directory to find the user's DN to bind
    // with, set the following to the attribute that holds the user's
    // "username". In Microsoft AD directories this is "sAMAccountName"
    //$ldap_dn_search_attrib = "sAMAccountName";
    // If you need to bind as a particular user to do the search described
    // above, specify the DN and password in the variables below
    // $ldap_dn_search_dn = "cn=Search User,ou=Users,dc=some,dc=company";
    // $ldap_dn_search_password = "some-password";

    // 'auth_ldap' extra configuration for ldap configuration of who can use
    // the system
    // If it's set, the $ldap_filter will be combined with the value of
    // $ldap_user_attrib like this:
    // (&($ldap_user_attrib=username)($ldap_filter))
    // After binding to check the password, this check is used to see that
    // they are a valid user of mrbs.
    //$ldap_filter = "mrbsuser=y";

    Any ideas?

  2. #2
    Marci

    You are using a version of the above with the //'s removed from the relevant lines, aren't you? E.g...

    Code:
    // 'auth_ldap' configuration settings
    // Where is the LDAP server
    //
    // ** A space separated list of IP addresses works here for multiple servers. **
    // ** LHS-SR-001.internal LHS-SR-002.internal etc should also work if you get correct **
    // ** IP response when pinging those names at CLI via SSH **
    //
    $ldap_host = "10.x.x.1 10.x.x.2"; 
    
    // If you have a non-standard LDAP port, you can define it here
    $ldap_port = 389;
    
    // If you do not want to use LDAP v3, change the following to false
    $ldap_v3 = true;
    
    // If you want to use TLS, change the following to true
    $ldap_tls = false;
    
    // LDAP base distinguish name
    // See AUTHENTICATION for details of how check against multiple base dn's
    $ldap_base_dn = "ou=Teaching Staff,ou=LHS,ou=Establishments,dc=lhs, dc=internal";
    
    // Attribute within the base dn that contains the username
    $ldap_user_attrib = "uid";
    
    // If you need to search the directory to find the user's DN to bind
    // with, set the following to the attribute that holds the user's
    // "username". In Microsoft AD directories this is "sAMAccountName"
    $ldap_dn_search_attrib = "sAMAccountName";
    
    // If you need to bind as a particular user to do the search described
    // above, specify the DN and password in the variables below
    //
    // ** EG: create an Admin level account in CC4, and use its credentials below...  **
    // ** I've set it below for a username of ldapbind with password as QAZwsx~[0 **
    //
    $ldap_dn_search_dn = "cn=ldapbind,ou=System Administrators,ou=LHS,ou=Establishments,dc=lhs, dc=internal";
    $ldap_dn_search_password = "QAZwsx~[0";

    Have denoted my added comments between **'s

    Alternative way is to secure a directory using .htaccess / LDAP, stick MRBS in there, and set it to remote authentication (I think)... Apache captures the user name and sets it as $_PHP_AUTH_USER, which MRBS then uses for userid for any entries booked during that session iirc. However, the OUs that Apache will let you use are restricted to a single branch (or I've never found a way to make it check multiple OUs). Sample .htaccess follows...

    Code:
    Order deny,allow
    Deny from All
    AuthName "PLEASE USE YOUR REGULAR CURRICULUM NETWORK USERNAME AND PASSWORD"
    AuthType Basic
    AuthLDAPBindDN ldapbind
    AuthLDAPBindPassword QAZwsx~[0
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPUrl "ldap://10.126.96.33 10.126.96.34/ou=Teaching Staff,ou=HOR,ou=Establishments,dc=Horbury,dc=Internal?cn"
    
    #
    # --Uncomment next line for Group authentication
    #
    # Require ldap-group cn=HOR ITtechTeam,ou=HOR,ou=Establishments,dc=Horbury,dc=Internal
    Require valid-user
    Satisfy any

    I do also have a PHP system however that ties to LDAP happily, can explore whatever OUs you specify, and can then be used to set the $_REMOTE_AUTH_USER, which can then pass THAT onto MRBS or any other PHP app that uses session-based authentication to integrate any other similar apps into a single-sign-on kinda setup over the web. S'clunky, but functional... haven't put it into use yet due to lack of time to carry on working on it.

    Bear in mind the above examples use an administrative user account to bind to LDAP to allow it to perform searches... which means if your webserver is ever compromised, they potentially get an admin account on your network... I don't use the search functionality so have those disabled, pending time to set up a user that has full read-only access to the directory.
    Last edited by Marci; 29th April 2009 at 07:33 PM.

  3. #3

    russdev

    Oh dear, what a newbie mistake: no, had not removed the comment lines... doh.

    Using IIS as not got a spare box for WAMP. Anyway, that was a doh moment.

    Russ

  4. #4

    russdev

    Right, still the same once I put the correct values in, using the sample one you posted. Must be missing something obvious.

    Russ

  5. #5
    Marci

    Further up in the same file... have you got an uncommented line specifying:

    Code:
    $auth["type"] = "ldap";

    ...cos you need to have to turn LDAP auth on.

    Also, on inspection of my config file... within the LDAP fields above you've got $ldap_user_attrib="uid"... for mine it's "cn", although iirc you can also use "sAMAccountName".

    Code:
    // Attribute within the base dn that contains the username
    $ldap_user_attrib = "cn";

    If you're still having problems, LDAP port may not be open on your DCs, in which case, try aiming the query at the GlobalCatalog port (3268) instead...

    Code:
    // If you have a non-standard LDAP port, you can define it here
    $ldap_port = 3268;

    If still struggling from there, then check that PHP is compiled on your server with authldap support... shove a file up with contents as

    Code:
    <?php
    
    phpinfo();
    
    ?>

    ...and visit in a browser.

    Under the PHP "Configure Command" section, look for '--with-ldap'. If it ain't there, then PHP can't talk via LDAP no matter what you try. You may also need to install OpenLDAP on the server... but I'm not that clued up on hosting on Windows machines running IIS... I'm a FreeBSD/Apache fella meself when it comes to webservers.
    Last edited by Marci; 30th April 2009 at 09:53 AM.
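
The failure modes raised in the posts above (settings left commented out, `$auth["type"]` not set to `ldap`, `$ldap_tls` off, an administrative search-bind account) can be checked mechanically. The following is an added example, not part of any post and not MRBS code: a small Python audit run over a constructed config excerpt. The finding codes, the placeholder hosts and DNs, and the "admin" heuristic are assumptions.

```python
import re

# Constructed sample shaped like the thread's first post (hosts and DNs are placeholders).
SAMPLE_CONFIG = '''
$auth["type"] = "db";
//$ldap_host = "dc1.example.internal";
$ldap_v3 = true;
$ldap_tls = false;
//$ldap_base_dn = "ou=Staff,dc=example,dc=internal";
//$ldap_user_attrib = "uid";
$ldap_dn_search_dn = "cn=ldapbind,ou=System Administrators,dc=example,dc=internal";
$ldap_dn_search_password = "placeholder";
'''

# One PHP assignment per line, optionally disabled with // or #.
ASSIGN = re.compile(r'^\s*(?P<off>(?://|#)\s*)?\$(?P<name>\w+(?:\["\w+"\])?)\s*=\s*(?P<val>.+?);')
REQUIRED = ("ldap_host", "ldap_base_dn", "ldap_user_attrib")

def parse(text):
    """Split settings into active and commented-out dicts (name -> raw value)."""
    active, commented = {}, {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            target = commented if m["off"] else active
            target[m["name"]] = m["val"].strip().strip("\"'")
    return active, commented

def audit(text):
    """Return (code, message) findings for the failure modes raised in the thread."""
    active, commented = parse(text)
    findings = []
    if active.get('auth["type"]') != "ldap":
        findings.append(("auth-type", '$auth["type"] is not "ldap"; LDAP settings are unused'))
    for name in REQUIRED:
        if name not in active:
            state = "commented out" if name in commented else "missing"
            findings.append(("inactive", f"${name} is {state}"))
    if active.get("ldap_tls", "false").lower() != "true":
        findings.append(("tls-off", "$ldap_tls is off; bind passwords cross the network unencrypted"))
    # Heuristic (assumption): an 'admin' component in the search DN suggests a privileged account.
    if re.search(r"admin", active.get("ldap_dn_search_dn", ""), re.I):
        findings.append(("privileged-bind", "search bind DN looks administrative; use a read-only account"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"[{code}] {message}")
```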

  6. #6
    Marci

    Dunno if it's of use to you but been sniffing around... if (in IIS) you configure the folder/site that MRBS is within to use "Digest Authentication for Windows domain server", and then set MRBS to

    Code:
    $auth["session"] = "remote_user"; 
    $auth["type"] = "none";

    IIS passes the captured username as a SystemVariable (AUTH_USER), which can then be used for MRBS's authentication (again, I think) - should work if your webserver is a member of the domain.

    S'basically the same as using the .htaccess/Apache method I mentioned above.

  7. #7


    mrbs with ldap

    Hello friends,
    I'm new to this site. I've followed the steps provided by you guys but I'm still not able to connect my MRBS through LDAP.
    Please help.
    Is there any other file in which changes have to be made apart from config.inc.php for LDAP to work?


