Authentication
Last Modified: August 22, 2003 08:08AM
Description
| $g_login_method | One of: MD5, LDAP, PLAIN, CRYPT, CRYPT_FULL_SALT, BASIC_AUTH. Some systems (mostly non-Unix) do not have crypt support in PHP. MD5 will accomplish almost the same thing. PLAIN is plain text: no attempt is made to secure the password in the database. You will not be able to easily convert between encryption methods, so this needs to be chosen at install time. CRYPT was the default until 0.17.0; MD5 is now the default. Try CRYPT_FULL_SALT if CRYPT is not working. |
| $g_ldap_server | The LDAP server (e.g. ldaps://ldap.example.com). |
| $g_ldap_port | LDAP port (default 636). |
| $g_ldap_root_dn | "dc=example, dc=com" |
| $g_ldap_organisation | "(organizationname=*Example)" |
| $g_use_ldap_email | Use the email address in LDAP rather than the email stored in the database. |
| $g_ldap_bind_dn | "cn=Manager, dc=example, dc=com" |
| $g_ldap_bind_passwd |
|
| LDAP authentication method. |
|
User Contributed Notes Authentication |
|
klitzing@pool.informatik.rwth-aachen.de 22-Dec-2003 6:23 |
#41
|
error in documentation (s and z):
use $g_ldap_organization instead of $g_ldap_organisation |
|
johnsmith1888@yahoo.fr 04-Mar-2004 11:20 |
#80
|
By default php uses protocol mode version 2 for ldap bind.
So LDAP auth fails miserably when the server is version 3 only.
New versions of openldap (v 2.1.5+) start up in version 3.
You can either use the ldap_set_option command to change the version that php expects (I added
@ldap_set_option($t_ds, LDAP_OPT_PROTOCOL_VERSION, 3);
on line 142 of core/ldap_api.php ) or set "allow bind_v2" in the slapd.conf file. |
|
moudsen@allshare.nl 09-Dec-2004 15:56 |
#283
|
LDAP is not functioning well. When authenticating against Novell NDS, an empty password lets anyone in. Found some redesign considerations for the way to authenticate; will post some additional code here when ready.
Some extra functionality like an LDAP import would be nice. Scan LDAP tree, present entries with checkbox, filtering out already established accounts. Send welcome e-mail to all checked/created accounts.
More (system/user) functions:
- LDAP cleanup. Delete accounts when deleted within LDAP.
- Must be member of certain group after authentication. |
|
rodolfo.novak@gmail.com 11-Mar-2005 21:14 |
#375
|
Hi,
How do I turn off "[Signup for a new account]" from the login page? |
|
thierry.vermeersch@nl.abb.com 14-Mar-2005 17:00 |
#379
|
I would really appreciate a bit more documentation on this subject.
I've enabled LDAP, and after struggling several hours, Mantis can now bind to my LDAP server....but actual authentication does not work.
I still don't understand what Mantis should do in the background. If a new user logs in, does Mantis create on the fly a user entry with a default role? Or does Mantis just use LDAP for a password/email lookup, but only on manually created accounts?
I've created an account in Mantis, say user abc. I've enabled debugging and this is the output when I try to log in:
1 0.0014 SELECT id FROM mantis_user_table WHERE cookie_string='9e3c778a6d4a102f86f897fba49aa2836473ad0692563479b7c9ccb41219f007'
2 0.0017 SELECT * FROM mantis_user_pref_table WHERE user_id='2' AND project_id='0'
3 0.0013 SELECT id FROM mantis_user_table WHERE username='administrator'
4 0.0012 SELECT * FROM mantis_user_table WHERE id='1'
5 0.0010 UPDATE mantis_user_table SET last_visit= '2005-03-14 22:39:36' WHERE id='2'
6 0.0012 SELECT * FROM mantis_user_table WHERE id='2'
I don't understand the "username='administrator'", it's like Mantis was ignoring the "abc" login I provided...
Thierry |
|
dserodio@ec-corp.com.br 29-Mar-2005 16:22 |
#391
|
| How did you "enable debugging"? |
|
macosxuser@nospam.com 24-Apr-2005 14:57 |
#418
|
MacOSX Panther OpenDirectory auth instructions for v1.0.0a1-
Add:
@ldap_set_option($t_ds, LDAP_OPT_PROTOCOL_VERSION, 3);
To line 27 in core/ldap_api.php. (there is a previously contributed note that states 'ldap_set_options' as the function call - that won't work!)
Then, in your config_inc.php:
$g_login_method = LDAP;
$g_ldap_server = 'ldap://odserver.domain.com/';
$g_ldap_root_dn = 'cn=users,dc=domain,dc=com';
$g_ldap_organisation = '';
$g_ldap_uid_field = 'uid';
A few mistakes I made:
* I initially put LDAP in quotes. oops.
* I didn't provide $g_ldap_uid_field (and cn here does not work for Open Directory!)
* I didn't have a user already created inside the Mantis database
* I didn't include ldap:// in $g_ldap_server |
|
scopitone@club-internet.fr 21-Jun-2005 4:41 |
#479
|
Hello,
I'm trying to configure LDAP in Mantis and
when I'm trying to login into Mantis with a user
that exists in my Active Directory 2k3 with a good or wrong password
It opens a full clear page, not the homepage or any login error page...
Do you have an idea of what could be the problem in my case?
in my config_inc.php :
# --- using openldap -------------
$g_login_method = LDAP;
$g_ldap_server = 'ldap://rcipl-pdc.rcipl.local/';
#$g_ldap_port = '636';
$g_ldap_root_dn = 'OU=RCIPL-Users,DC=RCIPL,DC=LOCAL';
#$g_ldap_organization = ''; # e.g. '(organizationname=*Traffic)'
$g_ldap_uid_field = 'sAMAccountName';
$g_ldap_bind_dn = 'CN=artur artur,OU=RCIPL-Users,DC=RCIPL,DC=LOCAL';
$g_ldap_bind_passwd = '*****';
$g_use_ldap_email = OFF; |
|
lowry@altern.org 17-Aug-2005 6:15 |
#568
|
scopitone@club-internet.fr, I tried different configuration options for AT at W2K3 and could not make it work as well.
Has anyone managed to successfully authenticate against W2K3 LDAP? |
|
kevin.downey@planetwidegames.com 19-Aug-2005 16:11 |
#575
|
The current code won't work for W2K servers using Active Directory as their LDAP. Currently the code searches for the returned 'dn', which it expects to be just something like 'dn=<USERNAME>', and then it uses the dn to attempt a bind to the ldap.
Problem: Active Directory 'dn' returned on the search is something like this 'search['dn']='cn=some user,ou=IT Department,dc=example,dc=com'
Solution: I could find no 'sAMAccountName' returned in the search - if you check the config-defaults it tells you to set the ldap parameter $g_ldap_uid_field to this for Active Directory. This setting should be changed instead to 'cn' NOT 'uid' and NOT 'sAMAccountName'. Also the code in the file 'ldap_api.php' function ldap_authenticate(...) would also have to be changed quite extensively to get it to work. I just commented it out and wrote my own function with same name and params:
In file ldap_api.php...
function ldap_authenticate( $p_user_id, $p_password ) {
    // An empty password must never reach ldap_bind()
    if ( is_blank( $p_password ) ) {
        return false;
    }
    $t_ldap_root_dn = config_get( 'ldap_root_dn' );
    $t_ldap_host = config_get( 'ldap_server' );
    $t_ldap_port = config_get( 'ldap_port' );
    $t_ds = ldap_connect( $t_ldap_host, $t_ldap_port ) or die( 'Unable to connect to LDAP server<br />' );
    $t_user = user_get_field( $p_user_id, 'realname' ); // This checks the user's Real Name instead of username
    $t_authenticated = false;
    // Bind as the user; success means the directory accepted the password
    if ( @ldap_bind( $t_ds, $t_user, $p_password ) ) {
        $t_authenticated = true;
    }
    return $t_authenticated;
}
Then we call this function directly in 'authentication_api.php'
function auth_does_password_match( $p_user_id, $p_test_password ) {
    $t_configured_login_method = config_get( 'login_method' );
    // Here's our change
    if ( LDAP == $t_configured_login_method ) {
        return ldap_authenticate( $p_user_id, $p_test_password );
    }
    .
    .
    .
}
NOTE: You can see in the above function ldap_authenticate(...) it's almost the same as mantis-default function but I got rid of the useless for loop and search - which was a faulty way to do authentication anyway. Also, I had to make some other minor changes as our Active Directory keeps names in the format "Mike Hunt" and will only bind to that string - so I check against the 'realname' in the database instead of 'name' - btw the realname has to match the LDAP. After implementing LDAP we found that it's almost completely useless - it really is an underdeveloped part of mantis right now as its current use is to just bypass the login screen - all authentication checks are against the cookie & database, and you still need to create the database user/pass to use LDAP login and there's no method of tying the registration/creation of new accounts to your LDAP. I had to use the 'realname' field from the user account table to do the authentication b/c there is no ldap table or field to link the two together.
My suggestion, avoid LDAP for mantis on all platforms, it's not viable yet.
|
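The empty-password login reported in note #283 and the blank-password check in note #575 concern the same behaviour: a simple bind with a DN and an empty password can succeed without authenticating anyone. The PHP below is an added example, not Mantis code and not any poster's; check_ldap_password, make_ldap_binder and the constructed in-memory directory are hypothetical names, used so that it runs without an LDAP server.

```php
<?php
// Added example, not Mantis code. All function names here are hypothetical.

// Password check that refuses an empty password before any bind is attempted.
// $bind is a callable (dn, password) => bool, so the check runs without a server.
function check_ldap_password(callable $bind, string $user_dn, string $password): bool
{
    // RFC 4513 section 5.1.2: a simple bind carrying a DN and a zero-length
    // password is an "unauthenticated bind", which a server may answer with
    // success. A bind result alone therefore proves nothing in that case.
    if ($user_dn === '' || $password === '') {
        return false;
    }
    return $bind($user_dn, $password) === true;
}

// Binder for a real directory (needs PHP's ldap extension; not called below).
// Protocol version 3 and referrals off are the options the notes on this page set.
function make_ldap_binder(string $uri): callable
{
    return function (string $dn, string $password) use ($uri): bool {
        $ds = ldap_connect($uri);
        if ($ds === false) {
            return false;
        }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
        $ok = @ldap_bind($ds, $dn, $password);
        ldap_unbind($ds);
        return $ok;
    };
}

// Constructed stand-in for a directory that accepts unauthenticated binds.
$fake_bind = function (string $dn, string $password): bool {
    $entries = ['cn=abc,ou=People,dc=example,dc=com' => 'constructed-pw'];
    if ($password === '') {
        return true; // unauthenticated bind reported as success
    }
    return isset($entries[$dn]) && hash_equals($entries[$dn], $password);
};

$dn = 'cn=abc,ou=People,dc=example,dc=com';
foreach (['', 'wrong', 'constructed-pw'] as $pw) {
    printf("password=%-16s bind alone: %-5s guarded: %s\n",
        var_export($pw, true),
        var_export($fake_bind($dn, $pw), true),
        var_export(check_ldap_password($fake_bind, $dn, $pw), true));
}
```

Against a real server, pass make_ldap_binder('ldaps://ldap.example.com') as the first argument in place of the constructed directory.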
|
adym.lincoln@libertymutual.com 21-Sep-2005 15:43 |
#621
|
Hi all,
Is there any way to set the cookie_string on the mantis_user_table to a 'default' value? I am trying to add myself as a 'Mantis' administrator manually using straight SQL thru MySQL. I am an administrator on the MySQL instance where our Mantis databases are, but I am not a user on those 'Mantis' tables.
I was able to INSERT() a row onto the table, but now I keep getting an error :
<snip>
ERROR: Your browser either doesn't know how to handle cookies, or refuses to handle them.
</snip>
Thing is, it's not a cookie error because I can get to other Mantis sites at our company without a hitch.
thx in advance,
adym |
|
shawnwevans@gmail.com 18-Oct-2005 14:37 |
#650
|
Everything works with LDAP and the machine as far as authentication, but have been unable to get it to work with Mantis. POSIX, Samba, SSH, etc...
$g_ldap_server = 'ldap://ldap.machinename.com/';
$g_ldap_port = '389';
$g_ldap_root_dn = 'dc=machinename, dc=com';
$g_ldap_uid_field = 'uid'; # Use 'sAMAccountName' for Active Directory
$g_ldap_bind_dn = 'ou=People, dc=machinename, dc=com';
$g_ldap_bind_passwd = '*******';
ldapsearch returns
dn: uid=evanssh,ou=People,dc=machinename,dc=com |
|
shawnwevans@gmail.com 19-Oct-2005 16:53 |
#654
|
changed
$g_ldap_bind_dn = 'ou=People, dc=machinename, dc=com';
to
$g_ldap_bind_dn = 'ou=Manager, dc=machinename, dc=com';
and it works fine now, my mistake.
Is there any way to do both MD5 for non-LDAP users and LDAP only for valid users? The reason I am asking is that for our inhouse users this is great, but for users who only need access to Mantis, I would hate to create a user for them in LDAP... guess I just need to find an easier LDAP management tool.
Thanks |
|
rbalzard@inverse.ca 26-Jan-2006 9:13 |
#842
|
you can disable 'Signup for a new account' on the login page by adding:
$g_allow_signup = OFF;
to the config_inc.php |
|
gperreal@sqli.fr 23-Jun-2006 9:16 |
#1148
|
To authenticate against multibranch Active Directory on W2K, you'll need to set up two LDAP options in the function ldap_connect_bind(...) (core/ldap_api.php):
Search for:
$t_ds = @ldap_connect ( $t_ldap_server, $t_ldap_port );
if ( $t_ds > 0 ) {
Add this after:
@ldap_set_option($t_ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($t_ds, LDAP_OPT_PROTOCOL_VERSION, 3); |
|
y5wang@netscape.net 27-Oct-2006 17:15 |
#1280
|
| Any plan to support PAM authentication mechanism? We have a hybrid system, in which the user accounts are controlled by a Windows AD. |
|
jlvila@free.fr 26-Jan-2007 16:10 |
#1365
|
Hi all,
I just migrated 2 mantis databases from 4.1 to 5.0.27.
For the first database, all works fine.
For the second one, when I connect, I get this message:
ERROR: Your browser either doesn't know how to handle cookies, or refuses to handle them.
What's wrong? How to avoid this?
Thanks for help,
Jean-Louis |
|
|
| Last updated: Tue, 14 Oct 2008 - 9:18:38 |
|
|