
Plugin seems to be ignored

Open branhendricks opened this issue 9 years ago • 8 comments

I have YOURLS 1.7.1 installed along with the latest version of the plugin. We are using Active Directory as our LDAP server. I have the info in config.php the same as we used on other AD related systems. When attempting to log in with AD credentials I get invalid username or password, but am successful if I use the password that was entered in config.php. (I also tried removing the user altogether from config.php, but it made no difference.)

branhendricks avatar Feb 03 '16 20:02 branhendricks

I haven't upgraded to 1.7.1, but from the changelog there doesn't seem to be anything that would break this plugin. You've definitely activated the plugin via the Manage Plugins screen?

If it's dying for some reason it should output to the PHP log. I'd start with that, then add in some debugging output to make sure it's actually opening a connection.

dave-lang avatar Feb 05 '16 03:02 dave-lang

I started doing some output debugging. So far, it looks like the search user name and pass are not optional but required. The search function called further down cannot search unless the connection is bound to a user account.

branhendricks avatar Feb 05 '16 20:02 branhendricks

I'm going to try to bind on the user credentials attempting to login rather than the search user. I'm just wondering if this could possibly create some security issue since the plugin wasn't written this way in the first place.

branhendricks avatar Feb 05 '16 22:02 branhendricks

Off the top of my head I wouldn't think so - but I haven't looked over the code recently.

I've tested it using anonymous binding before though, and it has worked. Might be your LDAP/AD setup requires a user account to bind?

dave-lang avatar Feb 10 '16 00:02 dave-lang

Probably is the case of AD requiring a login first. I did get it to work using the method I mentioned. I can share the code if desired.

branhendricks avatar Feb 11 '16 19:02 branhendricks

Yes, share please. It may help others.


k3a avatar Feb 12 '16 05:02 k3a

In my experience, the following things have to be changed for Active Directory:

  • `ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);` needs to be added
  • The code should try to bind as the logging in user before searching if `LDAPAUTH_SEARCH_USER` is not set. However, this needs to be changed such that a prefix or suffix can be added.
  • I use the field `sAMAccountName` to get the user name. In the `$searchResult` array this key is lowercased, so it should be lowercased when looking it up in `$searchResult`.

Wikimedia has an LDAP plugin that works: https://www.mediawiki.org/wiki/Extension:LDAP_Authentication

jorrit avatar Jul 15 '16 07:07 jorrit

Also, the following change is necessary:

`if (!$searchResult) return $value;` -> `if (empty($searchResult)) return $value;` in case there are no results for the search.

jorrit avatar Jul 15 '16 07:07 jorrit
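
The Active Directory changes discussed in this thread, combined into one sketch. This is an added example, not code from the plugin or from any commenter; the function names, parameters and sample values are hypothetical. It also rejects empty passwords and escapes the login name in the search filter, two checks that matter once the code binds as the user who is logging in.

```php
<?php
// Added example, not the plugin's code. All names and sample values are hypothetical.

/** Build the bind name from a login name plus a configurable prefix/suffix. */
function ad_bind_name(string $user, string $prefix = '', string $suffix = ''): string
{
    return $prefix . $user . $suffix;   // e.g. "alice" + "@example.test"
}

/** Read one attribute from ldap_get_entries() output, whose keys are lowercased. */
function ad_first_value(array $entries, string $attr): ?string
{
    if (empty($entries) || empty($entries['count'])) {
        return null;                    // search failed or matched nothing
    }
    $key = strtolower($attr);           // "sAMAccountName" -> "samaccountname"
    return $entries[0][$key][0] ?? null;
}

/** Returns the directory's account name on success, null on any failure. */
function ad_authenticate(string $uri, string $baseDn, string $user, string $pass,
                         string $prefix = '', string $suffix = ''): ?string
{
    // A simple bind with an empty password is an "unauthenticated bind", which
    // many servers accept; reject it before contacting the directory.
    if ($user === '' || $pass === '') {
        return null;
    }
    $conn = ldap_connect($uri);
    if (!$conn) return null;
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // first change listed in the thread

    if (!@ldap_bind($conn, ad_bind_name($user, $prefix, $suffix), $pass)) {
        return null;                    // wrong credentials or server unreachable
    }
    // Escape the login name so it cannot alter the search filter.
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($conn, $baseDn, $filter, ['sAMAccountName']);
    $entries = $result ? (ldap_get_entries($conn, $result) ?: []) : [];
    ldap_unbind($conn);
    return ad_first_value($entries, 'sAMAccountName');
}

// Constructed sample shaped like ldap_get_entries() output, to show the key casing.
$sample = ['count' => 1, 0 => ['samaccountname' => ['count' => 1, 0 => 'alice']]];
var_dump(ad_first_value($sample, 'sAMAccountName'));         // found via lowercased key
var_dump(ad_first_value(['count' => 0], 'sAMAccountName'));  // search with no match
```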