Stories
Slash Boxes
Comments

Slash Open Source Project

Slashcode Log In

Log In

[ Create a new account ]

dscottj (2927)

dscottj
  (email not shown publicly)

Journal of dscottj (2927)

Wednesday November 21, 01

Login screen

03:31 PM
Slash Plugins and Themes

This is the login screen that feeds the thing above:
<FORM NAME="LAYOUTFORM" ACTION="basicLogin.pl" METHOD="post">
        <INPUT TYPE="HIDDEN" NAME="returnto" VALUE="//namiexp.nami.org/index.pl">
        username:<input type="text" name="ldapuname" value="" maxlength="30">

        password:<input type="password" name="ldappassword" value="" maxlength="30">

        <INPUT TYPE=SUBMIT NAME="op" VALUE="userlogin" ID="FormsButton1">
</form>

LDAP authentication v .01

03:22 PM
Slash Plugins and Themes

Here is my first shot at getting LDAP to work with slash. Very much "crayon code", as I haven't been programming in perl that long. I will try to submit a story on this with more details:

#!/usr/bin/perl
# our attempt at working with logins
# configuration
# requires:
# ldapuname
# ldappassword
use CGI;
use Date::Manip;
use Slash;
use Slash::Display;
use Slash::Utility;
use Slash::Apache::User;
use Net::LDAP qw(:all);
use strict;

#set this if you want to see what's going on inside and don't
#want it to actually do anything. STDERR probably does the
#same thing but I'm too dumb to figure out how to use that.
my $debug=0;

#these are all variables you need to set up using the slash admin interface. fill
#in your own correct values.
my $ldapdirectory=getCurrentStatic('LDAPdirectory');
my $searchBindUser=getCurrentStatic('LDAPsearchBindUs er');
my $searchBindPwd=getCurrentStatic('LDAPsearchBindPwd ');
my $ldapSearchBase=getCurrentStatic('LDAPsearchBase') ;

my $form = getCurrentForm();
my ($slashdb, $user)="nobody";
my $ldap = Net::LDAP->new($ldapdirectory);
my (
$actualUID, $userExistsInSlash, $userIsLDAPAuthenticated, $resultCount, $recordsFound,
$userNameDN, $recordFound, $bindResult, $bindReply, $userEmail, $allAuthenticationComplete
)=0;

my $ldapuname=$form->{ldapuname};
my $ldappassword=$form->{ldappassword};

#bind to the directory server as the search user, so we can find
#the DN of the person trying to authenticate
$bindReply=$ldap->bind($searchBindUser, password => $searchBindPwd);
$bindResult=$bindReply->error;

#now, go find the DN of the person trying to authenticate
my $mesg=$ldap->search (
        base => "$ldapSearchBase",
        filter=>"(uid=$ldapuname)"
);

$recordsFound=$mesg->count;

if ($recordsFound){
#you found a username!
#the IF below is a sanity check. UIDs are supposed to be unique, and
#are for my LDAP server, but might not be for everyone else's. If
#it finds more than one, it won't authenticate any of them. Someone
#brighter than me could write some sort of exception that asked the user
#which DN to use. Most users won't know what a DN is though, so YMMV
        if ($recordsFound = 1){
                $recordFound=$mesg->entry(0);
                $userNameDN=$recordFound->dn();
                $userEmail=$recordFound->get_value("mail");

        }
}

#use that DN to try to bind against the server
$bindReply=$ldap->bind($userNameDN, password => $ldappassword);
$bindResult=$bindReply->error;
if ($bindReply->error eq 'Success'){
        $userIsLDAPAuthenticated=1;
}

if ($userIsLDAPAuthenticated){
#when you get here, you've got a valid, authorized LDAP user. Now
#you have to start talking to slash to turn them (*TING*) into a
#valid slash user. Good luck.
        $slashdb = getCurrentDB();
#first, see if the username actually exists in the system.
        $actualUID=$slashdb->getUserUID($ldapuname);
        if (!isAnon($actualUID)) {
                $userExistsInSlash=1;
                my($uid, $cookpasswd, $newpass) =
                $slashdb->getUserAuthenticate($actualUID, $ldappassword); #, 1
                if (!isAnon($uid)) {
#they're valid in both ldap and slash if you get here.
                        $allAuthenticationComplete=1;
                }else{
#if you get here, means that the LDAP password is different from the
#slash password. LDAP has priority. Change slash password then move on
                        my $passhash={passwd=>$ldappassword};
                        $actualUID=$slashdb->getUserUID($ldapuname);
                        $slashdb->setUser($actualUID, $passhash);
                        $allAuthenticationComplete=1;
                }

        }else{
                $userExistsInSlash=0;
#means they have an LDAP account but slash has never seen them before. Now
#you have to input them so slash knows about them.
                $actualUID = $slashdb->createUser($ldapuname, $userEmail, $ldapuname);
                my $passhash={passwd=>$ldappassword};
                $slashdb->setUser($actualUID, $passhash);
                $allAuthenticationComplete=1;
        }

}

#This is so primitive even I know it's not the best way. I just
#couldn't figure out how users.pl works, and got tired of trying (1 week).
#This is what the "real" slash login form does, and (for once) you can call
#it like the original form does and it works. What actualy needs to happen is
#the user needs to get authenticated and all the cookies and garbage set so
#that the rest of the slash site will recognize the user.
#Someone smarter than me can probably figure this bit out quickly.

if (!$debug){
        if ($allAuthenticationComplete){
                redirect ('http://namiexp.nami.org/users.pl?op=userlogin&un ickname='.$ldapuname.'&upasswd='.$ldappassword.'&r eturnto='.$form->{returnto});
        }else{
                redirect ('http://namiexp.nami.org/login.shtml');
        }
}

if ($debug){
print

Thank you

Thank you

username: $ldapuname

password: $ldappassword

Actual Bind result: $bindResult

Authenticated? $userIsLDAPAuthenticated

email: $userEmail

slashdb: $slashdb

actualUID: $actualUID

userExistsInSlash: $userExistsInSlash

LDAPdirectory: $ldapdirectory

EOF
}