Category: External Authentication (LDAP, AD, PAM, CAS, etc)

"Prevent automatic/robot registration:" interferes with OpenID
Problem noticed here:
http://www.wiki-translation.com/tiki-view_forum_thread.php?forumId=2&comments_parentId=39

{CODE()}
I'm trying to log in with my OpenID. I don't have a wiki-translation.com account yet.

After validating my OpenID, I'm taken to a Tiki page that prompts me to create a new account on wiki-translation.com to associate with my OpenID. I enter a username and password, but then get the following error:

Wrong registration code
{CODE}


__Duplicate of {wish id=2204}__
tracker item
PAM authentication broken
An attempt to log in using PAM (php-auth-pam) gives the following error message:

Notice: Undefined variable: error in /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php on line 554

Warning: Error variable must be passed by reference in /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php on line 554

Warning: Cannot modify header information - headers already sent by (output started at /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php:554) in /var/www/tikiwiki/tikiwiki-1.9.7/tiki-login.php on line 292


I'm using:
- php5-auth-pam-0.4-9.2 (Debian package)
- tikiwiki-1.9.7 (source)
tracker item
Humphrey
Contributors
tracker item
LDAP login error causes blank page instead of "Login error" page
We are running Tiki 6.2 (clean install), on a Windows 2003 Server, Apache 2.2.16 w SSL, PHP 5.3.3, remote MySQL 5 database. This bug is across all browsers.

Our organization has LDAP (Active Directory) enabled. If a user does not type in the correct password, or has chosen to remember an old password (that has since been resent by AD), they will not be able to log in and there is no screen to tell them why not. On login error, I can see in the LDAP logs:

Error: Bind failed: Invalid credentials

but a blank page is presented. Since the user does not think their invalid login is the problem, they keep trying and blame the system.
tracker item
LDAP authentication doesn't support special characters like "æ,ø,å" in CN name.
If the CN contains any of the characters æ, ø, å, the login fails with an "Invalid password" error.

tracker item
Active Directory domain users are not recognized by TikiWiki
Domain Users are not recognized by TikiWiki when using IIS and Webserver auth against AD.

The substr function in tiki-setup_base.php mistakenly removes the first character of the login name when stripping the domain part. For example, "DOMAIN\username" is truncated to "sername".

I've fixed the issue with the patch below.
tracker item
Add SAML support
((SAML))

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://simplesamlphp.org/
tracker item
Adding NTLM authentication support
NTLM is an authentication protocol which is widely used in Microsoft based network environments. By using it with HTTP you can use that method for single-sign-on (SSO) authentication within your web browser.
This means that without needing to enter additional username or passwords, you can be authenticated at the website you're visiting. This is quite convenient especially for company intranets. NTLM should work with all major browsers (Internet Explorer, Firefox and Opera).
tracker item
After setting auth to active directory/ldap - can't log in as admin now
Upgraded a test/development site from 1.9.9 to 1.10beta1. Trying to get ldap authentication working to an active directory server. After configuring for ldap auth to AD - with 'use tiki for admin auth' checked - now I cannot log in as the admin user. The AD server is taking a really long time to respond, it's at another location - so it always times out. Unfortunately the Tiki site seems to keep trying LDAP and timing out before it will check internally for the admin user. The net result... I'm currently locked out of my development/test Tiki site. LDAP times out and I can't get in as admin either.
tracker item
amette
Contributors
tracker item
binddn and bindpw not used when binding to LDAP
TikiWiki 1.9.8, 1.9.9, 1.9.10, 1.9.11 does not provide binddn and bindpw, when initializing LDAP auth object in userslib.php.

So Tiki can't use authorized LDAP requests...
tracker item
Cannot manually create user when using LDAP
When using LDAP External authentication, I am unable to create a new user on the user administration page.

It does not require a password to create the user, but when you click Add, you receive the error message "Password should be at least characters long"


Users are created when they login the first time, but I need to configure permissions before they login.
tracker item
cnd
Contributors
tracker item
Community Currencies
wiki
Config login with ADS on Tikiwiki 1.9.7
Hi,

I attempted to configure tikiwiki to use PEAR:Auth authentication posted by this link http://doc.tikiwiki.org/tiki-index.php?page=Login%20Config.

However, I still get error "invalid username or password". Is there any way I can debug this?

My installed PHP version 4.4.6 with PEAR:Auth installed.
My Apache version 2.0.59 configured with LDAP.

Any suggestion is appreciated.
tracker item
Display Realname instead of login at "Switch user" for admins through module login_box
tracker item
Extend include_path for Net/LDAP2.php
tracker item
Fatal Error in lib/auth/ldap.php
tracker item
Fix CAS authentication in 1.9.x
[http://sourceforge.net/tracker/index.php?func=detail&aid=1325010&group_id=64258&atid=506846]

tracker item
imap/ldap authentication problem
Hello,
Installed tikiwiki 1.9 on a CentOS 4.4.
Assigned authentication to an external LDAP server (Windows AD), but the problem
remains even with IMAP.
Login with admin works.
Login with external users presents the login screen again (no "bad password", just the login screen again and again).

I debugged the code and found that both the IMAP and LDAP modules correctly check the user,
and at the end of tiki-login.php the "tiki-user-tikiwiki" cookie is set with the IMAP/LDAP username, but then at the start of "tiki-index.php" the $user variable is empty.
A further check shows that session_id() at the end of tiki-login.php is different from session_id() at the start of tiki-index.php (and this explains why the values of the variables are different).
10 correct authentications produce 10 different PHPSESS files with the correct username, but tiki-index.php always loads the first one (without username set).

This has been reproduced with php-4.3.9-3.22 on CentOS 4.2, 4.3 and 4.4

tracker item
IMAP/POP3/vpopmail no longer works
After upgrading from 1.9.7 to 2.0 I am no longer able to configure IMAP authentication.

templates/tiki-admin-include-login.tpl no longer contains any mention of IMAP, POP3 or vpopmail as it did in 1.9.7.

(Note: this renders tikiwiki unusable for my organization)
tracker item
Limit users from CAS
While CAS authentication is great, it allows multiple users to login if you have a widely common CAS server.
For example, SecurePass [1] strong authentication allows ALL SecurePass users to login through their CAS.
The need is to optionally limit which users or users domain can login to tikiwiki through CAS.

[1] www.secure-pass.net
tracker item
LDAP Group Synchronisation broken
With revision 31581 the LDAP group synchronisation has been limited to only happen 60 seconds after the login:

http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/trunk/lib/userslib.php?r1=31565&r2=31581&pathrev=31581

So far as I can see this method is only called during the LDAP login procedure, so the if-statement in line 1415 will always be false, thus no synchronisation will happen.

I checked this problem with 7.1, 7.2 and 8.3 and never succeeded in getting the groups from an AD, although the LDAP login worked. After disseminating the code and removing this if-statement the feature works again.

I wonder what the use of this if-statement was? The commit message refers to webdav changes - how does it affect this?
Can this statement be removed so LDAP group synchronisation works or is there another way to fix this?
tracker item
Fix dependency of LDAP group sync to external directory
LDAP group synchronisation is dependent on the "corresponding user attribute", a setting which is only needed if an external directory is used for group synchronisation.

The fix is simple - the combination of if-statements just needs to be adjusted slightly - see patch.
tracker item
Enhancement: Add option to select whether LDAP group synchronisation creates new groups or only sync existing ones
When groups are synchronised with a big LDAP organisation many empty groups may end up in Tikiwiki.

This enhancement / patch adds an option to let the administrator of a tikiwiki instance decide whether during synchronisation of groups only the user assignments to existing groups will be done or if non-existent groups will be created in tikiwiki.

The default behaviour - as of now - is that when a LDAP user logs in all the groups he belongs to will be created in tikiwiki and he is being added as a member of these groups.

This enhancement adds the preference "ldap_create_groups_tiki" which is "y" by default - which corresponds to the current behaviour.

If "ldap_create_groups_tiki" is set to "n" and a LDAP user logs in the group synchronisation process will silently ignore groups that exist in LDAP but not in tikiwiki. Existing groups will be synced, though.
tracker item
MEbneter
Contributors
tracker item
LDAP/Active Directory Multiple Domain Support
I am referencing forum post: https://tiki.org/tiki-view_forum_thread.php?comments_parentId=43682&topics_offset=1

I would like the ability for users in child domains to access the TikiWiki site the same way users in the parent site are able to access it. According to the forum post, "Tiki is not currently capable of authenticating against multiple domains (or multiple LDAP servers)" and "The code could be modified to search, say, the global catalog for the user's DN and then authenticate against the corresponding domain, but this would be custom coding"

I would like an option to specify multiple domains, or a custom code I could use to search the global catalog for the user's DN.

Basically I want all of my users in all of my offices to access the Tiki site. Not just the home office users.
tracker item
LDAP Group Sync in Tiki-9 Broken
I was unable to get group sync for ldap working, and after changing two lines of code in userslib.php I was able to get it working.

The changes I made are the __procedure__ section, and I have included my settings also in case someone is having a similar issue, or is just trying to set up LDAP group sync and would like to see a working example, and in case it is useful in your troubleshooting.
tracker item
LDAP External Groups Being Flagged as Internal
When editing an external group (a group created automatically by tiki when syncing groups with ldap) the isExternal flag which should be set to Y is set to N.

Context:
User logs in, and tiki groups are syncing with a OU on the AD, so a group is added. Say this group is "tiki-admin".
We want users part of the group tiki-admin on the AD to have admin perms on the wiki, so we edit the group in tiki and set it to inherit permissions from the local Admin group. When you hit the "Save" button after editing the group (you don't have to change anything) the group's isExternal flag is set to "n", meaning it will not sync like an external group.

Users added to the group in the AD will be added to it in tiki, but users removed from it in the AD will not be removed from the group in tiki.
tracker item
Security
Features Classification
tracker item
Kerberos authentication
Should already be supported since we use PEAR::AUTH
http://pear.php.net/package/Auth

Needs testing and confirmation.
tracker item
LDAP - forced to login twice
tracker item
LDAP auth does not really connect to LDAP in order to authenticate (only does it on the first login)
Hello all.

Almost by chance I noticed a behavior which seems wrong regarding the LDAP authentication on TikiWiki 2.0. I'm not sure if it was already present in 1.9.11 but I don't think so. We migrated last week.

Regarding the TW configuration:

- authentication method is "Tiki+PEAR::Auth"
- users cannot register and cannot change password
- "Create user if not in Tiki?" is on
- "Create user if not in Auth?" is off
- "Just use Tiki auth for admin?" is on
- The LDAP auth configuration parameters are correct, the auth itself works well, as it worked in 1.9.11. When TW connects to the LDAP server (OpenLDAP 2.1.30) the authentication works as expected.

This means that a Tiki account is created when LDAP users login for the first time. As expected, in presence of such a user, TW connects to LDAP, authenticates, creates Tiki account and logs the user in (I have some doubts in this last item though). However, when users log in again after this, I would expect that authentication is still delegated completely to the LDAP and is not done through Tiki. Instead, I have confirmed by looking at my LDAP logs that when TW finds a Tiki account, it authenticates the user through Tiki and never connects to the LDAP. This is not the expected behavior, because it means that passwords are being stored on the TW database and actually used for authentication. As a consequence, when a user changes his password on the LDAP, this is not "seen" by TW.

I'm pretty sure this is not the intended behavior also because if I go to Admin Users, both the "edit user" and the "add user" boxes show the following:

"No password is required
Tikiwiki is configured to delegate the password managment to LDAP through PEAR Auth."

And actually, the "edit user" box also says "Warning: changing the username will require the user to change his password" which is a contradiction since the password should be managed by LDAP and my TW is configured to disallow users from being able to change their passwords.

Paulo
tracker item
ldap auth external groups
tracker item
LDAP authentication and email field
We are using LDAP authentication at our site and the email field is not being automatically filled in. This means we must manually setup our email for each user for the page change notifications to work.


Note we are connecting to an ActiveDirectory LDAP database which does not like anonymous binds so had to make a patch based on the following suggestion:

http://tikiwiki.org/tiki-view_forum_thread.php?topics_offset=58&forumId=6&comments_parentId=14021
tracker item
LDAP authentication by binding user credentials
Our Active Directory is configured not to allow arbitrary LDAP searches for unprivileged users. However, these users can successfully bind to AD's LDAP interface. This would be enough for authentication and we would not need a special account for checking authentication.

I therefore removed parts of the function fetchData in /lib/pear/Auth/Container/LDAP.php:

{CODE()}
function fetchData($username, $password)
{
    $this->log('Auth_Container_LDAP::fetchData() called.', AUTH_LOG_DEBUG);
    $err = $this->_prepare();
    if ($err !== true) {
        return PEAR::raiseError($err->getMessage(), $err->getCode());
    }

    $err = $this->_getBaseDN();
    if ($err !== true) {
        return PEAR::raiseError($err->getMessage(), $err->getCode());
    }

    // UTF8 Encode username for LDAPv3
    if (@ldap_get_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $ver) && $ver == 3) {
        $this->log('UTF8 encoding username for LDAPv3', AUTH_LOG_DEBUG);
        $username = utf8_encode($username);
    }

    /* // make search filter
    $filter = sprintf('(&(%s=%s)%s)',
                      $this->options['userattr'],
                      $this->_quoteFilterString($username),
                      $this->options['userfilter']);

    // make search base dn
    $search_basedn = $this->options['userdn'];
    if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
        $search_basedn .= ',';
    }
    $search_basedn .= $this->options['basedn'];

    // attributes
    $searchAttributes = $this->options['attributes'];

    // make functions params array
    $func_params = array($this->conn_id, $search_basedn, $filter, $searchAttributes);

    // search function to use
    $func_name = $this->_scope2function($this->options['userscope']);

    $this->log("Searching with $func_name and filter $filter in $search_basedn", AUTH_LOG_DEBUG);

    // search
    if (($result_id = @call_user_func_array($func_name, $func_params)) === false) {
        $this->log('User not found', AUTH_LOG_DEBUG);
    } elseif (@ldap_count_entries($this->conn_id, $result_id) >= 1) { // did we get some possible results?

        $this->log('User(s) found', AUTH_LOG_DEBUG);

        $first = true;
        $entry_id = null;

        do {

            // then get the user dn
            if ($first) {
                $entry_id = @ldap_first_entry($this->conn_id, $result_id);
                $first = false;
            } else {
                $entry_id = @ldap_next_entry($this->conn_id, $entry_id);
                if ($entry_id === false)
                    break;
            }
            $user_dn = @ldap_get_dn($this->conn_id, $entry_id);

            // as the dn is not fetched as an attribute, we save it anyway
            if (is_array($searchAttributes) && in_array('dn', $searchAttributes)) {
                $this->log('Saving DN to AuthData', AUTH_LOG_DEBUG);
                $this->_auth_obj->setAuthData('dn', $user_dn);
            }

            // fetch attributes
            if ($attributes = @ldap_get_attributes($this->conn_id, $entry_id)) {

                if (is_array($attributes) && isset($attributes['count']) &&
                    $attributes['count'] > 0) {

                    // ldap_get_attributes() returns a specific multi dimensional array
                    // format containing all the attributes and where each array starts
                    // with a 'count' element providing the number of attributes in the
                    // entry, or the number of values for attribute. For compatibility
                    // reasons, it remains the default format returned by LDAP container
                    // setAuthData().
                    // The code below optionally returns attributes in another format,
                    // more compliant with other Auth containers, where each attribute
                    // element are directly set in the 'authData' list. This option is
                    // enabled by setting 'attrformat' to
                    // 'AUTH' in the 'options' array.
                    // eg. $this->options['attrformat'] = 'AUTH'

                    if ( strtoupper($this->options['attrformat']) == 'AUTH' ) {
                        $this->log('Saving attributes to Auth data in AUTH format', AUTH_LOG_DEBUG);
                        unset ($attributes['count']);
                        foreach ($attributes as $attributeName => $attributeValue ) {
                            if (is_int($attributeName)) continue;
                            if (is_array($attributeValue) && isset($attributeValue['count'])) {
                                unset ($attributeValue['count']);
                            }
                            if (count($attributeValue)<=1) $attributeValue = $attributeValue[0];
                            $this->log('Storing additional field: '.$attributeName, AUTH_LOG_DEBUG);
                            $this->_auth_obj->setAuthData($attributeName, $attributeValue);
                        }
                    }
                    else
                    {
                        $this->log('Saving attributes to Auth data in LDAP format', AUTH_LOG_DEBUG);
                        $this->_auth_obj->setAuthData('attributes', $attributes);
                    }
                }
            }
            @ldap_free_result($result_id);


            // need to catch an empty password as openldap seems to return TRUE
            // if anonymous binding is allowed
    */ $user_dn = $username;
    if ($password != "") {
        $this->log("Bind as $user_dn", AUTH_LOG_DEBUG);

        // try binding as this user with the supplied password
        if (@ldap_bind($this->conn_id, $user_dn, $password)) {
            $this->log('Bind successful', AUTH_LOG_DEBUG);
            // check group if appropriate
            if (strlen($this->options['group'])) {
                // decide whether memberattr value is a dn or the username
                $this->log('Checking group membership', AUTH_LOG_DEBUG);
                $return = $this->checkGroup(($this->options['memberisdn']) ? $user_dn : $username);
                $this->_disconnect();
                return $return;
            } else {
                $this->log('Authenticated', AUTH_LOG_DEBUG);
                $this->_disconnect();
                return true; // user authenticated
            } // checkGroup
        } // bind
    } // non-empty password
    // } while ($this->options['try_all'] == true); // iterate through entries
    // } // get results
    // default
    $this->log('NOT authenticated!', AUTH_LOG_DEBUG);
    $this->_disconnect();
    return false;
}
{CODE}

It would be nice to have a checkbox in the LDAP part of the admin page for selecting this behaviour.
tracker item
LDAP authentication should use LDAPv3 (or at least have configurable support for it)
LDAPv2 is obsolete, and the use of LDAPv3 is now standard practice. In fact, the [http://www.openldap.org/faq/data/cache/822.html|latest releases of OpenLDAP don't even support LDAPv2 properly anymore]. However, PHP's ldap_connect() and PEAR::Auth [http://www.openldap.org/lists/openldap-software/200204/msg00046.html|default to LDAPv2].

The patch to use LDAPv3 is attached. It shouldn't be difficult to make the LDAP protocol version a configurable preference.
tracker item
LDAP authentication to AD broken
tracker item
LDAP authentication with StartTLS
tracker item
LDAP authentication on LD
Hi All,

I’m working on the Tikiwiki 2.2 with a LDAP authentication.

In the login option, I see it is possible to automatically give someone access in the Tiki if this person is in LDAP directory.

My question is: Is it possible to define access with a Distribution List group and not with the entire LDAP directory?

On another note, do you know why “LDAP Member is DN” can not be set to “yes?”

Thanks for your response

tracker item
LDAP configuration not functioning
in file tiki-admin_include_login.php
if (isset($_REQUEST["auth_pear"])) {
check_ticket('admin-inc-login');
simple_set_toggle('auth_create_user_tiki');
............
....
.....
The 2 lines below are missing:
simple_set_value('auth_ldap_emailattr');
simple_set_value('auth_ldap_countryattr');

Missing database entries for ldap email and country
tracker item
LDAP debugging causes error?
System environment:
Tiki 6
Windows Server 2008 64bit
Apache x64 2.2.11
PHP x64 5.2.5 (lib/smarty/libs/internals/core.is_secure.php patched to make it work)

LDAP authentication against AD does work once configured properly
BUT
Debugging the configuration was hard because turning on logging caused errors!
When logging is off, all is well. When logging is on and line 346 of lib/auth/ldap.php is commented out, all is well.
It seems that when logging is active, "$filter->asString()" on that line causes an error on our system. The same call is made on line 262 with a simpler filter and works OK.

Perhaps when checking groups, asString is returning too much for the logging system to handle?
tracker item
LDAP group syncing bug solved
tracker item
LDAP groups not syncing correctly
tracker item
LDAP sync broken in 12.3
tracker item
LDAP Sync Not working Correctly
tracker item
Login with user "admin" doesn't work when CAS authentication is enabled
tracker item
Password will not be accepted when using @ > or < in the password string (with or without LDAP)
tracker item
mod: phpcas not installing (source at cvs under subdirs...)
That's what the mod description says:
{CODE()}
author: mcfarland
last modification: 2006/12/22 01:49:26
by: mcfarland
features/phpcas/COPYRIGHT -> lib/phpcas/COPYRIGHT
features/phpcas/README -> lib/phpcas/README
features/phpcas/source/CAS/CAS.php -> lib/phpcas/source/CAS/CAS.php
features/phpcas/source/CAS/PGTStorage -> lib/phpcas/source/CAS/PGTStorage
features/phpcas/source/CAS/PGTStorage/pgt-db.php -> lib/phpcas/source/CAS/PGTStorage/pgt-db.php
features/phpcas/source/CAS/PGTStorage/pgt-file.php -> lib/phpcas/source/CAS/PGTStorage/pgt-file.php
features/phpcas/source/CAS/PGTStorage/pgt-main.php -> lib/phpcas/source/CAS/PGTStorage/pgt-main.php
features/phpcas/source/CAS/client.php -> lib/phpcas/source/CAS/client.php
features/phpcas/source/CAS/domxml-php4-php5.php -> lib/phpcas/source/CAS/domxml-php4-php5.php
features/phpcas/source/CAS/languages/english.php -> lib/phpcas/source/CAS/languages/english.php
features/phpcas/source/CAS/languages/french.php -> lib/phpcas/source/CAS/languages/french.php
features/phpcas/source/CAS/languages/greek.php -> lib/phpcas/source/CAS/languages/greek.php
features/phpcas/source/CAS/languages/languages.php -> lib/phpcas/source/CAS/languages/languages.php
{CODE}

And that's what it says to me when attempting to install it:
{CODE()}
Warning: mkdir(lib/phpcas/source/CAS/PGTStorage): File exists in c:\archivos de programa\easyphp1-8\www\branch-1-9\lib\mods\modslib.php on line 68

Warning: copy(mods/features/phpcas/source/CAS/PGTStorage/pgt-db.php): failed to open stream: No such file or directory in c:\archivos de programa\easyphp1-8\www\branch-1-9\lib\mods\modslib.php on line 375
features/phpcas/source/CAS/PGTStorage/pgt-db.php to lib/phpcas/source/CAS/PGTStorage/pgt-db.php impossible to copy
{CODE}
tracker item
natokpe
tracker item
not able to authenticate user with e-Directory LDAP
Scenario:
TikiWiki version 4.1
Auth against LDAP
LDAP being used: Novell eDirectory

Problem:
user can not log in unless the complete DN of the user is specified.
In my scenario the users are spread across the complete tree, so no chance to provide a specific "User DN", additionally a "Base DN" needs to be specified in order restrict the search to the city where the service runs. Finally only the default option provided at the "LDAP Bind Type" seems to be correct for eDirectory.

How this has been solved:
1.- The code modified has been: lib/auth/ldap.php
2.- If the LDAP connect operation fails, then a search for the user is triggered
3.- If the user is found in the LDAP, his/her DN is extracted and a new LDAP connect is performed.

Here the diff of the modified code:
{CODE(colors="php")}diff -uN ldap.php ldap.php.new
--- ldap.php 2009-10-30 16:53:31.000000000 +0100
+++ ldap.php.new 2010-01-13 22:28:18.000000000 +0100
@@ -200,6 +200,50 @@

$this->ldaplink= Net_LDAP2::connect($options);
if(Net_LDAP2::isError($this->ldaplink)) {
+ /* This modification is placed in order to add a kind of e-Directory compatibility.
+ For e-Directory and according to what I found about documentation - please consider I'm not an expert on this matter -
+ e-Directory will only get a positive result for the user search (with is password) only if the dn is pointing to the place where
+ the user object has been created, so we need first to find this data.
+ In the next lines the user data will be searched, and once found (if found) the info related to binddn will be updated
+ */
+ // filters to locate the user
+ $filter1=Net_LDAP2_Filter::create('objectClass','equals',$this->options['useroc']);
+ $filter2=Net_LDAP2_Filter::create($this->options['userattr'],'equals',$this->options['username']);
+ $filter=Net_LDAP2_Filter::combine('and',array($filter1,$filter2));
+ if(Net_LDAP2::isError($filter)) {
+ $this->add_log('ldap','LDAP Filter creation error: '.$filter->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return false;
+ }
+ $searchoptions=array('scope' => $this->options['scope']);
+ // unset the binddn, if set then the connect will fail
+ unset ($options['binddn']);
+ $this->ldaplink= Net_LDAP2::connect($options);
+ if(Net_LDAP2::isError($this->ldaplink)) {
+ $this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return($this->ldaplink->getCode());
+ }
+ $searchresult = $this->ldaplink->search($this->options['basedn'],$filter,$searchoptions);
+ if($searchresult->count()!=1) {
+ // More then 1 user ... problem
+ $this->add_log('ldap','Error: ldap search found this amount of useres:'.$searchresult->count().' which is not 1. at line '.__LINE__.' in '.__FILE__);
+ return false;
+ }
+ $entry=$searchresult->shiftEntry();
+ if (Net_LDAP2::isError($entry)) {
+ $this->add_log('ldap','Error fetching user entries: '.$entry->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return($this->ldaplink->getCode());
+ }
+ // Set the binddn again
+ $options['binddn']=$entry->dn();
+ // Try again now with the correct binddn
+ $this->ldaplink= Net_LDAP2::connect($options);
+ if(Net_LDAP2::isError($this->ldaplink)) {
+ $this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ // return Net_LDAP2 Error codes. No need to redefine this.
+ return($this->ldaplink->getCode());
+ }
+ // The rest of the code gets encapsulated in the else
+ }else {
$this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
// return Net_LDAP2 Error codes. No need to redefine this.
return($this->ldaplink->getCode());
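Review bot: the search result is used without an error check. `Net_LDAP2::search()` returns a `Net_LDAP2_Error` on failure, and the very next line calls `$searchresult->count()` on whatever came back, which is a fatal method call on an error object; add `if (Net_LDAP2::isError($searchresult)) { $this->add_log('ldap', 'Error: '.$searchresult->getMessage()); return $searchresult->getCode(); }` before the `count()!=1` test, as is already done for `$filter` and `$entry`. In the `Net_LDAP2::isError($entry)` branch the code returns `$this->ldaplink->getCode()`, but the error object is `$entry`, so the returned code does not describe the failure; return `$entry->getCode()` instead. The fallback also runs on any failure of the first connect, not only on a rejected bind DN, so a network or TLS problem now produces a second, anonymous connect plus a directory search and the original error message is lost; checking the first error's code before falling back would keep those failures visible in the log. Minor: "More then 1 user" and "useres" in the log messages.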
@@ -371,5 +415,5 @@
if($this->options['debug'])
$this->logslib->add_log($facility,$message);
}
-
+
}
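Review bot: this hunk changes only whitespace (a blank line removed and a blank line added after `add_log()`), so it adds noise to the patch without any code change; drop it, or regenerate the diff with `diff -uNw` so whitespace-only differences are not included.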
{CODE}

References:
[http://tikiwiki.org/tiki-view_forum_thread.php?topics_offset=19&topics_sort_mode=lastPost_desc&forumId=17&comments_parentId=32433|Info in TikiForum]
[http://www.codeproject.com/KB/system/eDirectoryAuthentication.aspx|Info about eDirectory]

Hope this could be a kind of contribution
TalindoChe
tracker item
OpenID registration does not work with CAPTCHA
When using OpenID + Registration CAPTCHA...
With Tiki 2.2...

I attempted to register using my OpenID:

#On the Login page, I entered my OpenID.
#My OpenID was validated and Tiki shows the page where I can either associate my OpenID with an existing Tiki account, or register as a new user.
#I completed the registration form (including the correct CAPTCHA), but Tiki keeps saying that the Anti-bot code was incorrect.

Additionally, the registration form presented with the OpenID __does not__:
*Display the password minimum requirements (such as number of characters).
*Allow for the selection of groups.


__Duplicate of {wish id=1505}__
tracker item
OpenID support using the provided PHP library
For sites with open content it's very important that a visitor who came through a link from a search engine or somewhere else has minimal problems adding new information to the wiki.
My personal example: I have a blog on livejournal.com and now plan to create a homepage based on tiki, but I don't want to make all of my friends from LJ go through registration on my site. Even if they all would, it's unrealistic to make them all use the same logins as there.
tracker item
Patch to allow support for Active Directory authentication via LDAP
Active Directory doesn't allow anonymous searches of its structure. Instead, a username and password for an account with search access must be given when connecting.
tracker item
Permissions not allowing me to see anything. Group syncing in the LDAP may be the cause
tracker item
Problem with ldap_sync_user_and_groups in userslib.php
The ldap_sync_user_and_groups function is missing the $user and $pass arguments (types, or whatever you call them). This means that when using LDAP the user will not be added to the LDAP groups and the user's information (name, email, etc) will not be populated. I have a fix listed below, but I don't know if it will break something else.
tracker item
Refactor Login Settings page with separate tabs for Pear::Auth, CAS, Shibboleth
The login settings page should be refactored to eliminate the presentation of unneeded configuration options.
tracker item
Rewrite userslib.php splitting it into smaller pieces to make it easily expandable
userslib.php is actually a mess where AuthPAM, PEAR and CAS have been pasted inside, my idea is to rewrite userslib.php with the idea of "modular authenticators" that is, having a directory like lib/userslib/ put there authlib_cas.php, authlib_pear.php, authlib_pam.php and tikiauth.php (for the builtin tiki's authentication).

The goal is that a user can create a new authlib_*.php file for his own purposes (actually I need one for Active Directory via php-ldap and another for our customers database) without the need of touching userslib.php at all, so upgrading would be much easier, and writing your own authenticator would be really much easier than now.

I'm currently working on that on BRANCH-1-9 as that's the one I use at the office but userslib.php from 1.9 to HEAD is untouched so no issues come with that.

My plan is to initially split userslib.php into cas, pear, pam and the builtin modules (a lot of work there!) then rewrite the Login section of the admin panel so it adapts to its new nature.

The ways to preserve the environment I've thought of are: being able to enable/disable any module at any time, having only the current 3 enabled by default, and setting what would be the new "authenticators_order" preference to meet the current possible situations while also retaining preferences.

What I still don't know how to handle is:
* How an authenticator can create/delete its preferences from tiki_preferences when enabled/disabled (is there any tikilib function to create/delete preferences?)

Comments are welcome!

(NOTE: I'm not sure that this tracker is the place for that.. I saw it's a TODO... am I right?)
tracker item
SCRAM-SHA-1(-PLUS) + SCRAM-SHA-256(-PLUS) + SCRAM-SHA-512(-PLUS) + SCRAM-SHA3-512(-PLUS) supports
tracker item
Show realname instead of userid in user field in trackers when the feature is set to do so
tracker item
tikiwiki calls non-existent pear library without checking that library is installed
I have configured "tiki and pear::auth" in the login section of tikiwiki on a server which did not have the pear php libraries installed.
Next time I try to login with a user (not admin), I see a blank page.

This happens because on line 756 of file lib/userslib.php
$a = new Auth("LDAP", $options, "", false, $user, $pass);
just dies without any error message.
tracker item
Tracker API - adding tracker items via external system/external call - M2M communication
tracker item
xavi
Contributors
tracker item
