Category: External Authentication (LDAP, AD, PAM, CAS, etc)

Problem noticed here:
http://www.wiki-translation.com/tiki-view_forum_thread.php?forumId=2&comments_parentId=39

{img src=images/code.png}%%% {CODE()}
I'm trying to log in with my OpenID. I don't have a wiki-translation.com account yet.

After validating my OpenID, I'm taken to a Tiki page that prompts me to create a new account on wiki-translation.com to associate with my OpenID. I enter a username and password, but then get the following error:

Wrong registration code
{CODE}


__Duplicate of {wish id=2204}__

An attempt to log in using PAM (php-auth-pam) gives the following error message:

Notice: Undefined variable: error in /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php on line 554

Warning: Error variable must be passed by reference in /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php on line 554

Warning: Cannot modify header information - headers already sent by (output started at /var/www/tikiwiki/tikiwiki-1.9.7/lib/userslib.php:554) in /var/www/tikiwiki/tikiwiki-1.9.7/tiki-login.php on line 292


I'm using:
- php5-auth-pam-0.4-9.2 (Debian package)
- tikiwiki-1.9.7 (source)

Contributors

We are running Tiki 6.2 (clean install), on a Windows 2003 Server, Apache 2.2.16 w SSL, PHP 5.3.3, remote MySQL 5 database. This bug is across all browsers.

Our organization has LDAP (Active Directory) enabled. If a user does not type in the correct password or has chosen to remember an old password (that has since been resent by AD) they will not be able to login and there is no screen to tell them why not. On login error, I can see in the LDAP logs:

Error: Bind failed: Invalid credentials

but a blank page is presented. Since the user does not think their invalid login is the problem, they keep trying and blame the system.

If CN contains any character of; æ,ø,å the login fails with "Invalid password" error.

Domain Users are not recognized by TikiWiki when using IIS and Webserver auth against AD.

substr function in tiki-setup_base.php mistakenly removing first char of the login name during substracting domain part. For example "DOMAIN\username" is truncated "sername".

I've fixed the issue with the patch below.

((SAML))

http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://simplesamlphp.org/

NTLM is an authentication protocol which is widely used in Microsoft based network environments. By using it with HTTP you can use that method for single-sign-on (SSO) authentication within your web browser.
This means that without needing to enter additional username or passwords, you can be authenticated at the website you're visiting. This is quite convenient especially for company intranets. NTLM should work with all major browsers (Internet Explorer, Firefox and Opera).

Upgraded a test/development site from 1.9.9 to 1.10beta1. Trying to get ldap authentication working to an active directory server. After configuring for ldap auth to AD - with 'use tiki for admin auth' checked - now I cannot log in as the admin user. The AD server is taking a really long time to respond, it's at another location - so it always times out. Unfortunately the Tiki site seems to keep trying LDAP and timing out before it will check internally for the admin user. The net result... I'm currently locked out of my development/test Tiki site. LDAP times out and I can't get in as admin either.

Contributors

When using LDAP External authentication, I am unable to create a new user on the user administration page.

It does not require a password to create the user, but when you click Add, you receive the error message "Password should be at least characters long"


Users are created when they login the first time, but I need to configure permissions before they login.

Contributors

Hi,

I attempted to configure tikiwiki to use PEAR:Auth authentication posted by this link http://doc.tikiwiki.org/tiki-index.php?page=Login%20Config.

However, I still get error "invalid username or password". Is there any way I can debug this?

My installed PHP version 4.4.6 with PEAR:Auth installed.
My Apache version 2.0.59 configured with LDAP.

Any suggestion is appreciated.

[http://sourceforge.net/tracker/index.php?func=detail&aid=1325010&group_id=64258&atid=506846]

Hello,
Installed tikiwiki 1.9 on a CentOS 4.4.
Assigned autenthication to external LDAP server ( Windows AD ) , but the problem
remains even with IMAP.
Login with admin works
Login with external users presents again the login screen ( no "bad password" just the login screen again and again )

I debugged the code and found the both IMAP and LDAP modeles correctly check the user
and at the end of tiki-login.php the "tiki-user-tikiwiki" Cookie is set with the IMAP/LDAP username, but then at start of "tiki-index.php" the $user variable is empty.
A further check states that session_id() at the end of tiki-login.php is different from session_id() at start of tiki-index.php ( and this explains why the value of variables are different ).
10 correct authentication produce 10 different PHPSESS file with correct username but tiki-index.php always load the first one ( without username set ).

This has been reproduced with php-4.3.9-3.22 on a Centos 4.2, 4.3 and 4.4

After upgrading from 1.9.7 to 2.0 I am no longer able to configure IMAP authentication.

templates/tiki-admin-include-login.tpl no longer contains any mention of IMAP, POP3 or vpopmail as it did in 1.9.7.

(Note: this renders tikiwiki unuseable for my organization)

While CAS authentication is great, it allows multiple users to login if you have a widely common CAS server.
For example, SecurePass [1] strong authentication allow ALL securepass users to login through their CAS.
The need is to optionally limit which users or users domain can login to tikiwiki through CAS.

[1] www.secure-pass.net

With revision 31581 the LDAP group synchronisation has been limited to only happen 60 seconds after the login:

http://tikiwiki.svn.sourceforge.net/viewvc/tikiwiki/trunk/lib/userslib.php?r1=31565&r2=31581&pathrev=31581

So far as I can see this method is only called during the LDAP login procedure, so the if-statement in line 1415 will always be false, thus no synchronisation will happen.

I checked this problem with 7.1, 7.2 and 8.3 and never succeded to get the groups from an AD although the LDAP login worked. After disseminating the code and removing this if-statement the feature works again.

I wonder what the the use of this if-statement was? The commit message refers to webdav changes - how does it affect this?
Can this statement be removed so LDAP group synchronisation works or is there another way to fix this?

LDAP group synchronisation is dependent on the "corresponding user attribute", a setting which is only needed if an external directory is used for group synchronisation.

The fix is simple - the combination of if-staments just need to be adjusted slightly - see patch.

When groups are synchronised with a big LDAP organisation many empty groups may end up in Tikiwiki.

This enhancement / patch adds an option to let the administrator of a tikiwiki instance decide whether during synchronisation of groups only the user assignments to existing groups will be done or if non-existent groups will be created in tikiwiki.

The default behaviour - as of now - is that when a LDAP user logs in all the groups he belongs to will be created in tikiwiki and he is being added as a member of these groups.

This enhancement adds the preference "ldap_create_groups_tiki" which is "y" by default - which corresponds to the current behaviour.

If "ldap_create_groups_tiki" is set to "n" and a LDAP user logs in the group synchronisation process will silently ignore groups that exist in LDAP but not in tikiwiki. Existing groups will be synced, though.

I am referencing forum post: https://tiki.org/tiki-view_forum_thread.php?comments_parentId=43682&topics_offset=1

I would like the ability for users in child domains to access the TikiWiki site the same way users in the parent site are able to access it. According to the forum post, "Tiki is not currently capable of authenticating against multiple domains (or multiple LDAP servers)" and "The code could be modified to search, say, the global catalog for the user's DN and then authenticate against the corresponding domain, but this would be custom coding"

I would like an option to specify multiple domains, or a custom code I could use to search the global catalog for the user's DN.

Basically I want all of my users in all of my offices to access the Tiki site. Not just the home office users.

I was unable to get group sync for ldap working, and after changing two lines of code in userslib.php I was able to get it working.

The changes I made are the __procedure__ section, and I have included my settings also in case someone is having a similar issue, or is just trying to set up LDAP group sync and would like to see a working example, and in case it is useful in your troubleshooting.

When editing an external group (a group created automatically by tiki when syncing groups with ldap) the isExternal flag which should be set to Y is set to N.

Context:
User logs in, and tiki groups are syncing with a OU on the AD, so a group is added. Say this group is "tiki-admin".
We want users part of the group tiki-admin on the AD to have admin perms on the wiki, so we edit the group in tiki and set it to inherit permissions from the local Admin group. When you hit the "Save" button after editing the group (you don't have to change anything) the group's isExternal flag is set to "n", meaning it will not sync like an external group.

Users added to the group in the AD will be added to it in tiki, but users removed from it in the AD will not be removed from the group in tiki.

Features Classification

Should already be supported since we use PEAR::AUTH
http://pear.php.net/package/Auth

Needs testing and confirmation.

Hello all.

Almost by chance I noticed a behavior which seems wrong regarding the LDAP authentication on TikiWiki 2.0. I'm not sure if it was already present in 1.9.11 but I don't think so. We migrated last week.

Regarding the TW configuration:

- authentication method is "Tiki+PEAR::Auth"
- users cannot register and cannot change password
- "Create user if not in Tiki?" is on
- "Create user if not in Auth?" is off
- "Just use Tiki auth for admin?" is on
- The LDAP auth configuration paramters are correct, the auth itself works well, as it worked in 1.9.11. When TW connects to the LDAP server (OpenLDAP 2.1.30) the authentication works as expected.

This means that a Tiki account is created when LDAP users login for the first time. As expected, in presence of such a user, TW connects to LDAP, authenticates, creates Tiki account and logs the user in (I have some doubts in this last item though). However, when users log in again after this, I would expect that authentication is still delegated completely to the LDAP and is not done through Tiki. Instead, I have confirmed by looking at my LDAP logs that when TW finds a Tiki account, it authenticates the user through Tiki and never connects to the LDAP. This is not the expected behavior, because it means that passwords are being stored on the TW database and actually used for authentication. As a consequence, when a user changes his password on the LDAP, this is not "seen" by TW.

I'm pretty sure this is not the intended behavior also because if I go to Admin Users, both the "edit user" and the "add user" boxes show the following:

"No password is required
Tikiwiki is configured to delegate the password managment to LDAP through PEAR Auth."

And actually, the "edit user" box also says "Warning: changing the username will require the user to change his password" which is a contradiction since the password should be managed by LDAP and my TW is configured to disallow users from being able to change their passwords.

Paulo

We are using LDAP authentication at our site and the email field is not being automatically filled in. This means we must manually setup our email for each user for the page change notifications to work.


Note we are connecting to an ActiveDirectory LDAP database which does not like anonymous binds so had to make a patch based on the following suggestion:

http://tikiwiki.org/tiki-view_forum_thread.php?topics_offset=58&forumId=6&comments_parentId=14021

Our Active Directory is configured not to allow arbitrary LDAP searches for unprivileged users. However, these users can successfully bind to AD's LDAP interface. This would be enough for authentication and we would not need a special account for checking authentication.

I therefore removed parts of the function fetchData in /lib/pear/Auth/Container/LDAP.php:

{img src=images/code.png}%%% {CODE()}
function fetchData($username, $password)
{
$this->log('Auth_Container_LDAP::fetchData() called.', AUTH_LOG_DEBUG);
$err = $this->_prepare();
if ($err !== true) {
return PEAR::raiseError($err->getMessage(), $err->getCode());
}

$err = $this->_getBaseDN();
if ($err !== true) {
return PEAR::raiseError($err->getMessage(), $err->getCode());
}

// UTF8 Encode username for LDAPv3
if (@ldap_get_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $ver) && $ver == 3) {
$this->log('UTF8 encoding username for LDAPv3', AUTH_LOG_DEBUG);
$username = utf8_encode($username);
}

/* // make search filter
$filter = sprintf('(&(%s=%s)%s)',
$this->options['userattr'],
$this->_quoteFilterString($username),
$this->options['userfilter']);

// make search base dn
$search_basedn = $this->options['userdn'];
if ($search_basedn != '' && substr($search_basedn, -1) != ',') {
$search_basedn .= ',';
}
$search_basedn .= $this->options['basedn'];

// attributes
$searchAttributes = $this->options['attributes'];

// make functions params array
$func_params = array($this->conn_id, $search_basedn, $filter, $searchAttributes);

// search function to use
$func_name = $this->_scope2function($this->options['userscope']);

$this->log("Searching with $func_name and filter $filter in $search_basedn", AUTH_LOG_DEBUG);

// search
if (($result_id = @call_user_func_array($func_name, $func_params)) === false) {
$this->log('User not found', AUTH_LOG_DEBUG);
} elseif (@ldap_count_entries($this->conn_id, $result_id) >= 1) { // did we get some possible results?

$this->log('User(s) found', AUTH_LOG_DEBUG);

$first = true;
$entry_id = null;

do {

// then get the user dn
if ($first) {
$entry_id = @ldap_first_entry($this->conn_id, $result_id);
$first = false;
} else {
$entry_id = @ldap_next_entry($this->conn_id, $entry_id);
if ($entry_id === false)
break;
}
$user_dn = @ldap_get_dn($this->conn_id, $entry_id);

// as the dn is not fetched as an attribute, we save it anyway
if (is_array($searchAttributes) && in_array('dn', $searchAttributes)) {
$this->log('Saving DN to AuthData', AUTH_LOG_DEBUG);
$this->_auth_obj->setAuthData('dn', $user_dn);
}

// fetch attributes
if ($attributes = @ldap_get_attributes($this->conn_id, $entry_id)) {

if (is_array($attributes) && isset($attributes['count']) &&
$attributes['count'] > 0) {

// ldap_get_attributes() returns a specific multi dimensional array
// format containing all the attributes and where each array starts
// with a 'count' element providing the number of attributes in the
// entry, or the number of values for attribute. For compatibility
// reasons, it remains the default format returned by LDAP container
// setAuthData().
// The code below optionally returns attributes in another format,
// more compliant with other Auth containers, where each attribute
// element are directly set in the 'authData' list. This option is
// enabled by setting 'attrformat' to
// 'AUTH' in the 'options' array.
// eg. $this->options['attrformat'] = 'AUTH'

if ( strtoupper($this->options['attrformat']) == 'AUTH' ) {
$this->log('Saving attributes to Auth data in AUTH format', AUTH_LOG_DEBUG);
unset ($attributes['count']);
foreach ($attributes as $attributeName => $attributeValue ) {
if (is_int($attributeName)) continue;
if (is_array($attributeValue) && isset($attributeValue['count'])) {
unset ($attributeValue['count']);
}
if (count($attributeValue)<=1) $attributeValue = $attributeValue[0];
$this->log('Storing additional field: '.$attributeName, AUTH_LOG_DEBUG);
$this->_auth_obj->setAuthData($attributeName, $attributeValue);
}
}
else
{
$this->log('Saving attributes to Auth data in LDAP format', AUTH_LOG_DEBUG);
$this->_auth_obj->setAuthData('attributes', $attributes);
}
}
}
@ldap_free_result($result_id);


// need to catch an empty password as openldap seems to return TRUE
// if anonymous binding is allowed
*/ $user_dn = $username;
if ($password != "") {
$this->log("Bind as $user_dn", AUTH_LOG_DEBUG);

// try binding as this user with the supplied password
if (@ldap_bind($this->conn_id, $user_dn, $password)) {
$this->log('Bind successful', AUTH_LOG_DEBUG);
// check group if appropiate
if (strlen($this->options['group'])) {
// decide whether memberattr value is a dn or the username
$this->log('Checking group membership', AUTH_LOG_DEBUG);
$return = $this->checkGroup(($this->options['memberisdn']) ? $user_dn : $username);
$this->_disconnect();
return $return;
} else {
$this->log('Authenticated', AUTH_LOG_DEBUG);
$this->_disconnect();
return true; // user authenticated
} // checkGroup
} // bind
} // non-empty password
// } while ($this->options['try_all'] == true); // interate through entries
// } // get results
// default
$this->log('NOT authenticated!', AUTH_LOG_DEBUG);
$this->_disconnect();
return false;
}
{CODE}

If would be nice to have a checkbox in the LDAP part of the admin page for selecting this behaviour.

LDAPv2 is obsolete, and the use of LDAPv3 is now standard practice. In fact, the [http://www.openldap.org/faq/data/cache/822.html|latest releases of OpenLDAP don't even support LDAPv2 properly anymore]. However, PHP's ldap_connect() and PEAR::Auth [http://www.openldap.org/lists/openldap-software/200204/msg00046.html|default to LDAPv2].

The patch to use LDAPv3 is attached. It shouldn't be difficult to make the LDAP protocol version a configurable preference.

Hi All,

I’m working on the Tikiwiki 2.2 with a LDAP authentication.

In the login option, I see it is possible to automatically give someone access in the Tiki if this person is in LDAP directory.

My question is: Is it possible to define access with a Distribution List group and not with the entire LDAP directory?

On another note, do you know why “LDAP Member is DN” can not be set to “yes?”

Thanks for your response

in file tiki-admin_include_login.php
if (isset($_REQUEST["auth_pear"])) {
check_ticket('admin-inc-login');
simple_set_toggle('auth_create_user_tiki');
............
....
.....
missing 2 lines below.
simple_set_value('auth_ldap_emailattr');
simple_set_value('auth_ldap_countryattr');

Missing database entries for ldap email and country

System environment:
Tiki 6
Windows Server 2008 64bit
Apache x64 2.2.11
PHP x64 5.2.5 (lib/smarty/libs/internals/core.is_secure.php patched to make it work)

LDAP authentication against AD does work once configured properly
BUT
Debugging the configuration was hard because turning on logging caused errors!
When logging is off, all is well. When logging is on and line 346 of lib/auth/ldap.php is commented out, all is well.
It seems that when logging is active, "$filter->asString()" on that line causes an error on our system. The same call is made on line 262 with a simpler filter and works OK.

Perhaps when checking groups, asString is returning too much for the logging system to handle?

That's what the mod descritpion says:
{CODE()}
author: mcfarland
last modification: 2006/12/22 01:49:26
by: mcfarland
features/phpcas/COPYRIGHT -> lib/phpcas/COPYRIGHT
features/phpcas/README -> lib/phpcas/README
features/phpcas/source/CAS/CAS.php -> lib/phpcas/source/CAS/CAS.php
features/phpcas/source/CAS/PGTStorage -> lib/phpcas/source/CAS/PGTStorage
features/phpcas/source/CAS/PGTStorage/pgt-db.php -> lib/phpcas/source/CAS/PGTStorage/pgt-db.php
features/phpcas/source/CAS/PGTStorage/pgt-file.php -> lib/phpcas/source/CAS/PGTStorage/pgt-file.php
features/phpcas/source/CAS/PGTStorage/pgt-main.php -> lib/phpcas/source/CAS/PGTStorage/pgt-main.php
features/phpcas/source/CAS/client.php -> lib/phpcas/source/CAS/client.php
features/phpcas/source/CAS/domxml-php4-php5.php -> lib/phpcas/source/CAS/domxml-php4-php5.php
features/phpcas/source/CAS/languages/english.php -> lib/phpcas/source/CAS/languages/english.php
features/phpcas/source/CAS/languages/french.php -> lib/phpcas/source/CAS/languages/french.php
features/phpcas/source/CAS/languages/greek.php -> lib/phpcas/source/CAS/languages/greek.php
features/phpcas/source/CAS/languages/languages.php -> lib/phpcas/source/CAS/languages/languages.php
{CODE}

And that's what it says to me when attempting to install it:
{CODE()}
Warning: mkdir(lib/phpcas/source/CAS/PGTStorage): File exists in c:\archivos de programa\easyphp1-8\www\branch-1-9\lib\mods\modslib.php on line 68

Warning: copy(mods/features/phpcas/source/CAS/PGTStorage/pgt-db.php): failed to open stream: No such file or directory in c:\archivos de programa\easyphp1-8\www\branch-1-9\lib\mods\modslib.php on line 375
features/phpcas/source/CAS/PGTStorage/pgt-db.php to lib/phpcas/source/CAS/PGTStorage/pgt-db.php impossible to copy
{CODE}

Scenario:
TikiWiki version 4.1
Auth against LDAP
LDAP being used: Novell eDirectory

Problem:
user can not log in unless the complete DN of the user is specified.
In my scenario the users are spread across the complete tree, so no chance to provide a specific "User DN", additionally a "Base DN" needs to be specified in order restrict the search to the city where the service runs. Finally only the default option provided at the "LDAP Bind Type" seems to be correct for eDirectory.

How this has been solved:
1.- The code modified has been: lib/auth/ldap.php
2.- If the LDAP connect operation fails, then a try to search for the user is triggered
3.- if the user is found then the LDAP, the his/her DN is extracted and a new LDAP connect is performed.

Here the diff of the modified code:
{CODE(colors="php")}diff -uN ldap.php ldap.php.new
--- ldap.php 2009-10-30 16:53:31.000000000 +0100
+++ ldap.php.new 2010-01-13 22:28:18.000000000 +0100
@@ -200,6 +200,50 @@

$this->ldaplink= Net_LDAP2::connect($options);
if(Net_LDAP2::isError($this->ldaplink)) {
+ /* This modification is placed in order to add a kind of e-Directory compatibility.
+ For e-Directory and according to what I found about documentation - please consider I'm not an expert on this matter -
+ e-Directory will only get a positive result for the user search (with is password) only if the dn is pointing to the place where
+ the user object has been created, so we need first to find this data.
+ In the next lines the user data will be searched, and once found (if found) the info related to binddn will be updated
+ */
+ // filters to locate the user
+ $filter1=Net_LDAP2_Filter::create('objectClass','equals',$this->options['useroc']);
+ $filter2=Net_LDAP2_Filter::create($this->options['userattr'],'equals',$this->options['username']);
+ $filter=Net_LDAP2_Filter::combine('and',array($filter1,$filter2));
+ if(Net_LDAP2::isError($filter)) {
+ $this->add_log('ldap','LDAP Filter creation error: '.$filter->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return false;
+ }
+ $searchoptions=array('scope' => $this->options['scope']);
+ // unset the binddn, if set then the connect will fail
+ unset ($options['binddn']);
+ $this->ldaplink= Net_LDAP2::connect($options);
+ if(Net_LDAP2::isError($this->ldaplink)) {
+ $this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return($this->ldaplink->getCode());
+ }
+ $searchresult = $this->ldaplink->search($this->options['basedn'],$filter,$searchoptions);
+ if($searchresult->count()!=1) {
+ // More then 1 user ... problem
+ $this->add_log('ldap','Error: ldap search found this amount of useres:'.$searchresult->count().' which is not 1. at line '.__LINE__.' in '.__FILE__);
+ return false;
+ }
+ $entry=$searchresult->shiftEntry();
+ if (Net_LDAP2::isError($entry)) {
+ $this->add_log('ldap','Error fetching user entries: '.$entry->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ return($this->ldaplink->getCode());
+ }
+ // Set the binddn again
+ $options['binddn']=$entry->dn();
+ // Try again now with the correct binddn
+ $this->ldaplink= Net_LDAP2::connect($options);
+ if(Net_LDAP2::isError($this->ldaplink)) {
+ $this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
+ // return Net_LDAP2 Error codes. No need to redefine this.
+ return($this->ldaplink->getCode());
+ }
+ // The rest of the code gets encapsulated in the else
+ }else {
$this->add_log('ldap','Error: '.$this->ldaplink->getMessage().' at line '.__LINE__.' in '.__FILE__);
// return Net_LDAP2 Error codes. No need to redefine this.
return($this->ldaplink->getCode());
@@ -371,5 +415,5 @@
if($this->options['debug'])
$this->logslib->add_log($facility,$message);
}
-
+
}
{CODE}

References:
[http://tikiwiki.org/tiki-view_forum_thread.php?topics_offset=19&topics_sort_mode=lastPost_desc&forumId=17&comments_parentId=32433|Info in TikiForum]
[http://www.codeproject.com/KB/system/eDirectoryAuthentication.aspx|Info about eDirectory]

Hope this could be a kind of contribution
TalindoChe

When using OpenID + Registration CAPTCHA...
With Tiki 2.2...

I attempted to register using my OpenID:

#On the Login page, I entered my OpenID.
#My OpenID was validated and Tiki shows the page where I can either associate my OpenID with an existing Tiki account, or register as a new user.
#I completed the registration form (including the correct CAPTCHA), but Tiki keeps saying that the Anti-bot code was incorrect.

Additionally, the registration form presented with the OpenID __does not__:
*Display the password minimum requirements (such as number of characters).
*Allow for the selection of groups.


__Duplicate of {wish id=1505}__

For sites with open content it's very important that a visitor who came through a link from search engine or somewhere else would have minimum problems with adding new information to the wiki.
My personal example: I have a blog on livejournal.com and now plan to create a homepage based on tiki, but I don't want to make all of my friends from LJ to pass registration on my site. Even if they all would, it's unreal to make them all use the same logins as there.

Active Directory doesn't allow for anonymous searches of its structure. Instead, an username and password for an account with search access must be given when connecting.

The ldap_sync_user_and_groups function is missing the $user and $pass arguments (types, or whatever you call them). This means that when using LDAP the user will not be added to the LDAP groups and the user's information (name, email, etc) will not be populated. I have a fix listed below, but I don't know if it will break something else.

The login settings page should be refactored to eliminate the presentation of unneeded configuration options.

userslib.php is actually a mess where AuthPAM, PEAR and CAS have been pasted inside, my idea is to rewrite userslib.php with the idea of "modular authenticators" that is, having a directory like lib/userslib/ put there authlib_cas.php, authlib_pear.php, authlib_pam.php and tikiauth.php (for the builtin tiki's authentication).

The goal is that a user can create a new authlib_*.php file for his own purposes (actually I need one for Active Directory via php-ldap and another for our customers database) without the need of touching userslib.php at all, so upgrading would be much easier, and writting your own authenticator would be really much easier than now.

I'm currently working on that on BRANCH-1-9 as that's the one I use at the office but userslib.php from 1.9 to HEAD is untouched so no issues come with that.

My plan is to initially split userslib.php into cas, pear, pam and the builtin modules (a lot of work there!) then rewrite the Login section of the admin panel so it adapts to it's new nature.

The ways to preserve environment I've tought are: being able to enable/disable any module at any time, having only the current 3 enabled by default, and set what would be the new "authenticators_order" preference to meet the current possible situations also retaining preferences.

What I still don't know how to handle is:
* How an authenticator can create/delete it's preferences from tiki_preferences when enabled/disabled (is there any tikilib function to create/delete preferences?)

Comments are welcome!

(NOTE: I'm not sure that this tracker is the place for that.. I saw it's a TODO... am I right?)

I have configured "tiki and pear::auth" in the login section of tikiwiki on a server which did not have the pear php libraries installed.
Next time I try to login with a user (not admin), I see a blank page.

This happens because on line 756 of file lib/userslib.php
$a = new Auth("LDAP", $options, "", false, $user, $pass);
just dies without any error message.