A directory service like Active Directory in Windows is used to store users'
information (name, address, e-mail, phone etc.) in a centralized location.
Besides being used as a directory, Active Directory is used for authentication in
a network. This means Active Directory can store the login credentials (username
and password) of users to allow them access to applications and network
resources. All applications look up the directory service to validate the login
credentials instead of storing the credentials in their own store (such as their
own databases). If a user wants to change his password, he only needs to change
it at one place: in the Active Directory. Subsequently, he would be able to log
on to all the applications with his new password.
Windows and Windows applications integrate easily with Active Directory; after
all, Active Directory is the de facto directory service on Windows. What about an
application developed with open source technology? What about open source
products?
PHP is undoubtedly one of the most popular open source languages for
developing web applications. What if you are writing a new PHP application for
your organization and want that application to authenticate against an existing
Active Directory server? The answer is to use a PHP library of functions called
adLDAP (as explained later). Next, numerous open source web applications (like
blogs and content management systems) and enterprise applications (like CRM and
mailing lists) have been written in PHP. In this article, we explain how to
configure the following PHP-based open source applications to authenticate
against an Active Directory:
SugarCRM (www.sugarcrm.com): A customer relationship management (CRM) system
Joomla (www.joomla.org): A content management system
Wordpress (www.wordpress.org): A blogging platform
phpBB (www.phpbb.com): A web based discussion forum
PHPlist (www.phplist.com): A newsletter/mailing list system
Active Directory setup
For this article, we used Windows Server 2008 and had set up pcqlinux.net as
the domain. Assuming that you have already installed and set up Active Directory,
let's create a user called 'Shekhar Govindarajan' in the directory. Click on
Start>Administrative Tools>Active Directory Users and Computers. Right click on
Users, under the domain, and select New>User. Type in the following details:
First name: Shekhar
Last name: Govindarajan
User logon name: shekhar.govindarajan
The ADSI Edit console in Windows Server gives a detailed peek into the directory organization of Active Directory. This is quite useful to understand and query an Active Directory. ADSI Edit can be launched via adsiedit.msc.
Click on 'Next' and type in the password as pass@word2. Uncheck the box 'User
must change password at next logon'. Click on 'Next' and then on 'Finish'. Right
click on the newly created user (found in the right pane) and select Properties.
Under the General tab, type in shekhar.govindarajan@pcqlinux.net for Email. You
may like to substitute all the above mentioned details with your own. Next we
configure each of the above mentioned open source products. Note that almost all
these products can be installed on Windows too, but that is not required for the
authentication. That is, you can deploy these products on Linux and they can
authenticate with an Active Directory on Windows. Also note that in many cases
we require the credentials of an Active Directory account that can bind to and
search through the directory. We will be using the Administrator account with
the password pass@word1 for this purpose. In a real world deployment, you must
not use the Administrator account but create a low privilege account for this
purpose.
Authenticate your custom PHP app
Using adLDAP, you can authenticate any custom or home made application
against an Active Directory. Download adLDAP from http://adldap.sourceforge.net
and extract the archive. You will find a file named adLDAP.php. Open this file
in a text editor and make the following changes (as per the Active Directory
setup):
var $_account_suffix="@pcqlinux.net";
var $_base_dn = "CN=Users,DC=pcqlinux,DC=net";
var $_domain_controllers = array ("ad.pcqlinux.net");
Note that for $_domain_controllers you will need to specify the IP address
or the hostname (ad.pcqlinux.net in our case) of the Active Directory. Save the
file. Now in the login page (say login.php) of your PHP application include the
above file as:
include("adLDAP.php");
Next with the following code you can authenticate with the Active Directory:
function authenticateWithAd($username,$password)
{
// adLDAP appends $_account_suffix to $username and binds to the domain
// controller(s) with the resulting UPN and the supplied password
$adLDAP = new adLDAP();
$auth = $adLDAP->authenticate($username,$password);
return $auth;
}
The function will return a 'true' if the authentication succeeds and a
'false', otherwise. Next we look at configuring existing open source products
for Active Directory authentication. Many have built-in capability. Others
require plugins or code modifications. We assume your familiarity with the
product(s) and will be explaining only the authentication part.
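A complete login handler built around adLDAP, as an added example (not code from the article or from the adLDAP project). It assumes the edited adLDAP.php sits beside login.php, and that the form posts the fields username and password; the adLogin() wrapper and index.php are hypothetical names. It refuses an empty password before contacting the directory, because an LDAP bind with an empty password is an unauthenticated bind that Active Directory accepts by default, whatever the library itself checks.

```php
<?php
// Added example, not part of the original article or of adLDAP.
// Assumes adLDAP.php has been edited as described above and is in this directory.
require_once 'adLDAP.php';

function adLogin($username, $password)
{
    // Never send an empty password: an empty-password LDAP bind is an
    // "unauthenticated" bind and succeeds against Active Directory by default.
    if (!is_string($username) || !is_string($password) || $password === '') {
        return false;
    }
    // Only a bare logon name is expected here; adLDAP adds the @pcqlinux.net
    // suffix itself, so reject anything that is not a plain sAMAccountName.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $username)) {
        return false;
    }
    $adLDAP = new adLDAP();
    return $adLDAP->authenticate($username, $password) === true;
}

session_start();
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['username']) ? $_POST['username'] : '';
    $pass = isset($_POST['password']) ? $_POST['password'] : '';
    if (adLogin($user, $pass)) {
        session_regenerate_id(true);      // new session id after login (no fixation)
        $_SESSION['user'] = $user;
        header('Location: index.php');    // hypothetical landing page
        exit;
    }
    // One message for unknown user and wrong password, so the form does not
    // reveal which logon names exist; the detail goes to the server log only.
    $error = 'Login failed';
    error_log('AD login failed for ' . $user . ' from ' . $_SERVER['REMOTE_ADDR']);
}
?>
<form method="post">
  <?php if ($error !== '') echo '<p>' . htmlspecialchars($error) . '</p>'; ?>
  Username: <input name="username"> Password: <input name="password" type="password">
  <input type="submit" value="Log in">
</form>
```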
SugarCRM
For this article we used SugarCRM version 5.2.0a. After installing SugarCRM,
login as admin. Click on the Admin link on the top right. Under Users>User
Management>Create New User, create a new user with the details:
First Name: Shekhar
Last Name: Govindarajan
User Name: shekhar.govindarajan
Password: secret
Confirm Password: secret
Status: Active
Fedora Directory Service can be thought of as the Active Directory for Linux. It uses LDAP and provides a graphical console for configuration. (Source: directory.fedoraproject.org)
Note that it is important to use the logon name in Active Directory as the
User Name in SugarCRM. The other details can be different. The password you
supply here is the SugarCRM password. SugarCRM will try to authenticate the user
against the Active Directory as well as against this password. If either
matches, the user is allowed to log in. Typically, you may like to give the
users only the Active Directory password and set the SugarCRM password to
something that is known only to you, so that it can be used as a fallback on
occasions when the directory service is down. Next, we will need to tell
SugarCRM about our Active Directory. For this click on Admin (top right link).
Click on System Settings. Under 'LDAP Authentication Support', check 'Enable
LDAP' and then fill in the following details:
Server: ad.pcqlinux.net
Port Number: 389
Base DN: CN=Users,DC=pcqlinux,DC=net
Bind Attribute: userPrincipalName
Login Attribute: sAMAccountName
Authenticated User: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
Authenticated Password: pass@word1
Note that for Server you will need to specify the IP address or the hostname
(ad.pcqlinux.net in our case) of the Active Directory. Click on 'Save'. Log out
and try logging in as shekhar.govindarajan with the password pass@word2, the
Active Directory password for Shekhar.
Joomla
For this article we used Joomla version 1.5.9. After installing Joomla, login as
admin in the Joomla Administration Login. Click on Site>User Manager. Click on
'New'. Type in the following details:
Name: Shekhar Govindarajan
Username: shekhar.govindarajan
E-mail: shekhar.govindarajan@pcqlinux.net
Group: Public Back-end - Manager
Note that the Username must match the logon name in Active Directory. If you
want this user to login only using his Active Directory password you can leave
the password fields blank, else the user can login using his Joomla password
too. Next, click on Extensions>Plugin Manager. Click on the plugin named
'Authentication - LDAP'. On the left, select 'Yes' for Enabled. On the right,
under Parameters, type in the following:
Host: ad.pcqlinux.net
Port: 389
LDAP V3: Yes
Negotiate TLS: No
Follow referrals: No
Authorisation Method: Bind and Search
Base DN: CN=Users,DC=pcqlinux,DC=net
Search String: sAMAccountName=
User's DN:
Connect username: cn=Administrator,cn=Users,dc=pcqlinux,dc=net
Connect password: pass@word1
Note that for Host you will need to specify the IP address or the hostname (ad.pcqlinux.net
in our case) of the Active Directory. Leave the other fields to their default.
Click on 'Save'.
Wordpress
For this article we used Wordpress version 2.7.1. To authenticate Wordpress
users with Active Directory you will need to download a Wordpress plugin called
'Simple LDAP Login'. The plugin can be downloaded from the URL http://downloads.wordpress.org/plugin/simple-ldap-login.1.2.zip.
Unzip the downloaded file in the wp-content/plugins directory.
Next, log into Wordpress as admin. First, we will need to activate the 'Simple
LDAP Login' plugin. For this, click on the Plugins menu on the left. Click on
the Activate link beside the 'Simple LDAP Login' plugin. Next, click on
Settings>"Simple LDAP Login" on the left. Type in the following:
Account Suffix: @pcqlinux.net
Base DN: CN=Users,DC=pcqlinux,DC=net
Domain Controller(s): ad.pcqlinux.net
Here the account suffix matches the domain in the 'User logon name' specified
in the Active Directory. Finally, you will need to create Wordpress users whose
usernames match the Active Directory logon names. Similar to SugarCRM and Joomla,
this setup allows users to login using either their Active Directory password or
the Wordpress password (specified while creating the Wordpress user).
phpBB
In the case of phpBB (3.0.4), unlike the above products, the users can be
authenticated only against one source, either the Active Directory or the phpBB
database. For this reason, during phpBB installation, the username of the admin
user must match the logon name of an Active Directory user. So if you opt
for the username admin, do not forget to create a user named admin in the
Active Directory. After installation, login to the ACP (Administration Control
Panel). Under 'Client Configuration' click on Authentication and fill in the
following:
Select an authentication method: Ldap
LDAP server name: ad.pcqlinux.net
LDAP base dn: CN=Users,DC=pcqlinux,DC=net
LDAP uid: sAMAccountName
LDAP user filter:
LDAP e-mail attribute: mail
LDAP user dn: CN=Administrator,CN=Users,DC=pcqlinux,DC=net
LDAP password: pass@word1
Click on submit.
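The 'bind and search' sequence that SugarCRM, Joomla and phpBB carry out with the settings given above, written out with PHP's ldap_* functions as an added example (not code from the article or from any of those products). It assumes the php-ldap extension with ldap_escape() (PHP 5.6 or later), and uses a constructed low-privilege service account (svc-ldap) in place of the Administrator account the article binds with.

```php
<?php
// Added example, not part of the original article or of any product it covers.
// Constructed service account; in the article the Administrator account is used.
$SVC_DN   = 'CN=svc-ldap,CN=Users,DC=pcqlinux,DC=net';   // placeholder DN
$SVC_PASS = 'replace-with-service-account-password';
$BASE_DN  = 'CN=Users,DC=pcqlinux,DC=net';

// Returns the user's DN on success, false on any failure.
function adBindAndSearch($host, $login, $password)
{
    global $SVC_DN, $SVC_PASS, $BASE_DN;
    if ($password === '') {
        return false;   // an empty password would be an unauthenticated bind
    }
    $ds = ldap_connect($host, 389);
    if (!$ds) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);   // "LDAP V3: Yes"
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);          // "Follow referrals: No"

    // Step 1: bind with the service account so that we are allowed to search.
    if (!@ldap_bind($ds, $SVC_DN, $SVC_PASS)) {
        ldap_unbind($ds);
        return false;
    }
    // Step 2: look the user up by logon name ("Search String: sAMAccountName=").
    // ldap_escape() makes filter metacharacters in the supplied name literal,
    // so the user cannot alter the filter.
    $filter = '(sAMAccountName=' . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = ldap_search($ds, $BASE_DN, $filter, array('dn', 'mail'));
    $entries = $sr ? ldap_get_entries($ds, $sr) : false;
    if (!$entries || $entries['count'] !== 1) {
        ldap_unbind($ds);
        return false;   // no such user, or an ambiguous match
    }
    $userDn = $entries[0]['dn'];
    // Step 3: re-bind as the user; only the correct password makes this succeed.
    $ok = @ldap_bind($ds, $userDn, $password);
    ldap_unbind($ds);
    return $ok ? $userDn : false;
}

// Example call (credentials from the article's setup).
var_dump(adBindAndSearch('ad.pcqlinux.net', 'shekhar.govindarajan', 'pass@word2'));
```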
phpList
For phpList we will use the adLDAP library (see above). The Active Directory
authentication can be used for the list admins. Create a list admin by following
'Main page'>admins (under Administrator functions). Click on add new admin. For
the username type in the Active Directory logon name (i.e. shekhar.govindarajan
in our case). Setup other parameters as per your case.
Next, we will modify the phpList code in such a way that, besides admin (the
default list admin), all other list admins will be authenticated against the
Active Directory. Assuming that you have already modified the adLDAP.php file as
explained above, copy this file to the subdirectory lists/admin of phpList. Next
open the file named phplist_auth.inc, found in lists/admin/auth, in a text
editor and add the following line after
require_once dirname(__FILE__).'/../adLDAP.php';
Modify the function validateLogin($login,$password) so that it looks as
follows:
function validateLogin($login,$password) {
$adldap = new adLDAP();
// Look up the list admin in the phpList database by login name
$admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id from %s
where loginname = "%s"',$GLOBALS["tables"]["admin"],$login));
if ($admindata["disabled"]) {
return array(0,"your account has been disabled");
// 'admin' is checked against the phpList password; everyone else is checked
// against the Active Directory. The account must still exist in phpList.
} elseif ($admindata[0] && (($login=="admin" && $admindata[0] == $password) || $adldap->authenticate($login,$password))
&& strlen($admindata[0]) > 3) {
return array($admindata["id"],"OK");
} else {
return array(0,"invalid password");
}
return array(0,"Login failed");
}
Save the file. From now on, non 'admin' users will be authenticated against
the Active Directory.
Take home
Last year with PCQLinux 2008 (bundled with the March 2008 issue of PCQuest) we
had the appliances for CMS (Alfresco), web meeting (Webhuddle) and Messaging (Zimbra)
authenticating against LDAP-based Fedora Directory Services. This time, in this
article we looked at how to authenticate our own PHP applications with Active
Directory. We picked up popular open source, PHP-based products for CRM, CMS,
Blog and discussion forums, and configured them to authenticate against Windows
2007 Active Directory. We went to the extent of modifying the code of an open
source product (thanks to it being open source) for Active Directory
authentication. We hope that we have given you enough meat to meet the central
authentication nirvana with an open source platform.