MantisBT

ID: 0009954
Project: mantisbt
Category: ldap
View Status: public
Date Submitted: 2008-12-10 06:49
Last Update: 2014-09-23 18:05
Reporter: Kirill
Assigned To: (none)
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: new
Resolution: open
Platform: Windows
OS: Windows XP
OS Version: 1.1.0
Product Version: 1.1.5
Target Version: (none)
Fixed in Version: (none)
Summary: 0009954: More than one ldap-server
Description: I have 3 different AD servers with LDAP. I can write only one LDAP server in the config for authentication. Maybe add more than one server?
Tags: No tags attached.
Attached Files: multildap.patch (8,862 bytes) 2010-05-13 07:22

- Relationships
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
has duplicate 0007011 (closed, vboctor): Ability to authenticate against multiple LDAP directories

- Notes
(0020352) vboctor (administrator) 2008-12-12 02:47

So each LDAP server has a separate set of users? What is the use case behind having multiple LDAP servers?
(0020357) Kirill (reporter) 2008-12-12 05:05

Yes. All users are unique.
(0020363) grangeway (reporter) 2008-12-12 14:21

I run a patch at work against Mantis to support multiple OUs.

I'm just wondering whether the code for that case could be extended to support this, although I'm thinking probably not.

Is this within 1 project?
I'm just trying to think of what one might want the code to do: when trying to find a user, try the 1st, try the 2nd server... then look up the email, try the 1st, try the 2nd (you'd probably not want to store the LDAP server details against a user)... so this would be a performance hit.

Similarly, what would the expected behaviour be if you've got 2 different users (Fred in LDAP A and Fred in LDAP B) with the same username when logging in...

What we probably could/should do is allow a fallback LDAP server (for if the first is offline); in that case, you could probably make a small change to the routines to continue instead of breaking off if you got a 'not found' result from a server.

Paul
(0020366) Kirill (reporter) 2008-12-13 11:27

Can we log in with a full domain name? For example fred@domain1.com and fred@domain2.com
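A model of the fallback and name-collision rules discussed in the two notes above, written as an added Python example (not MantisBT code and not grangeway's patch): each directory is a constructed in-memory stand-in, a bare username is searched in every configured directory, a user@domain login pins one directory as Kirill suggests, an unreachable server is skipped but remembered so an outage is never reported as a bad password, and a username held by more than one directory is refused as ambiguous.

```python
from dataclasses import dataclass
from enum import Enum
class Result(Enum):
    OK = "ok"
    BAD_PASSWORD = "bad_password"
    NOT_FOUND = "not_found"      # no reachable directory holds the user, none offline
    AMBIGUOUS = "ambiguous"      # the same username exists in more than one directory
    UNAVAILABLE = "unavailable"  # a directory that might hold the user was offline

@dataclass
class Directory:
    domain: str
    users: dict            # username -> password; constructed sample data, no real LDAP
    online: bool = True
    def find(self, username):
        if not self.online:
            raise ConnectionError(self.domain)
        return username in self.users
    def bind(self, username, password):
        if not self.online:
            raise ConnectionError(self.domain)
        return self.users.get(username) == password

def authenticate(login, password, directories):
    """'fred@domain1.com' pins one directory; a bare 'fred' is searched in all."""
    username, _, domain = login.partition("@")
    candidates = [d for d in directories if not domain or d.domain == domain]
    holders, offline = [], []
    for d in candidates:
        try:
            if d.find(username):
                holders.append(d)
        except ConnectionError:
            offline.append(d)   # transient: keep trying the others, but remember it
    if len(holders) > 1:
        return Result.AMBIGUOUS  # refuse rather than guess which Fred is logging in
    if not holders:
        # Report "no such user" only when every candidate directory answered.
        return Result.UNAVAILABLE if offline else Result.NOT_FOUND
    try:
        return Result.OK if holders[0].bind(username, password) else Result.BAD_PASSWORD
    except ConnectionError:
        return Result.UNAVAILABLE

DIRECTORIES = [  # constructed sample data
    Directory("domain1.com", {"fred": "s3cret", "alice": "pw-a"}),
    Directory("domain2.com", {"fred": "other", "bob": "pw-b"}),
    Directory("domain3.com", {"carol": "pw-c"}, online=False),
]
```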
(0025494) AlexM600 (reporter) 2010-05-13 07:22

Hello
I've written a little patch for 1.2.1 for Multi LDAP:
1. Added new login_method MIXED
  1.1 You can configure several LDAP profiles
  1.2 You also have a LOCAL (SQL DB) auth profile
  1.3 You can select the profile on the login page
2. When you use the MIXED method
  2.1 Users cannot reset their passwords (like in the LDAP profile)
  2.2 The administrator can reset a user's password on the User Management page. This password will be used for the LOCAL profile
3. On the re-authentication page the administrator uses the earlier selected profile to re-log on
4. Storing the LDAP password in the local db is now configurable by $g_ldap_store_to_localdb.
(0025495) AlexM600 (reporter) 2010-05-13 07:25

Please, could somebody check it for possible bugs?
(0025708) mikehelms (reporter) 2010-06-04 10:42

Alex, this is brilliant and it works perfectly.

Thanks for sharing this. I hope this eventually gets worked into the main build; it's probably not something that a lot of people will use, but it makes the LDAP functionality incredibly versatile.
(0026026) paontis (reporter) 2010-07-06 12:21

Hi Alex, great job.
But I have a question. I see that in your patch you modify the GLOBAL variable $g_login_method on the fly.
Isn't this dangerous in case of concurrent accesses? In this way there is a discrepancy between the variable read from the configuration file and the same variable accessed directly.

I report here some logging I added; I hope this could be helpful:

 2010-07-06 18:08 CEST ldap login.php BEFORE the patch code:
 2010-07-06 18:08 CEST ldap config_get( 'login_method' ): 7
 2010-07-06 18:08 CEST ldap g_login_method' : 7

 2010-07-06 18:08 CEST ldap login.php AFTER the patch code:
 2010-07-06 18:08 CEST ldap config_get( 'login_method' ): 7
 2010-07-06 18:08 CEST ldap g_login_method' : 4
(0026041) paontis (reporter) 2010-07-08 12:19

More: I logged in with my user with the local profile and changed the local password.
Then I am no longer able to log in with LDAP.
I think because before I also didn't really authenticate with LDAP.
The login appeared to be successful because when using the native LDAP the password was copied into the local db.
But the function auth_does_password_match in authentication_api.php performs the following check:
if( LDAP == $t_configured_login_method ) {
    return ldap_authenticate( $p_user_id, $p_test_password );
}
It means that when the login method is == MIXED, the LDAP authentication is not performed.
So the patch by Alex is a good starting point, but it needs to be reworked.
(0028520) kgron (reporter) 2011-04-04 04:38

Hi Alex,
this patch is exactly what I needed to put Mantis to work. However, I found an error in the process which could be problematic. When you have to reauthenticate, Mantis saves your password in PLAIN TEXT into the Mantis database instead of an MD5 hash.
I located the problem in function auth_process_plain_password (authentication_api.php) and changed the default behaviour of a plain password into the same as MD5.
Has someone noticed the same behaviour on his Mantis with this patch?
(0028720) paontis (reporter) 2011-04-29 07:14

Hi kgron,

instead of changing the case of the plain password, I think it is cleaner to add this one:

case MIXED:
    $t_processed_password = md5( $p_password );
    break;

see also my two previous notes: 0009954:0026041 and 0009954:0026026
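The two problems in notes 0009954:0026041 and 0009954:0028720 modelled side by side as an added Python example, not MantisBT's own code: the directory, the local password table, the profile names and the 'as patched' functions are constructed stand-ins for the behaviour those notes describe, and the 'fixed' variants apply the dispatch and hashing changes they propose.

```python
import hashlib
import hmac

LDAP, MIXED = "LDAP", "MIXED"                  # login methods named on the page
PROFILE_LDAP, PROFILE_LOCAL = "ldap", "local"  # profiles the MIXED login page offers

# Constructed sample data. The directory holds fred's current password; the
# local table holds the MD5 copy that $g_ldap_store_to_localdb wrote at an
# earlier login, before fred changed the directory password.
DIRECTORY = {"fred": "ldap-pass-now"}
LOCAL_DB = {"fred": hashlib.md5(b"ldap-pass-old").hexdigest()}

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def ldap_authenticate(user, password):
    return DIRECTORY.get(user) == password      # stand-in for an LDAP bind

def local_password_matches(user, password):
    stored = LOCAL_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, md5_hex(password))

def password_matches_as_patched(method, profile, user, password):
    # Mirrors the check paontis quotes: only the literal LDAP method reaches
    # the directory, so MIXED always falls through to the stale local copy.
    if method == LDAP:
        return ldap_authenticate(user, password)
    return local_password_matches(user, password)

def password_matches_fixed(method, profile, user, password):
    # Under MIXED, dispatch on the profile chosen at login: an LDAP profile
    # binds to the directory and never consults the local copy.
    if method == LDAP or (method == MIXED and profile == PROFILE_LDAP):
        return ldap_authenticate(user, password)
    return local_password_matches(user, password)

def process_plain_password_as_patched(method, password):
    # kgron's finding: with no MIXED case, the re-authentication path fell
    # through to the plain-text default and stored the password verbatim.
    return md5_hex(password) if method == "MD5" else password   # other methods omitted

def process_plain_password_fixed(method, password):
    # paontis's 'case MIXED:' branch: hash it the way the LOCAL profile compares.
    # (MD5 matches MantisBT 1.2's LOCAL scheme; a modern build would use a
    # slow salted hash for local credentials.)
    return md5_hex(password) if method in ("MD5", MIXED) else password
```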
(0030555) pigbrain (reporter) 2011-12-12 03:29

Hi Paontis

I met the same problem as you in note 0009954:0026041.
Could you share with me how you fixed the problem?
Thanks a lot.
(0030991) grangeway (reporter) 2012-01-22 05:34

The 1.3 series will support an array of LDAP servers.
(0036296) grangeway (reporter) 2013-04-05 17:57

Marking as 'acknowledged', not resolved/closed, to track that the change gets ported to the master-2.0.x branch.

- Issue History
Date Modified Username Field Change
2008-12-10 06:49 Kirill New Issue
2008-12-12 02:47 vboctor Note Added: 0020352
2008-12-12 02:47 vboctor Status new => feedback
2008-12-12 05:05 Kirill Note Added: 0020357
2008-12-12 14:21 grangeway Note Added: 0020363
2008-12-13 11:27 Kirill Note Added: 0020366
2009-07-05 21:11 vboctor Relationship added has duplicate 0007011
2009-10-27 23:29 vboctor Status feedback => acknowledged
2010-05-13 07:22 AlexM600 Note Added: 0025494
2010-05-13 07:22 AlexM600 File Added: multildap.patch
2010-05-13 07:25 AlexM600 Note Added: 0025495
2010-06-04 10:42 mikehelms Note Added: 0025708
2010-07-06 12:21 paontis Note Added: 0026026
2010-07-08 12:19 paontis Note Added: 0026041
2011-04-04 04:38 kgron Note Added: 0028520
2011-04-29 07:14 paontis Note Added: 0028720
2011-12-12 03:29 pigbrain Note Added: 0030555
2012-01-22 05:34 grangeway Note Added: 0030991
2012-01-22 05:34 grangeway Status acknowledged => resolved
2012-01-22 05:34 grangeway Fixed in Version => 1.3.x
2012-01-22 05:34 grangeway Resolution open => fixed
2012-01-22 05:34 grangeway Assigned To => grangeway
2013-04-05 17:57 grangeway Status resolved => acknowledged
2013-04-05 17:57 grangeway Note Added: 0036296
2013-04-05 18:26 grangeway Relationship added related to 0015721
2013-04-06 09:26 dregad Tag Attached: 2.0.x check
2013-04-06 09:26 dregad Status acknowledged => resolved
2013-04-27 16:58 atrol Assigned To grangeway =>
2013-04-27 16:58 atrol Status resolved => new
2013-04-27 16:58 atrol Resolution fixed => open
2013-04-27 16:58 atrol Fixed in Version 1.3.x =>
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team