EPrints Technical Mailing List Archive


Message: #07408



[EP-tech] Inquiry on ePrints AD Authentication


Hi,

I would like to link the EPrints system to Microsoft AD for authentication. I have referred to a few websites and configured it as advised, but it is not working, with no error message.

Following is a script for eprints-AD connection testing. I tried and it is working. I can get the result.

******************************
#!/usr/bin/perl -w

# EPrints Services LDAP test script
use Net::LDAP;
use Net::LDAP::Constant;
use strict;

my ($user_sent) = $ARGV[0];

# Params
my $ldap_host = "ldaps://192.168.5.11"; # Active Directory server on example.org domain
my $bind_dn = "cn=Tarc Admin;cn=users,DC=tarc,DC=edu,DC=local"; # one or more 'ou's may need to be set
my $bind_pword = "PASSWORD";
my $base = "DC=tarc,DC=edu,DC=local"; # Likely the same domain as the AD server itself

# Connect to server
my $ldap = Net::LDAP->new( $ldap_host, version => 3, port => 636 ); # Version and port may need changing

die "LDAP connect error: $@\n" unless defined $ldap;

# Try to bind
my $mesg;
if( $bind_dn eq "" && $bind_pword eq "" )
{
       $mesg = $ldap->bind; # anonymous bind
}
else
{
       $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
}
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();

# Search for an account and get all available attributes (by not setting attrs)
$mesg = $ldap->search (
       base    => $base,
       scope   => "sub",
       filter => "sAMAccountName=$user_sent", # Most likely cn, uid or sAMAccountName
       sizelimit => 1,
);
if( $mesg->code() )
{
       print STDERR "LDAP search error: ".$mesg->error."\n";
       exit 1;
}

my $entr = $mesg->pop_entry;
unless( defined $entr )
{
       print STDERR "LDAP no search results returned\n";
       exit 1;
}

# See what attributes are set for this user
print $entr->dump;

$ldap->unbind;
******************************

I have configured the following authentication script (taken from https://wiki.eprints.org/w/LDAP), but it always shows "Incorrect username or password." although the AD login and password are correct.

******************************
=pod

# $c->{check_user_password} = sub {
#       my( $repo, $username, $password ) = @_;
#
#       ... check whether $password is ok
#
#       return $ok ? $username : undef;
#};

$c->{check_user_password} = sub {
  my( $session, $username, $password ) = @_;

  # Kerberos authentication for "user", "editor" and "admin" types (roles)

  use Net::LDAP; # IO::Socket::SSL also required
  use Authen::Krb5::Simple;
  use Authen::SASL;

  # LDAP tunables
  my $ldap_host = "ldaps://192.168.5.11"; # AD server (LDAPS)
  my $base      = "OU=TARUC,DC=tarc,DC=edu,DC=local";
  my $proxy_user ="ad_read";
  my $dn        = "CN=$proxy_user,$base";

  # Kerberos tunables
  my $krb_host = "192.168.5.11";

  my $krb         = Authen::Krb5::Simple->new(realm => $krb_host);
  unless ( $krb )
  {
        print STDERR "Kerberos error: $@\n";
        return 0;
  }

  my $ldap      = Net::LDAP->new ( $ldap_host );
  unless( $ldap )
  {
      print STDERR "LDAP error: $@\n";
      return 0;
  }

  my $sasl = Authen::SASL->new(
         mechanism => 'GSSAPI',
         callback => { user => 'ad_read' }
       ) or die "$@";

  my $mesg = $ldap->bind(sasl => $sasl);

  if( $mesg->code() )
  {
      print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
      return 0;
  }

  # Distinguished name (and attributes needed later on) for this user
  my $result = $ldap->search (
      base    => "$base",
      filter  => "(&(sAMAccountName=$username))",
      attrs   =>  ['1.1', 'uid', 'sn', 'givenname', 'mail', 'department', 'title'],
      sizelimit=>1
  );

  my $entr = $result->pop_entry;
  unless( defined $entr )
  {
      # Allow local EPrints authentication for admins (accounts not found in LDAP)
      my $user = EPrints::DataObj::User::user_with_username( $session, $username );
      return 0 unless $user;

      my $user_type = $user->get_type;
      if( $user_type eq "admin" )
      {
          # internal authentication for "admin" type
          return $session->get_database->valid_login( $username, $password );
      }
      return 0;
  }

  # Check password
  if( !$krb->authenticate( $username, $password ) )
  {
        print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
      return 0;
  }

  # Does account already exist?
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
  if( !defined $user )
  {
      # New account
      $user = EPrints::DataObj::User::create( $session, "user" );
      $user->set_value( "username", $username );
  }

  # Set metadata
  my $name = {};
  $name->{family} = $entr->get_value( "sn" );
  $name->{given} = $entr->get_value( "givenName" );
  $name->{honourific} = $entr->get_value( "title");
  $user->set_value( "name", $name );
  $user->set_value( "username", $username );
  $user->set_value( "email", $entr->get_value( "mail" ) );
  $user->set_value( "dept", $entr->get_value("department")  );
  $user->commit();

  $ldap->unbind if $ldap;

  return 1;
};

=cut

# Maximum time (in seconds) before a user must log in again
# $c->{user_session_timeout} = undef;

# Time (in seconds) to allow between user actions before logging them out
# $c->{user_inactivity_timeout} = 86400 * 7;

# Set the cookie expiry time
# $c->{user_cookie_timeout} = undef; # e.g. "+3d" for 3 days

******************************

Please advise where it went wrong. FYI, I am not familiar with Perl.

Thank you very much for your help.


Regards,
Lee Yeat Yee
CIT Centre
Tunku Abdul Rahman University College
Tel: 03-41450123 ext 3511
Fax: 03-41438980



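The `check_user_password` hook posted above sits between `=pod` and `=cut`, so Perl treats it as documentation and never runs it, and it reads `$ldap_host` without ever declaring it. The following is an added example, not code from the original post, the EPrints wiki or EPrints itself, of an equivalent hook in the plain-LDAPS style: it verifies the AD server certificate, escapes the username before it is interpolated into the search filter, refuses empty passwords (Active Directory answers an empty-password simple bind with "success", as an unauthenticated bind), and proves the password by binding as the user's own DN, so no Kerberos realm has to be configured. The host name, CA file path, base DN, proxy account and the `ldap_proxy_password` config key are placeholders to be set for your own site; `$c->{check_user_password}`, `user_with_username`, `EPrints::DataObj::User::create` and `valid_login` are the EPrints calls already used on this page, and the hook follows the return convention of the commented template (username on success, `undef` on failure).

```perl
# Added example: LDAPS-based check_user_password hook for EPrints.
# Not taken from the original post, the EPrints wiki or EPrints itself.
# All site-specific values below are placeholders.
$c->{check_user_password} = sub {
    my( $session, $username, $password ) = @_;

    use Net::LDAP;
    use Net::LDAP::Util qw( escape_filter_value );   # RFC 4515 filter escaping

    # --- site tunables (placeholders) ---
    my $ldap_host = "ldaps://ad.example.org";              # AD host, LDAPS on 636
    my $cafile    = "/etc/ssl/certs/example-ad-ca.pem";    # CA that signed the AD certificate
    my $base      = "OU=People,DC=example,DC=org";
    my $proxy_dn  = "CN=ad_read,OU=Service,DC=example,DC=org";   # read-only lookup account
    my $proxy_pw  = $session->config( "ldap_proxy_password" );   # assumed key set in another cfg.d file

    # Never forward an empty password: AD treats an empty-password simple bind
    # as an unauthenticated bind and reports success, which would log anyone in.
    return undef unless defined $password && length $password;

    my $ldap = Net::LDAP->new( $ldap_host,
        version => 3,
        verify  => 'require',   # refuse the connection unless the cert chains to $cafile
        cafile  => $cafile,
    );
    unless( defined $ldap )
    {
        print STDERR "LDAP connect error: $@\n";
        return undef;
    }

    # 1. Look the account up with the read-only proxy account.
    my $mesg = $ldap->bind( $proxy_dn, password => $proxy_pw );
    if( $mesg->code )
    {
        print STDERR "LDAP proxy bind error: " . $mesg->error . "\n";
        $ldap->unbind;
        return undef;
    }

    # Escape before interpolating: a username such as "*" must match nothing,
    # not turn into a wildcard that widens the filter.
    my $safe_user = escape_filter_value( $username );
    my $result = $ldap->search(
        base      => $base,
        scope     => "sub",
        filter    => "(&(objectClass=user)(sAMAccountName=$safe_user))",
        attrs     => [ 'sn', 'givenName', 'mail', 'department' ],
        sizelimit => 1,
    );
    my $entr = $result->code ? undef : $result->pop_entry;
    unless( defined $entr )
    {
        # Not in AD: allow the local EPrints password for "admin" accounts only.
        $ldap->unbind;
        my $user = EPrints::DataObj::User::user_with_username( $session, $username );
        return undef unless defined $user && $user->get_type eq "admin";
        return $session->get_database->valid_login( $username, $password ) ? $username : undef;
    }

    # 2. Prove the password by binding as the user's own DN on the same
    #    connection (a new bind replaces the proxy session).
    $mesg = $ldap->bind( $entr->dn, password => $password );
    if( $mesg->code )
    {
        print STDERR "$username: authentication failed: " . $mesg->error . "\n";
        $ldap->unbind;
        return undef;
    }
    $ldap->unbind;

    # 3. Create or refresh the local EPrints user record from AD attributes.
    my $user = EPrints::DataObj::User::user_with_username( $session, $username );
    unless( defined $user )
    {
        $user = EPrints::DataObj::User::create( $session, "user" );
        $user->set_value( "username", $username );
    }
    $user->set_value( "name", {
        family => $entr->get_value( "sn" ),
        given  => $entr->get_value( "givenName" ),
    } );
    $user->set_value( "email", $entr->get_value( "mail" ) );
    $user->set_value( "dept",  $entr->get_value( "department" ) );
    $user->commit;

    return $username;   # username on success, undef on failure
};
```

Two checks worth running before relying on a hook like this: confirm that `ldapsearch -H ldaps://... -x -D "$proxy_dn" -W` against the same CA file succeeds (a certificate that does not verify will fail the bind with only a generic "Incorrect username or password." in the EPrints UI, so watch the Apache error log where the `print STDERR` lines land), and confirm that a login attempt with an empty password is rejected.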