
[EP-tech] Inquiry on ePrints AD Authentication



Hi,

I would like to link the EPrints system to Microsoft AD for authentication. I
have referred to a few websites and configured it as advised, but it is not
working, with no error message.

The following is a script for testing the EPrints-AD connection. I tried it and it is
working; I can get the result.

********************************
#!/usr/bin/perl -w

# EPrints Services LDAP test script
use Net::LDAP;
use Net::LDAP::Constant;
use strict;

my ($user_sent) = $ARGV[0];

# Params
my $ldap_host = "ldaps://192.168.5.11"; # Active Directory server on example.org domain
my $bind_dn = "cn=Tarc Admin;cn=users,DC=tarc,DC=edu,DC=local"; # one or more 'ou's may need to be set
my $bind_pword = "PASSWORD";
my $base = "DC=tarc,DC=edu,DC=local"; # Likely the same domain as the AD server itself

# Connect to server
my $ldap = Net::LDAP->new( $ldap_host, version => 3, port => 636 ); # Version and port may need changing

die "LDAP connect error: $@\n" unless defined $ldap;

# Try to bind
my $mesg;
if( $bind_dn eq "" && $bind_pword eq "" )
{
       $mesg = $ldap->bind; # anonymous bind
}
else
{
       $mesg = $ldap->bind( $bind_dn, password => $bind_pword );
}
die "LDAP bind error: " . $mesg->error() . "\n" if $mesg->code();

# Search for an account and get all available attributes (by not setting attrs)
$mesg = $ldap->search (
       base    => $base,
       scope   => "sub",
       filter => "sAMAccountName=$user_sent", # Most likely cn, uid or sAMAccountName
       sizelimit => 1,
);
if( $mesg->code() )
{
       print STDERR "LDAP search error: ".$mesg->error."\n";
       exit 1; # non-zero status so a failed search is visible to the caller
}

my $entr = $mesg->pop_entry;
unless( defined $entr )
{
       print STDERR "LDAP no search results returned\n";
       exit 1;
}

# See what attributes are set for this user
print $entr->dump;

$ldap->unbind;
********************************

I have configured the following authentication script (taken from
https://wiki.eprints.org/w/LDAP); it always shows "Incorrect username or
password." although the AD login and password are correct.

********************************
=pod

# Please see http://wiki.eprints.org/w/User_login.pl
# $c->{check_user_password} = sub {
#       my( $repo, $username, $password ) = @_;
#
#       ... check whether $password is ok
#
#       return $ok ? $username : undef;
#};

$c->{check_user_password} = sub {
  my( $session, $username, $password ) = @_;

  # Kerberos authentication for "user", "editor" and "admin" types (roles)

  use Net::LDAP; # IO::Socket::SSL also required
  use Authen::Krb5::Simple;
  use Authen::SASL;

  # LDAP tunables
  my $ldap_host = "ldaps://192.168.5.11";
  my $base      = "OU=TARUC,DC=tarc,DC=edu,DC=local";
  my $proxy_user ="ad_read";
  my $dn        = "CN=$proxy_user,$base";

  # Kerberos tunables
  my $krb_host = "192.168.5.11";

  my $krb         = Authen::Krb5::Simple->new(realm => $krb_host);
  unless ( $krb )
  {
        print STDERR "Kerberos error: $@\n";
        return 0;
  }

  my $ldap      = Net::LDAP->new ( $ldap_host );
  unless( $ldap )
  {
      print STDERR "LDAP error: $@\n";
      return 0;
  }

  my $sasl = Authen::SASL->new(
         mechanism => 'GSSAPI',
         callback => { user => 'ad_read' }
       ) or die "$@";

  my $mesg = $ldap->bind(sasl => $sasl);

  if( $mesg->code() )
  {
      print STDERR "LDAP Bind error: " . $mesg->error() . "\n";
      return 0;
  }

  # Distinguished name (and attributes needed later on) for this user
  my $result = $ldap->search (
      base    => "$base",
      filter  => "(&(sAMAccountName=$username))",
      attrs   =>  ['1.1', 'uid', 'sn', 'givenname', 'mail', 'department', 'title'],
      sizelimit=>1
  );

  my $entr = $result->pop_entry;
  unless( defined $entr )
  {
      # Allow local EPrints authentication for admins (accounts not found in LDAP)
      my $user = EPrints::DataObj::User::user_with_username( $session, $username );
      return 0 unless $user;

      my $user_type = $user->get_type;
      if( $user_type eq "admin" )
      {
          # internal authentication for "admin" type
          return $session->get_database->valid_login( $username, $password );
      }
      return 0;
  }

  # Check password
  if( !$krb->authenticate( $username, $password ) )
  {
        print STDERR "$username authentication failed: ", $krb->errstr(), "\n";
      return 0;
  }

  # Does account already exist?
  my $user = EPrints::DataObj::User::user_with_username( $session, $username );
  if( !defined $user )
  {
      # New account
      $user = EPrints::DataObj::User::create( $session, "user" );
      $user->set_value( "username", $username );
  }

  # Set metadata
  my $name = {};
  $name->{family} = $entr->get_value( "sn" );
  $name->{given} = $entr->get_value( "givenName" );
  $name->{honourific} = $entr->get_value( "title");
  $user->set_value( "name", $name );
  $user->set_value( "username", $username );
  $user->set_value( "email", $entr->get_value( "mail" ) );
  $user->set_value( "dept", $entr->get_value("department")  );
  $user->commit();

  $ldap->unbind if $ldap;

  return 1;
};

=cut

# Maximum time (in seconds) before a user must log in again
# $c->{user_session_timeout} = undef;

# Time (in seconds) to allow between user actions before logging them out
# $c->{user_inactivity_timeout} = 86400 * 7;

# Set the cookie expiry time
# $c->{user_cookie_timeout} = undef; # e.g. "+3d" for 3 days

********************************

Please advise where it went wrong. FYI, I am not familiar with Perl.

Thank you very much for your help.


Regards,
Lee Yeat Yee
CIT Centre
Tunku Abdul Rahman University College
Tel: 03-41450123 ext 3511
Fax: 03-41438980

-- 

The content in this e-mail and any attachments are intended solely for the 
addressee or addressees and any disclosure of such contents to other 
parties is unauthorized, not condoned by the TAR UC and may be unlawful. If 
you are not the intended recipient, please delete the message and any 
attachments and notify the sender. No undertaking, guarantee or other 
obligation contained in this e-mail shall be binding upon the TAR UC unless 
confirmed in writing under our letterhead. Any views and or representations 
expressed by any individual within this e-mail shall not be deemed as 
reflecting the stand of the TAR UC. All liabilities arising as a result of, 
or consequential upon any cyber security breach, including but not limited 
to computer viruses, is excluded to the fullest extent permissible by law.
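As an added example (not the author's configuration and not EPrints project code), a check_user_password that verifies the password by binding to AD as the user over LDAPS, with the username escaped before it reaches the filter and empty passwords refused, which AD would otherwise treat as an anonymous bind and accept. Perl treats everything between =pod and =cut as documentation, so a sub placed there, as in the block quoted above, is never compiled; this one is meant to sit in cfg.d/user_login.pl outside any POD section, and its host, base DN, proxy account, password and CA file path are placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw( escape_filter_value );

# Hypothetical values: host, base DN, proxy account, its password and the
# CA file are placeholders for this example, not a real deployment.
my $LDAP_HOST = "ldaps://192.168.5.11";
my $BASE_DN   = "DC=tarc,DC=edu,DC=local";
my $PROXY_DN  = "CN=ad_read,OU=TARUC,DC=tarc,DC=edu,DC=local";
my $PROXY_PW  = "PASSWORD";                 # better read from a mode-0600 file
my $CA_FILE   = "/etc/ssl/certs/ad-ca.pem"; # CA that issued the DC certificate

$c->{check_user_password} = sub {
    my( $repo, $username, $password ) = @_;
    # AD answers a simple bind with an empty password as an anonymous bind
    # and reports success, so an empty password must be rejected up front.
    return undef unless defined $password && length $password;
    return undef unless defined $username && length $username;

    # verify => 'require' makes IO::Socket::SSL check the DC certificate
    # against $CA_FILE rather than accepting any certificate.
    my $ldap = Net::LDAP->new( $LDAP_HOST, version => 3,
                               verify => 'require', cafile => $CA_FILE );
    unless( defined $ldap )
    {
        print STDERR "LDAP connect error: $@\n";
        return undef;
    }
    # Look the user up with the read-only proxy account.
    my $mesg = $ldap->bind( $PROXY_DN, password => $PROXY_PW );
    if( $mesg->code )
    {
        print STDERR "LDAP proxy bind error: " . $mesg->error . "\n";
        $ldap->unbind;
        return undef;
    }
    # Escape the username so it cannot change the structure of the filter.
    my $filter = "(&(objectClass=user)(sAMAccountName="
               . escape_filter_value( $username ) . "))";
    $mesg = $ldap->search( base => $BASE_DN, scope => "sub",
                           filter => $filter, attrs => ['1.1'], sizelimit => 1 );
    my $entry = $mesg->pop_entry;   # undef for an unknown user or a search error

    # Prove the password by binding as the user's own DN; an unknown user and
    # a wrong password give the same result, so neither can be told apart.
    my $ok = defined $entry && !$ldap->bind( $entry->dn, password => $password )->code;
    $ldap->unbind;
    return $ok ? $username : undef;
};
```

Returning the username on success and undef on failure matches the template comment shown at the top of the quoted configuration.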

