Authentication LDAP/Active Directory

Good Morning
I’m setting up phplist version 3.6.8 and the client is asking me to authenticate via Active Directory so I can manage administrators. I found a plugin that does this (or so it seems) but it is very old, and when I install it from the graphical interface phplist returns an error 500.

@mgraps Ensure that the php LDAP extension is enabled.

Hi @duncanc ,
thanks for your reply.
I am trying to configure this plugin https://github.com/digital-me/phplist-plugin-ldap but unfortunately there is little documentation. I have put all the parameters in the phplist config.php and I would expect to log in with the domain user, but instead it remains on a blank page. Are there any logs? Do you have any suggestions?
I’m confused by these lines:

$ldap_all_user_pattern = "(uid=__LOGIN__)";
$ldap_all_user_uid_attribute = "uid";

what should I enter?

@mgraps I guessed it might be that plugin. I have looked at it and there is some outdated code that causes a php fatal error.
I have forked the repository and made some changes - removing the outdated code and simplifying other code. You can try that version by installing from

https://github.com/bramley/phplist-plugin-ldap/archive/phplist_authenticate.zip

I don’t know much about LDAP so don’t know the difference between $ldap_all_user_xxx and $ldap_matching_user_xxx variables

I have tested this against a public LDAP test server (Online LDAP Test Server - Forum Systems) using their users and passwords. These are the php config.php settings:

$ldap_url = "ldap://ldap.forumsys.com:389";
$ldap_auth_bind_dn = "cn=read-only-admin,dc=example,dc=com";
$ldap_auth_bind_pw = "password";
$ldap_all_user_base_dn = "dc=example,dc=com";
$ldap_all_user_pattern = "(uid=__LOGIN__)";
$ldap_all_user_uid_attribute = "uid";

If the password verification fails for that, then the plugin tries again with the $ldap_matching_user_xxx settings but I don’t really understand the distinction between these.

@duncanc thanks.

I removed the previous plugin, I imported from the link you sent me, I changed the parameters, but when I try to log in, for example, with user “riemann” and password “password” it stays on a blank page and from the browser I see error 500. Unfortunately I can’t find on the machine where that error is.
This is what I added at the end of the /lists/config/config.php file:

$ldap_enabled = 1;
$ldap_url = "ldap://ldap.forumsys.com:389";
$ldap_auth_bind_dn = "cn=read-only-admin,dc=example,dc=com";
$ldap_auth_bind_pw = "password";
$ldap_all_user_base_dn = "dc=example,dc=com";
$ldap_all_user_pattern = "(uid=__LOGIN__)";
$ldap_all_user_uid_attribute = "uid";
$ldap_all_user_is_super = 1;
$ldap_default_privs = array(
      'subscribers' => true,
      'campaigns' => true,
      'statistics' => true,
      'settings' => true
);
$ldap_matching_user_base_dn = "dc=example,dc=com";
$ldap_matching_user_pattern = "(&(uid=__LOGIN__)(|(uid=her)(uid=him)))";
$ldap_matching_user_uid_attribute = "uid";
$ldap_except_users = array('admin');

@mgraps There might be a php error log in the lists/admin directory, usually named error.log.

Also, try viewing the HTML source of the “blank” page as sometimes there can be an error message that is hidden.

Which version of php are you using?

@duncanc
Okay, I reinstalled the php-ldap module and now when I try to authenticate I get a red message saying OK; it doesn’t let me log in, but I get this result.

@mgraps Not sure that I understand what you mean. Is that trying to login to your LDAP server or the test one that I mentioned? Please show a screenshot of what has happened.

@duncanc
Yes, I’m trying to log in using the online LDAP server for my test.

@duncanc
Okay, I found it. I thought the plugin did user provisioning as well, but instead it just does authentication.

@duncanc
Hello, this part of the PHP isn’t working for me.

if (strval(strtolower($myResult[0])) == $login) {

  // see if there is an existing record
  $admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id from %s where loginname = "%s"',
    $GLOBALS["tables"]["admin"],addslashes($login)));

  // if not found, then we create it
  if (!$admindata) {
    // create a new record
    if (! $ldap_default_privs) {
      $ldap_default_privs = array(
        'subscribers' => true,
        'campaigns' => true,
        'statistics' => true,
        'settings' => true
      );
    }
    Sql_Query(sprintf('insert into %s (loginname,namelc,created,privileges) values("%s","%s",now(),"%s")',
      $tables["admin"],addslashes($login),addslashes($login),sql_escape(serialize($ldap_default_privs))));
    $id = Sql_Insert_Id();
    $admindata = Sql_Fetch_Array_Query(sprintf('select password,disabled,id from %s where loginname = "%s"',
      $GLOBALS["tables"]["admin"],addslashes($login)));
  }

@mgraps That is when the $ldap_all_user_pattern matches. The plugin creates a phplist admin if one does not already exist.

The second set of fields $ldap_matching_user_pattern does not do that. If the LDAP authentication is successful then the login is rejected if there is not an existing phplist admin.

I guess that the $ldap_all_user_pattern is failing but the $ldap_matching_user_pattern is then successful.

@duncanc
I confirm that it seems so to me too. Unfortunately I can’t fix the problem with the plugin.
I’m analyzing the ldapAuth.php file but I don’t understand what’s wrong.

@duncanc
I found the problem!
When the plugin tried to create the new user it ran the query:

insert into phplist_admin (loginname,namelc,created,privileges) values("user","user",now(),"a:4:{s:11:\"subscribers\";b:1;s:9:\"campaigns\";b:1;s:10:\"statistics\";b:1;s:8:\"settings\";b:1;}")

I then tested the query by logging into mysql locally and running the query and this is the result:

insert into phplist_admin (loginname,namelc,created,privileges) values("user","user",now(),"a:4:{s:11:\"subscribers\";b:1;s:9:\"campaigns\";b:1;s:10:\"statistics\";b:1;s:8:\"settings\";b:1;}");
ERROR 1364 (HY000): Field 'email' doesn't have a default value

I set the default value of the column to NULL and the query started working, and the users are created automatically.

@mgraps Thanks. I think there must be a strict mysql database setting because in my testing that query was successful. I will modify the plugin code to fix this.

Update: when I tried your SQL query it was successful but had a warning.


@duncanc
In my case there was an error.
Now I am trying to allow login only for people in a certain group; the plugin is impractical, though.

@mgraps I don’t know enough about LDAP to know how to filter on belonging to a particular group. Do you have an example of a filter that you think should work?
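As an added example (not code from phplist-plugin-ldap or from either poster), this is the login flow that the $ldap_all_user_xxx settings in this thread describe, and it also shows how a group-restricted pattern would look for the question just above: the read-only bind account searches with the login substituted for __LOGIN__, then the DN that was found is bound with the user's own password. The group-restricted pattern uses the Active Directory attributes memberOf and sAMAccountName; the group DN in it is a constructed placeholder, and the login is escaped with ldap_escape before substitution, which is an added safeguard rather than something the plugin is known to do.

```php
<?php
// Added example, not code from phplist-plugin-ldap: the two-step login the
// config.php values in this thread describe. The service account searches for
// the login name; the user's password is then checked by a second bind as the
// DN that was found. The login is escaped before replacing __LOGIN__.
$ldap_url                    = "ldap://ldap.forumsys.com:389";
$ldap_auth_bind_dn           = "cn=read-only-admin,dc=example,dc=com";
$ldap_auth_bind_pw           = "password";
$ldap_all_user_base_dn       = "dc=example,dc=com";
$ldap_all_user_pattern       = "(uid=__LOGIN__)";
$ldap_all_user_uid_attribute = "uid";
// Group-restricted variant for Active Directory (memberOf / sAMAccountName are
// standard AD attributes; the group DN below is a constructed placeholder):
// $ldap_all_user_pattern = "(&(sAMAccountName=__LOGIN__)"
//     . "(memberOf=CN=phplist-admins,OU=Groups,DC=example,DC=com))";
// $ldap_all_user_uid_attribute = "sAMAccountName";

/** Returns the lower-cased uid attribute of the authenticated user, or null. */
function ldapAuthenticate(string $login, string $password): ?string
{
    global $ldap_url, $ldap_auth_bind_dn, $ldap_auth_bind_pw,
        $ldap_all_user_base_dn, $ldap_all_user_pattern, $ldap_all_user_uid_attribute;

    if ($login === '' || $password === '') {
        return null; // an empty password would succeed as an anonymous bind
    }
    $conn = ldap_connect($ldap_url);
    if ($conn === false) { return null; }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // 1. bind as the read-only service account so the directory can be searched
    if (!@ldap_bind($conn, $ldap_auth_bind_dn, $ldap_auth_bind_pw)) { return null; }

    // 2. look up the user; LDAP_ESCAPE_FILTER neutralises ( ) * \ and NUL in $login
    $filter = str_replace('__LOGIN__', ldap_escape($login, '', LDAP_ESCAPE_FILTER), $ldap_all_user_pattern);
    $res = @ldap_search($conn, $ldap_all_user_base_dn, $filter, [$ldap_all_user_uid_attribute]);
    if ($res === false || ldap_count_entries($conn, $res) !== 1) {
        return null; // reject ambiguous results as well as misses
    }
    $entry = ldap_first_entry($conn, $res);
    $dn    = ldap_get_dn($conn, $entry);
    $vals  = ldap_get_values($conn, $entry, $ldap_all_user_uid_attribute);
    $uid   = is_array($vals) ? $vals[0] : null;

    // 3. rebind as the user; only a correct password makes this succeed
    $ok = @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return ($ok && $uid !== null) ? strtolower($uid) : null;
}

var_dump(ldapAuthenticate('riemann', 'password')); // user/password from the thread's test server
```

Against the Forum Systems test server the uid-based pattern is the one to use, since that directory has no memberOf attribute; the commented AD pattern only applies to a real Active Directory.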