[PATCH] LDAP Bind Authentication

Discussion for TimeTrex open source community developers.
joel
Posts: 11
Joined: Tue Dec 22, 2009 2:06 pm

[PATCH] LDAP Bind Authentication

Post by joel »

The attached patch implements LDAP Bind Authentication using the Net_LDAP2 PHP module. It includes sample configuration and modifies the install/setup code to assist in a proper install.

The code is written such that users with timetrex accounts can be verified against an LDAP directory. If verification fails, it falls through to the traditional timetrex password authentication.

A github repo with these changes can be found here: http://github.com/joelwreed/TimeTrex/tree/ldap
Attachment: LDAP-Bind-Authentication.txt (patch, 238.52 KiB)
mikeb
Posts: 709
Joined: Thu Jul 27, 2006 11:58 am

Re: [PATCH] LDAP Bind Authentication

Post by mikeb »

Thanks for posting the patch, I did a quick review and made some notes.

1. It appears to modify the installer to require NET_LDAP2 class, but this is provided in TimeTrex's bundled PEAR directory, so this requirement should always be met. Though an additional check for the proper files should occur at the time when the class is actually used, so if it ever happens to not exist LDAP authentication is gracefully skipped. The installer really shouldn't need to address this at all.

2. LDAP is only configurable on a per installation basis via the timetrex.ini.php file; we would prefer to have it configurable on a per company basis. I assume you are using TimeTrex Standard Edition, which doesn't support multiple companies in the same database, but this is important functionality for many of our customers. Basically all that is required is that the LDAP timetrex.ini.php settings need to be moved to the company table in the database. UserFactory has a getCompanyObject() function that can be used to easily obtain this information, i.e.:

$this->getCompanyObject()->getLDAPHost()
$this->getCompanyObject()->getLDAPPort()
$this->getCompanyObject()->getLDAPAuthDN()
$this->getCompanyObject()->getLDAPOnlyAuthentication()


3. Missing option to force LDAP only authentication. Many of the requests we have received for LDAP integration explicitly state the need that when an employee is terminated they want a central place to disable all their accounts, but if LDAP authentication fails and TimeTrex falls back to its own database, the employee could still be allowed in when their account is disabled. So an option to enable LDAP only authentication would be nice. Being able to differentiate between a failed connection to the LDAP server, and a failed authentication request would be nice as well, so if the LDAP server goes down it always falls back to the TimeTrex database. If force LDAP authentication is enabled the Forgot Password functionality will likely need to be disabled for all users in that company, and directed to a message stating such.

4. Active Directory support, and more flexibility. Many applications that integrate with LDAP support quite a few different filters and settings, for example SugarCRM uses:

UserDN
Bind Attribute
User Filter
Login Attribute

They also have some group filter options, which may be overkill.

Since specifying the LDAP information through Admin -> Company -> Company Information from the web interface is needed, the options need to be as easy as possible to fill out. This pretty much rules out using %s in authdn strings.

5. LDAP over SSL/TLS support. I assume the LDAP class or PHP handles this itself as long as the encryption libraries exist.

We appreciate all patches, and yours seems to be of high quality, however in order for us to accept it into our primary tree it would need to meet all of the above requirements.
TimeTrex Community Edition is developed and supported by volunteers.
Help motivate us to continue by showing your appreciation!
joel
Posts: 11
Joined: Tue Dec 22, 2009 2:06 pm

Re: [PATCH] LDAP Bind and Search Based Authentication

Post by joel »

Mike, thanks for your feedback and encouragement.

The major update to this patch is that it now supports search based authentication as well now. I did this to support more of the options you mentioned. The ini options now are:

; Sample ldap authentication configuration
;[ldap]
;host = 127.0.0.1
;port = 389
; For bind based authentication, just provide a binddn template:
;binddn = "uid=%s,ou=people,dc=example,dc=edu"
; For search based authentication, provide the following:
;binddn = "cn=admin,dc=example,dc=edu"
;bindpw = "password"
;filter = "(mail=%s)"
;searchbase = "ou=people,dc=example,dc=edu"

A few comments to your feedback:

1. I removed the installer changes per your feedback.
2. Since I'm running TimeTrex Standard Edition as you guess, I'm not going to do the database changes at this time as there is no benefit to my customer.
3. For now, I've changed the code to force LDAP only auth. To keep the code clean and support pre php 5.3 environment I'd have to do a "do {} while (0)" with "break"'s in the code block.
4. You can use the current code to auth against AD.
5. I think you're right about the TLS/SSL but haven't tested it yet.

Patch attached or git tree here: http://github.com/joelwreed/TimeTrex/tree/ldap
Attachment: LDAP-Bind-Authentication-v2.txt (238.09 KiB)
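The decision flow behind the two ini modes above (bind template versus search-then-bind) together with mikeb's third point (telling an unreachable directory apart from a refused bind, and an LDAP-only mode), written out as an added Python example; it is not code from the patch or from TimeTrex. The directory is a constructed in-memory stand-in for a Net_LDAP2 connection, and the config loader, the escaping helpers, the DIRECTORY contents and the local password check are all assumptions. It also escapes the user name before substituting it into the binddn template or the search filter, something the ini sample itself does not address, and rejects an empty password, which a simple bind would otherwise treat as an anonymous bind.

```python
"""LDAP authentication flow modelled on the [ldap] ini options above (constructed example)."""
import configparser
import re

# Constructed samples: the ini fragment from the post with the ';' markers removed, one per mode.
SAMPLE_INI_BIND = """
[ldap]
host = 127.0.0.1
port = 389
binddn = "uid=%s,ou=people,dc=example,dc=edu"
"""
SAMPLE_INI_SEARCH = """
[ldap]
host = 127.0.0.1
port = 389
binddn = "cn=admin,dc=example,dc=edu"
bindpw = "password"
filter = "(mail=%s)"
searchbase = "ou=people,dc=example,dc=edu"
"""

def load_ldap_config(ini_text):
    """Parse the [ldap] section; interpolation is off because the values contain %s."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    cfg = {k: v.strip('"') for k, v in parser["ldap"].items()}
    cfg["mode"] = "search" if "filter" in cfg and "searchbase" in cfg else "bind"
    if cfg["mode"] == "bind" and "%s" not in cfg.get("binddn", ""):
        raise ValueError("bind mode needs a binddn template containing %s")
    return cfg

def escape_dn_value(value):
    """RFC 4514 escaping for a value placed into the binddn template."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

class LdapUnavailable(Exception):
    """The directory could not be reached (connection refused, timeout, ...)."""

class FakeDirectory:
    """Stand-in for a Net_LDAP2 connection: DN -> attributes. DNs are compared as plain strings
    and filters are limited to one literal equality test, so wildcards are not modelled."""
    def __init__(self, entries, reachable=True):
        self.entries, self.reachable = entries, reachable
    def bind(self, dn, password):
        if not self.reachable:
            raise LdapUnavailable("connection refused")
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password
    def search(self, base, filter_str):
        if not self.reachable:
            raise LdapUnavailable("connection refused")
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
        if not m:
            raise ValueError("only simple equality filters are modelled here")
        attr, value = m.group(1), unescape_filter_value(m.group(2))
        return [dn for dn, a in self.entries.items() if dn.endswith(base) and a.get(attr) == value]

DIRECTORY = {  # constructed test data
    "uid=jdoe,ou=people,dc=example,dc=edu": {"mail": "jdoe@example.edu", "userPassword": "s3cret"},
    "uid=asmith,ou=people,dc=example,dc=edu": {"mail": "asmith@example.edu", "userPassword": "hunter2"},
    "cn=admin,dc=example,dc=edu": {"userPassword": "password"},
}
LOCAL_PASSWORDS = {"jdoe": "local-pw"}   # stand-in for the TimeTrex password table

def local_check(username, password):
    return LOCAL_PASSWORDS.get(username) == password

def ldap_authenticate(cfg, directory, username, password):
    """Return "ok", "denied" or "unavailable" (the distinction asked for in the review)."""
    if not password:
        return "denied"            # an empty password would be an anonymous bind, never a login
    if directory is None:
        return "unavailable"       # LDAP library missing: skip LDAP gracefully
    try:
        if cfg["mode"] == "search":
            if not directory.bind(cfg["binddn"], cfg["bindpw"]):
                return "unavailable"   # service account misconfigured, not the user's fault
            dns = directory.search(cfg["searchbase"], cfg["filter"] % escape_filter_value(username))
            if len(dns) != 1:
                return "denied"        # no match, or an ambiguous match
            user_dn = dns[0]
        else:
            user_dn = cfg["binddn"] % escape_dn_value(username)
        return "ok" if directory.bind(user_dn, password) else "denied"
    except LdapUnavailable:
        return "unavailable"

def login(cfg, directory, username, password, local_check, ldap_only=False):
    """ldap_only=False: the patch's behaviour, any LDAP failure falls through to the local check.
    ldap_only=True: a refused bind is final; only an unreachable directory falls back."""
    result = ldap_authenticate(cfg, directory, username, password)
    if result == "ok":
        return True
    if result == "denied" and ldap_only:
        return False
    return local_check(username, password)

if __name__ == "__main__":
    cfg = load_ldap_config(SAMPLE_INI_BIND)
    print(login(cfg, FakeDirectory(DIRECTORY), "jdoe", "s3cret", local_check, ldap_only=True))
```

With ldap_only=True a user whose directory account has been disabled is refused even though a local TimeTrex password still exists, which is the termination case mikeb describes; a directory outage still falls back to the local check, as the thread proposes.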
mikeb
Posts: 709
Joined: Thu Jul 27, 2006 11:58 am

Re: [PATCH] LDAP Bind Authentication

Post by mikeb »

Thanks for taking the time to implement some of our suggestions.
joel wrote: 2. Since I'm running TimeTrex Standard Edition as you guess, I'm not going to do the database changes at this time as there is no benefit to my customer.
Obviously the choice is yours, but I would disagree with this statement.

Maintaining patches outside of the main TimeTrex tree can be time consuming and error prone (even if you are using GIT). Since you are posting the patches to the public you are giving back to the community, which is greatly appreciated, but the reality of the situation is that unless you plan on maintaining those patches for each new version they don't have that much value as soon as v3.0.5 (likely this week) of TimeTrex is released and merge conflicts start to appear.

Also, due to major changes we have coming down the pipe I can pretty much guarantee that you will need to rewrite the majority of the patch in the coming months if it's not merged into the main tree and supported by us. TimeTrex has been undergoing a major overhaul for the last two years in preparation for v4.0.

Finally it would also make upgrading a non-issue for your customer once we do finally offer LDAP support.

I assume that your customer is paying you for your time and I would imagine that your time could be much better spent doing other things rather than maintaining old patches for each new version of TimeTrex.

Modifying the database is actually extremely easy in TimeTrex and adding the necessary functions to CompanyFactory is pretty much cut and paste. I would be happy to provide you with a quick installer tutorial if you are interested in going that route. Or you could simply provide us with the SQL columns required and we can do the installer modification when we merge it into our main tree.

Again we appreciate your efforts and respect your decision either way.
joel
Posts: 11
Joined: Tue Dec 22, 2009 2:06 pm

Re: [PATCH] LDAP Bind Authentication

Post by joel »

Mike,

I hear you! All I'm saying is "not at this time". I have lots of other timetrex customizations to do and will be getting into database changes, so I'll probably revisit this patch after that.

I'm aware of the costs of maintaining these patches outside your tree and have the client's support for doing extra work to get them in, but I also have a schedule to adhere to.

Thanks again for your timely feedback. I will likely be posting many more feature additions/customizations over the next two months.

jr
mikeb
Posts: 709
Joined: Thu Jul 27, 2006 11:58 am

Re: [PATCH] LDAP Bind Authentication

Post by mikeb »

I understand your time constraints, but I just wanted to provide you with some additional information to think about.

We look forward to seeing any features that you develop for TimeTrex in the future; however, I would recommend that you mention them on the forum before starting to do any coding so we can offer suggestions and feedback, as well so you don't waste time working on something that we may already be doing. It's happened quite often that we receive patches for features that are already in our development tree.
ianchan
Posts: 2
Joined: Mon Jan 25, 2010 1:17 pm

Re: [PATCH] LDAP Bind Authentication

Post by ianchan »

How do I adjust the settings or code to have it check the TT database for user authentication if LDAP login fails?

Thanks for this patch BTW!
ianchan
Posts: 2
Joined: Mon Jan 25, 2010 1:17 pm

Re: [PATCH] LDAP Bind Authentication

Post by ianchan »

Also, the initial bind and user search are successful. However, the login is not.
pcTechs
Posts: 19
Joined: Thu Mar 18, 2010 8:00 pm

Re: [PATCH] LDAP Bind Authentication

Post by pcTechs »

Will timetrex ondemand ever have ldap / ads integration with a customer's onsite ActiveDirectory over SSL?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: [PATCH] LDAP Bind Authentication

Post by shaunw »

Perhaps at some point, however there are a lot of issues to consider, (firewalls, internet routing failures, etc...) so the practicality of it is questionable.
pcTechs
Posts: 19
Joined: Thu Mar 18, 2010 8:00 pm

Re: [PATCH] LDAP Bind Authentication

Post by pcTechs »

Yes, there would be problems.

I would feel more comfortable with a minimal 'read only' ldap / krb / ads host. Could be hosted on the customer premises or at timetrex.com.

Since we're mainly talking a list of companies and users, maybe timetrex.com ondemand would host this read-only section of openldap tables.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: [PATCH] LDAP Bind Authentication

Post by shaunw »

TimeTrex v3.1.0-rc1 has just been released which includes LDAP authentication support, I urge anyone interested in LDAP to give it a try and let us know how it works:
http://forums.timetrex.com/viewtopic.php?f=8&t=1776
pcTechs
Posts: 19
Joined: Thu Mar 18, 2010 8:00 pm

Re: [PATCH] LDAP Bind Authentication

Post by pcTechs »

Shaun, is this expected to work when apache on Linux is the webserver authenticating with the ldap part of MS Active Directory?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: [PATCH] LDAP Bind Authentication

Post by shaunw »

Yes, the LDAP support is extremely configurable and should work with Active Directory, openLDAP, and LDAP on OSX, in both bind authentication and group filter authentication modes.

Here are the different settings/filters it supports:
Server: (ie: ldap.example.com or ldaps://ldap.example.com for SSL)
Port: (ie: 389 or 636 for SSL)
Bind User Name: (Used to search for the TimeTrex-Debug user, leave blank for anonymous binding)
Bind Password:
Base DN: (ie: ou=People,dc=example,dc=com)
Bind Attribute: (For binding the LDAP user. ie: AD/openLDAP: userPrincipalName, Mac OSX: uid)
User Filter: (Additional filter parameters, ie: is_timetrex_user=1)
Login Attribute: (For searching the LDAP user. ie: AD: userPrincipalName, openLDAP: dn, Mac OSX: dn)
pcTechs
Posts: 19
Joined: Thu Mar 18, 2010 8:00 pm

Re: [PATCH] LDAP Bind Authentication

Post by pcTechs »

3rd party hosting providers and LDAP vs Kerberos Authentication.

I am more familiar with Kerberos authentication. I know that I can print to a kerberized printer without sending my password to the printer. I send a ticket request to the Kerberos Ticket Granting Server (MS Active Directory Domain Controller based on kerberos.mit.edu) and receive a Ticket that I then send to the printer. This is way way over-simplified, but the bottom line is that the _password_ is not sent to the printer.

So if your TimeTrex server runs on an untrusted 3rd party machine configured for LDAP authentication, does the user's _password_ get sent to the external hosting provider? Or does LDAP use some kind of ticket system like kerberos? If someone with the LDAP module setup could tell us if the user enters a password to the TimeTrex server? Does the TimeTrex server receive a password that could be read?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: [PATCH] LDAP Bind Authentication

Post by shaunw »

The password is entered into the TimeTrex login form before being sent to LDAP for authentication, so yes, TimeTrex receives a copy of the password that is readable by it (as it's being forwarded along), but in most cases this is sent over an encrypted HTTPS connection, and in theory should be sent over SSL to LDAP as well, which this feature does support. So it goes without saying that the TimeTrex server needs to be trusted.

Unfortunately from a security stand-point this isn't ideal when using our On-Demand service with remote LDAP authentication, but there isn't anything we can do about it. As stated a few posts earlier, the practicality of using LDAP with our On-Demand service is questionable.
shaunw wrote: Perhaps at some point, however there are a lot of issues to consider, (firewalls, internet routing failures, etc...) so the practicality of it is questionable.
If the employees are using the same passwords across different services then the chances are their TimeTrex specific password is the same as well, so in reality there isn't much difference authenticating to TimeTrex directly or to a local LDAP server when it comes to this issue.
ibrahim
Posts: 3
Joined: Wed Mar 14, 2012 7:47 am

Re: [PATCH] LDAP Bind Authentication

Post by ibrahim »

Hi Friends,

Is this correct? Please help to finish Ldap configuration

LDAP Authentication: Enabled -w/Local Fallback
Server: ldap.mydomain.com
Port: 389
Bind User Name: ????
Bind Password: ????
Base DN: ou=users,dc=mydomain,dc=com
Bind Attribute: administrator@mydomain.com
User Filter: ????
Login Attribute: ?????
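A sanity check for the settings fields shaunw listed, exercised against a configuration modelled on the half-finished one above; this is an added Python example, not TimeTrex code. The field names are shaunw's; the functions, the checks, the two sample dicts and the DN and attribute-name patterns are assumptions. It resolves Server/Port to a scheme and port so that a plain ldap:// server (which sends the bind password unencrypted, the concern raised a few posts up) is reported, rejects values in the Bind Attribute and Login Attribute fields that are not attribute names, and shows the search filter the Login Attribute and User Filter fields combine into.

```python
"""Sanity checks for the LDAP settings fields from the thread (constructed example)."""
import re
from urllib.parse import urlsplit

# RFC 4512 attribute description without options: "uid", "userPrincipalName", ...
ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
# Loose shape check for a DN: one or more "attr=value" RDNs separated by commas.
DN_SHAPE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*=[^,]+(\s*,\s*[A-Za-z][A-Za-z0-9-]*=[^,]+)*\s*$")

def parse_server(server, port=None):
    """Resolve the Server/Port fields to (scheme, host, port).

    Accepts a bare host name (treated as plain ldap://) or an ldap:// or ldaps:// URL; a port in
    the URL wins over the Port field, which wins over the scheme default (389 / 636)."""
    if "://" not in server:
        server = "ldap://" + server
    parts = urlsplit(server)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("Server must be a host name or an ldap:// or ldaps:// URL")
    resolved = parts.port or (int(port) if port else None) or (636 if scheme == "ldaps" else 389)
    return scheme, parts.hostname, resolved

def escape_filter_value(value):
    """RFC 4515 escaping for the login value substituted into the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def compose_search_filter(login_attribute, user_filter, login_value):
    """Filter for the search step: (&(<Login Attribute>=<value>)(<User Filter>))."""
    base = "(%s=%s)" % (login_attribute, escape_filter_value(login_value))
    extra = user_filter.strip()
    if not extra:
        return base
    if not extra.startswith("("):
        extra = "(%s)" % extra      # the example "is_timetrex_user=1" carries no parentheses
    return "(&%s%s)" % (base, extra)

def check_settings(settings):
    """Return the list of problems found in a settings dict keyed by shaunw's field names."""
    problems = []
    try:
        scheme, _host, port = parse_server(settings.get("Server", ""), settings.get("Port"))
    except ValueError as exc:
        return [str(exc)]
    if scheme == "ldap":
        problems.append("Server uses plain ldap://: bind passwords cross the network unencrypted; use ldaps://")
        if port == 636:
            problems.append("port 636 is the LDAPS port but Server has no ldaps:// prefix")
    if settings.get("Bind User Name") and not settings.get("Bind Password"):
        problems.append("Bind User Name is set but Bind Password is empty: the search bind would be unauthenticated")
    if not DN_SHAPE.match(settings.get("Base DN", "")):
        problems.append("Base DN does not look like a DN (expected e.g. ou=People,dc=example,dc=com)")
    for field in ("Bind Attribute", "Login Attribute"):
        value = settings.get(field, "")
        if not value or not ATTRIBUTE_NAME.match(value):
            problems.append("%s %r is not an attribute name (expected e.g. userPrincipalName or uid)" % (field, value))
    return problems

AD_SETTINGS = {  # constructed, following the Active Directory examples in the settings list
    "Server": "ldaps://ldap.example.com", "Port": "636",
    "Bind User Name": "cn=TimeTrex-Debug,ou=People,dc=example,dc=com",
    "Bind Password": "constructed-secret",
    "Base DN": "ou=People,dc=example,dc=com",
    "Bind Attribute": "userPrincipalName", "User Filter": "is_timetrex_user=1",
    "Login Attribute": "userPrincipalName",
}
PARTIAL_SETTINGS = {  # constructed, modelled on the unfinished configuration above
    "Server": "ldap.mydomain.com", "Port": "389",
    "Bind User Name": "", "Bind Password": "",
    "Base DN": "ou=users,dc=mydomain,dc=com",
    "Bind Attribute": "administrator@mydomain.com", "User Filter": "", "Login Attribute": "",
}

if __name__ == "__main__":
    for name, s in (("AD", AD_SETTINGS), ("partial", PARTIAL_SETTINGS)):
        print(name, check_settings(s) or "no problems found")
    print(compose_search_filter("userPrincipalName", "is_timetrex_user=1", "jdoe@example.com"))
```

The bind account in the Bind User Name field is deliberately not validated beyond the password pairing, since Active Directory accepts a UPN there as well as a DN; the Base DN check is only a shape check and does not prove the container exists.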