LDAP Support

Use this forum to discuss desired new features for TimeTrex
GSMD
Posts: 6
Joined: Sun Oct 22, 2006 11:53 pm

LDAP Support

Post by GSMD »

It's a common practice for enterprise-grade applications to store user accounts in LDAP.
Guess this would be a handy feature for TimeTrex Standard.
rrsIPOV
Posts: 1
Joined: Tue Dec 19, 2006 12:44 pm

Post by rrsIPOV »

This would indeed be a great improvement. I am having to have someone look into writing a script to copy LDAP entries into the DB (de-activating them should be easy enough to do by hand given the limited number of users we have).

I know there is a need to make the full version different, but the timeclock and related modules are already pretty good incentive for that.

Anyway, just thought I'd chime in.
hallmant
Posts: 3
Joined: Thu Aug 23, 2007 11:57 am

LDAP integration plans?

Post by hallmant »

Hi all,

Have there been any further discussions on LDAP integration? I just installed TimeTrex and didn't see options for it. Did I miss it? Or is it planned for a future release?

Thanks!

~Tom
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

No LDAP module has been developed yet. The demand for it is still too small for us to make it a high priority at this point.

It is in our TODO list, just closer to the bottom.
Thom
Posts: 2
Joined: Thu Aug 09, 2007 5:55 am

Post by Thom »

I'd just like to register my request for this to be added.
mbkrishna
Posts: 1
Joined: Fri Sep 21, 2007 12:08 am

LDAP Module

Post by mbkrishna »

Hi,

Please provide script for LDAP

Regards
Balu
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

Can you guys provide more details as far as the type of LDAP integration you are looking for? For example, do you want just password authentication, or complete user synchronization?

Also what type of LDAP server are you integrating with? Is it something custom made? Or is it a Windows active directory?
Thom
Posts: 2
Joined: Thu Aug 09, 2007 5:55 am

Post by Thom »

shaunw wrote: Can you guys provide more details as far as the type of LDAP integration you are looking for? For example, do you want just password authentication, or complete user synchronization?

For starters, authentication alone would be nice. Once authenticated, users would ideally have an account created for them in the db.

For users who already have accounts created, it'd be fantastic if you could do some kind of matching between the db's user name and LDAP's cn attribute.
  -- If there was a match, then set that user's LDAP account equal to the one that's already in the db.
  -- If there's no matching account in the db, then create a user account, as mentioned above.

shaunw wrote: Also what type of LDAP server are you integrating with? Is it something custom made? Or is it a Windows active directory?

I'm using Apple's OS X Server (10.4.10), which uses OpenLDAP for its directory services with a slightly modified schema. I've currently got it configured to allow anonymous access, but will likely disable that in the near future, so authenticated access would be a huge bonus.
sgrizzard
Posts: 3
Joined: Thu Nov 29, 2007 5:11 pm
Location: Los Angeles, CA

can it be setup just to use authentication passed by apache?

Post by sgrizzard »

While it would be nice for account information to be stored in ldap, it would be great if it would just do authentication against it.

You should be able to do this very easily by enabling TimeTrex to accept apache authentication, and then having TimeTrex authorize the user if they have an account. (In httpd.conf, you would set up your authentication for the TimeTrex directory, with a simple

    Require valid-user

at the end.)

Then, you could set up any authentication mechanism that apache supports (e.g., ldap, kerberos, ntlm) without having to code all of those options into the server.

This solution would still require you to maintain two separate databases for the users (ldap and timetrex), but it wouldn't require two separate password stores. It would also allow you to disable access by a user by simply disabling their account in the ldap.

Trac (http://trac.edgewall.org/) does this for their authentication/authorization, and it works very well.

The best thing about this solution is that, by using kerberos authentication through apache, you can have single sign on.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

This sounds like a good idea in theory, but HTTP basic authentication is a nightmare to work with. Just some of its issues:

1. No real support for logging out.
2. Only works when running PHP as a module, not in CGI mode. (out of the box at least)
3. Compatibility issues between browsers and web servers.
4. Poor support for error messages and custom login/logout pages.

We currently use ADODB for our database abstraction layer, and it supports LDAP, so a much better solution is simply adding a few additional columns to the company table that define the LDAP server and filter criteria, then using that directly for authentication.
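As an added illustration of the approach in the post above (example code, not TimeTrex's or ADODB's), this PHP function authenticates a user against an LDAP server described by per-company settings. The column names (ldap_uri, ldap_base_dn, ldap_filter, ldap_bind_dn, ldap_bind_pw) are assumptions; the two checks a practitioner would want are there: the username is escaped before it enters the search filter, and an empty password is rejected so the bind can never degrade into an anonymous one.

```php
<?php
// Added example, not TimeTrex code. The $company array stands in for the
// extra company-table columns shaunw describes; its keys are assumptions.

/**
 * Authenticate $username / $password against a company's LDAP server.
 * Returns the matched user DN on success, null on any failure (fail closed).
 */
function ldap_authenticate(array $company, string $username, string $password): ?string
{
    // An empty password turns a simple bind into an anonymous or unauthenticated
    // bind, which many servers accept. Refuse it before contacting the server.
    if ($username === '' || $password === '') {
        return null;
    }

    // Escape the username so characters such as '*', '(' and ')' cannot change
    // the meaning of the filter, e.g. '(&(objectClass=person)(uid=%s))'.
    $safe_user = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter    = sprintf($company['ldap_filter'], $safe_user);

    $conn = ldap_connect($company['ldap_uri']);   // e.g. 'ldaps://ldap.example.com'
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with a read-only service account to locate the user's DN.
    if (!@ldap_bind($conn, $company['ldap_bind_dn'], $company['ldap_bind_pw'])) {
        ldap_unbind($conn);
        return null;
    }
    $result  = ldap_search($conn, $company['ldap_base_dn'], $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    if ($entries['count'] !== 1) {      // zero or ambiguous matches: deny
        ldap_unbind($conn);
        return null;
    }
    $user_dn = $entries[0]['dn'];

    // Re-bind as the user; only a correct password makes this succeed.
    $ok = @ldap_bind($conn, $user_dn, $password);
    ldap_unbind($conn);
    return $ok ? $user_dn : null;
}
```

Requires PHP's ldap extension; ldap_escape() is available from PHP 5.6.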
sgrizzard
Posts: 3
Joined: Thu Nov 29, 2007 5:11 pm
Location: Los Angeles, CA

Post by sgrizzard »

LDAP support would be nice (especially for the user data), but what I really want is Kerberos authentication.

We are deploying TimeTrex as part of our corporate intranet (along with Subversion, Trac, and a web-groupware client that has yet to be determined), and I want to use Kerberos to authenticate the whole thing.

As I understand it, Apache authentication is the only way to get that done. I currently have it working for Trac and Subversion (though Trac is not aware of other users in the system, so that causes a headache), and I wanted to add timetrex to that same system with single-sign-on.
shaunw wrote: 1. No real support for logging out.

This is the one that gives me pause too. Is there some way to end authenticated sessions for apache?

shaunw wrote: 2. Only works when running PHP as a module, not in CGI mode. (out of the box at least)
3. Compatibility issues between browsers and web servers.
4. Poor support for error messages and custom login/logout pages.

Aside from the error messages, I don't really care about the rest of these. I control the web browsers the clients are using, and the server they use it on.

Here is my thought (though I don't know as much as I should about php sessions):
  * When a user visits the site, check first for a server authentication variable (I think it is called $_SERVER['PHP_AUTH_USER']).
  * If there is no username passed, or if that user is not in the database, send back an error page that says "Automatic Login not working blah blah blah, please click the button below to log in manually".
  * When you click the button, it sends a new login request to apache, using a different form of authentication (mod_authnz_ldap for example), and pulls this username to log in.
  * If login is unsuccessful, go back to the error page.
  * Allow the logout button where it normally is, but when it is clicked, it sends you back to the same error page as before (but with different text) to let people log in as a different user.
Anyway, it's just a thought. I'm not really looking for TimeTrex to turn around and add such an unpolished system to its product. I just thought someone could post a hack on how to do it if you are interested. Frankly, if an admin really wants to do this, then they should have to hack it themselves.

I think you can get around the php-cgi authentication problem by running one script in module mode. I found this solution on another forum:
http://blog.dreamhosters.com/kbase/index.cgi?area=2933
(If you want to keep some of the same functionality of running PHP as an Apache Module with a PHP-CGI enabled account, you can put the following line in your .htaccess file:

    AddType application/x-httpd-php .foo

Anything with a .foo extension in your site directory will be run against the PHP Apache Module, so you'll have access to proper $_SERVER variables and certain php apache_* functions.)
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

Yes, that's the problem with HTTP authentication, it's all hacks.

There are "hacks" that try to fake a "logout" but I haven't seen any that truly work. Most can be fooled with a simple cookie modification or the "back" button. Session timeouts are another issue altogether. Since TimeTrex stores sensitive information, especially if you are using it for payroll, this is just unacceptable from a security standpoint.

For CGI mode, there are "hacks" for it too, but that's not something we want to get into for an application that needs to be installed in less than 5 clicks.

Anyways, PHP does support both LDAP and Kerberos authentication, it's just a matter of doing the work to get it there. I don't think it would take much, but as mentioned earlier in this thread the demand is simply too small at this point to warrant spending a lot of time on.

We're happy to assist other people though, and in fact we have heard of at least one company that has added LDAP support, unfortunately they haven't been willing to share their code yet.
mcube
Posts: 8
Joined: Sun May 25, 2008 5:56 am

Windows Active Directory integration would be great to start

Post by mcube »

Currently just integrating with LDAP for authentication would be great. It is difficult to convince the end-user that there is one more application for which they need to remember a username and password.
jbussert
Posts: 5
Joined: Wed Jun 11, 2008 2:43 pm
Location: Charlotte, NC

LDAP

Post by jbussert »

Yea... I would like to see LDAP support as well... Integrating with Windows Active Directory. All the fields could be pulled automatically from the LDAP to fill in the User's information as far as name and address goes.
aeltalkhawy
Posts: 18
Joined: Sat Oct 25, 2008 10:59 pm

Post by aeltalkhawy »

What about CAS (Single Sign-On Server)?

As we have many systems in our intranet (Timetrex, Wordpress, Wikimedia, mail server ... etc.) we wanted to add Single Sign-On support, so the user signs on once, and only once, with a password that is stored in LDAP, and whenever he accesses any of our intranet systems he doesn't have to log in again. This simplifies the user account management activities and provides a centralized repository for user accounts (LDAP).

So we have used a CAS server integrated with LDAP (OpenLDAP) to do so for Timetrex.

So after applying the modifications to Timetrex, the login and logout processes became as follows:

1 - When the user tries to log in to Timetrex, if he was logged in before then Timetrex will work as usual.

2 - If he wasn't logged in before, the user will be directed to the CAS secured login page (with SSL and digital certificates).

3 - If the user enters a valid username and password (the ones in LDAP), the CAS server will set this user as a logged-in user and redirect him back to Timetrex, which gets us back to step 1.

4 - If the user has no account in LDAP, the CAS server will show him an error page.

5 - When the user wants to log out within Timetrex, Timetrex will redirect him to the CAS logout page, which will handle the logout process and redirect the user to a predetermined page.

I didn't submit the code as I don't know if this disagrees with the forum's policies or not.

So if anyone is interested in that modification please let me know.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

Feel free to email the modifications to support@timetrex.com if you want it to be considered for integration into the main TimeTrex branch.
aeltalkhawy
Posts: 18
Joined: Sat Oct 25, 2008 10:59 pm

Post by aeltalkhawy »

I have sent the code to support@timetrex.com as you requested.

I hope you will mention our contribution as "gpmehosting.com" in return.

Will wait to see that modification in the next release.
letoatrads
Posts: 1
Joined: Tue Dec 16, 2008 7:15 am

Adding my voice....

Post by letoatrads »

Timetrex looks like a great product; I am currently testing it in my local office and may roll it out corporate wide. As we have about 400 users, that could be somewhat cumbersome without LDAP support, so that will certainly play a role in the decision making process.

Thanks for a great looking product.
epritchett
Posts: 1
Joined: Tue Dec 16, 2008 5:40 pm

Post by epritchett »

We're looking into a time clock currently with LDAP integration. If TimeTrex had this feature we'd be sold already. This is what we want to accomplish:

USER - User goes to wall mounted TimeTrex biometric reader and scans their finger. A friendly screen comes up with the users name, some brief info on their current status (whether they're checked in or out and the time of that event) and whether they would like to check in or out.

ADMIN - Admin sets up ldap info similar to openfire (open source jabber IM server found at http://www.igniterealtime.org ... in fact, that will have good info and plus it's open source so you may be able to use some of the source code). From there the interface is very similar to openfire where the admin can add groups to the database. This will give all the users in that group the ability to sign on the timeclock. If the user can't authenticate with AD then the user can't clock in/out.

CHALLENGE - From a web point of view it seems like there wouldn't be any issues, but from the stand-alone machine itself it would be hard to enter users' AD passwords on a keypad that only has numbers. The remedy for this would be to offer the option to have an additional numeric password for that machine and/or just a fingerprint check.

Please feel free to ask me any questions, but count this as my support for this feature. Really we would just want LDAP Authentication, but you can do some neat things if you went further.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Post by shaunw »

If LDAP integration is the only road block to purchasing TimeTrex, I highly recommend that you talk to our sales department.

Customers constantly come to us with custom development requirements that our sales people are often able to work into the agreement without too many problems. Depending on the size or the order there may or may not be additional costs as well.

It will be even easier if multiple customers approach us at the same time with the same requirements.
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP Support

Post by shaunw »

Recently there has been some more discussion about this and the consensus has turned to implementing OpenID support rather than having to deal with all the other non-standard and more complex authentication schemes (LDAP, Active Directory, Kerberos, etc...).

The great thing about OpenID is that you can easily set up an OpenID server within your organization that essentially acts as a proxy to authenticate off your chosen method (LDAP, Active Directory, Kerberos).

OpenID is being used with some of the largest sites on the internet and has really taken off over the last couple years, so this approach seems to make the most sense.

What do people looking for LDAP/Active Directory support think about this?
shaunw
Posts: 7839
Joined: Tue Sep 19, 2006 2:22 pm

Re: LDAP Support

Post by shaunw »

TimeTrex v3.1.0-rc1 has just been released which includes LDAP authentication support, I urge anyone interested in LDAP to give it a try and let us know how it works:
http://forums.timetrex.com/viewtopic.php?f=8&t=1776