Ticket #496 (new Feature Request) — at Initial Version

Opened 12 years ago

Last modified 11 years ago

Support Windows Server 2003 Active Directory LDAP Authentication

Reported by: scott [at] scottbarasch [dot] com Owned by:
Priority: high Milestone: WifiDog Auth Server 1.0
Component: Auth server, Authentication, permissions and access control Version:
Keywords: active directory, LDAP, Windows Server 2003, authenticator Cc:


I submitted a ticket regarding a bug fix for this problem on April 1, 2008. Seeing as how this has not been fixed with the LDAP Authenticator Class, and after doing a bit more research, I decided to submit a feature request for a new Authenticator Package for Active Directory Authentication using Windows Server 2003 Active Directory.

The current version of the LDAP Auth mechanism for the wifidog-auth server does not support / is not compatible with Windows Server 2003 Active Directory implementations of LDAP. Since AD is a specialized implementation of LDAP, it requires an extra parameter or so to be compliant.

I have read that people have gotten the LDAP in Wifidog to work using AD, but I am not entirely sure if this is using Windows NT Server, Windows 2000 Server or Windows Server 2003. Each uses a slightly different implementation of LDAP. I believe that the Windows Server 2003 and Windows Server 2008 implementations of LDAP are the same.

If Windows Server 2003 AD authentication were enabled, this product could be more widely used in the corporate environment. It would also be very helpful in creating an SSO for some network admins and programmers who run their own Lab network out of their basement (Like myself ;) )

A bind with AD can be anonymous or authenticated, and can be a bind and search, or a bind with the current user account that is logging in. This bind ideally should not require an Admin level service account.

This sort of thing has been done before in PHP as part of the Joomla 1.5 CMS base framework. If you need sample code, please look at that open source project (www.joomla.org).

This would also allow for more centralized managed authentication for a wireless network, and the ability to enforce a security policy such as number of bad logins, and the length, and complexity of a password (AD Handles all of this).

The fields should include:

* An AD Server DNS Hostname / IP
* Port on that server (389 is default for non-SSL connection)
* SSL or non-SSL connection
* Service account Full DN (ideally this should be any user, and not an admin account)
* Service account password
* Base DN in AD Domain schema for searchable accounts to login with
* Attribute mapping within AD that is used as username (usually this is sAMAccountName for just the username)

Please document in the source code where these parameters are, so that when the users construct the parameters for the constructor, they know what to place, and in what field, and in what order. (This is not currently present in the LDAP Authenticator class)

If you need a testbed Windows Server 2003 AD Server, I can provide a single account for testing purposes on my lab network. Just email me, and I'll set you up with a non-admin account, if you can't find alternate means of testing the code.
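As an added illustration (not WifiDog or Joomla code) of the bind-and-search flow the ticket describes, the function below takes the seven fields listed above as documented constructor-style parameters and uses PHP's ext/ldap, since the auth server is written in PHP. The parameter names, the sample base DN and the StartTLS fallback are assumptions; it needs a reachable AD server to run.

```php
<?php
// Bind-and-search against Active Directory with a low-privilege service account.
// Parameter order follows the field list in the ticket (assumed names).
function ad_authenticate(
    string $host,       // AD server DNS hostname or IP
    int    $port,       // 389 for plain LDAP, 636 for LDAPS
    bool   $useSsl,     // true = ldaps://, false = ldap:// upgraded with StartTLS
    string $serviceDn,  // full DN of the (non-admin) service account
    string $servicePw,  // service account password
    string $baseDn,     // e.g. "OU=Users,DC=lab,DC=example" (constructed value)
    string $userAttr,   // attribute holding the login name, usually sAMAccountName
    string $username,   // value typed by the user at the portal
    string $password    // password typed by the user at the portal
): bool {
    // AD answers a bind with an empty password as a successful *anonymous* bind,
    // so an empty password must be rejected before it ever reaches the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect(($useSsl ? 'ldaps://' : 'ldap://') . $host . ':' . $port);
    if ($conn === false) {
        return false;
    }
    // AD requires LDAPv3; not chasing referrals avoids spurious failures when
    // AD points the client at another domain controller.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!$useSsl && !@ldap_start_tls($conn)) {
        return false;  // refuse to send credentials in the clear
    }
    // Step 1: bind as the service account so the user's DN can be looked up.
    if (!@ldap_bind($conn, $serviceDn, $servicePw)) {
        return false;
    }
    // Escape the user-supplied name so it cannot rewrite the search filter.
    $filter = sprintf('(&(objectClass=user)(%s=%s))',
        $userAttr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($conn, $baseDn, $filter, ['dn']);
    $entries = $result === false ? false : ldap_get_entries($conn, $result);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return false;  // unknown or ambiguous account
    }
    // Step 2: re-bind as the user; AD enforces lockout and password policy here.
    $ok = @ldap_bind($conn, $entries[0]['dn'], $password);
    ldap_unbind($conn);
    return $ok;
}
```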
