Ticket #543 (reopened Feature Request)

Opened 10 years ago

Last modified 8 years ago

Patch: Authentication Class for Windows Active Directory

Reported by: Scott E. Barasch
Owned by:
Priority: high
Milestone: WifiDog Auth Server 1.0
Component: Auth server, Other
Version: Auth Server SVN
Keywords: Active Directory, Windows Server 2003, LDAP
Cc:

Description (last modified by sbarasch)

This class, when added to the /Classes/Authenticators directory in the auth server, will be automatically populated into the authenticator selection dropdown box within the networks page (in admin mode) of the auth server. I have personally been able to just rename the current ldap authenticator to another temporary name, and rename the Authenticator for Active Directory to be the old name for the ldap authenticator. This class has been tested on my Windows Server 2003 / 2008 AD environment, and works. You may have to edit the domain controller security policy to the setup defaults, if you have enabled a strict group policy on this policy.

Attachments

AuthenticatorActiveDirectory.php.txt (12.6 KB) - added by benoitg 10 years ago.
Attached the file so it isn't lost
AuthenticatorLDAP.php (16.6 KB) - added by Scott Barasch <wifidog-dev@…> 6 years ago.
Added Active Directory group-based ACL capability to the current implementation.

Change History

Changed 10 years ago by Scott(at)scottbarasch[dot]com

I couldn't upload this file using the file upload (Invalid spam error), so here is a link to it: http://external.scottbarasch.com/wifidog/AuthenticatorActiveDirectory.php.txt

Changed 10 years ago by benoitg

Attached the file so it isn't lost

Changed 10 years ago by benoitg

  • summary changed from I'd like to submit an Authentication Class for Windows Active Directory to Patch: Authentication Class for Windows Active Directory

Changed 9 years ago by jodoreps

  • version set to Gateway 20090925
  • description modified

Changed 8 years ago by sbarasch

  • status changed from new to closed
  • resolution set to fixed
  • description modified

Changed 8 years ago by sbarasch

  • description modified
  • reporter changed from Scott E. Barasch ( scott[at]scottbarasch(dot)com ) to Scott E. Barasch

Changed 8 years ago by networkfusion

  • version changed from Gateway 20090925 to Auth Server SVN

Changed 8 years ago by networkfusion

  • status changed from closed to reopened
  • resolution fixed deleted

Changed 8 years ago by mikevan

Just wanted to add the following important details.

1. If you want this to work with AD then you MUST replace the current wwwroot\wifidog-auth\wifidog\classes\Authenticators\AuthenticatorLDAP.php with the php file above (remember to remove the .txt)

2. You must also have the following string set up as in this example in the Authenticator Parameters:

'default-network','127.0.0.1','cn=serviceAccount,ou=WifidogUsers,dc=yourcompany,dc=com','password','ou=WifidogUsers,dc=yourcompany,dc=com','sAMAccountName'

Changed 8 years ago by Scott E. Barasch

That is correct. You must also rename the file above to AuthenticatorLDAP.php when replacing said file. It is also important to note that this class was tested with a Server 2003 Active Directory, where the domain and domain controller security policy were set to the "default setup" template. I noticed at a later date that if the domain controller security policy (if your web server is on a 2003 domain controller) or domain security policy (all other cases) was set to a default template that is more locked down than the "setup security" template, there will likely be problems with authentication. If you are implementing this class in an AD environment with enhanced security or Windows Server 2008 security templates (which you _should_ be doing, for security's sake) you are going to need to examine your security policy, and figure out how to tweak it to work with this authenticator class.

Changed 6 years ago by Scott Barasch <wifidog-dev@…>

Added Active Directory group-based ACL capability to the current implementation.
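
The following is an added example and is not code from the ticket's attachments or from the WifiDog project. It shows the two things the comments above describe in working PHP: authenticating a user against Active Directory with the parameter layout mikevan quotes (the order network id, server, bind DN, bind password, base DN, username attribute is assumed from that comment), and enforcing a group-based ACL as in the later attachment. The function name, the group DN and the placeholder values are hypothetical; the `ldap_*` calls and the AD matching-rule OIDs are standard.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example, not WifiDog's AuthenticatorLDAP.php).
 * $p follows the assumed parameter order:
 *   [network, server, bind DN, bind password, base DN, username attribute]
 * Returns the user's DN on success, null on any failure. If $groupDn is given,
 * the user must be a (possibly nested) member of that group.
 */
function adAuthenticate(array $p, string $username, string $password, ?string $groupDn = null): ?string
{
    [, $server, $bindDn, $bindPw, $baseDn, $attr] = $p;

    // An empty password turns ldap_bind() into an *unauthenticated* bind, which
    // AD accepts and reports as success. Refuse it before touching the server.
    if ($username === '' || $password === '') {
        return null;
    }

    // Prefer ldaps:// in production; plain ldap:// to 127.0.0.1 (web server on
    // the DC, as in the quoted parameters) is the one case that stays on-host.
    $conn = ldap_connect("ldap://$server");
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for other forest partitions; chasing them with the
    // service-account credentials fails or hangs, so disable it.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

    // 1. Bind as the service account to look the user up.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_unbind($conn);
        return null;
    }

    // 2. Escape every user-supplied value in the filter (otherwise "*" or
    //    ")(objectClass=*" in the username is LDAP injection). The bitwise-AND
    //    matching rule 1.2.840.113556.1.4.803 on userAccountControl bit 2
    //    (ACCOUNTDISABLE) keeps disabled accounts from ever reaching the bind.
    $filter = sprintf(
        '(&(objectClass=user)(%s=%s)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))',
        $attr,
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    if ($groupDn !== null) {
        // LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941, Server 2003 SP2+)
        // resolves nested membership server-side; a plain memberOf comparison
        // only sees direct members.
        $filter = sprintf(
            '(&%s(memberOf:1.2.840.113556.1.4.1941:=%s))',
            $filter,
            ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)
        );
    }

    $res = @ldap_search($conn, $baseDn, $filter, ['dn'], 0, 2);
    // Exactly one match, or nothing: never bind as "whichever entry came first".
    if ($res === false || ldap_count_entries($conn, $res) !== 1) {
        ldap_unbind($conn);
        return null;
    }
    $userDn = ldap_get_dn($conn, ldap_first_entry($conn, $res));
    if ($userDn === false) {
        ldap_unbind($conn);
        return null;
    }

    // 3. Re-bind as the user: this is the actual password check.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}

// Usage with the parameter string quoted above (placeholder values; the
// group DN is a hypothetical example).
$params = ['default-network', '127.0.0.1',
           'cn=serviceAccount,ou=WifidogUsers,dc=yourcompany,dc=com', 'password',
           'ou=WifidogUsers,dc=yourcompany,dc=com', 'sAMAccountName'];
$dn = adAuthenticate($params, $_POST['username'] ?? '', $_POST['password'] ?? '',
                     'cn=WifidogUsers,ou=Groups,dc=yourcompany,dc=com');
echo $dn === null ? "denied\n" : "allowed as $dn\n";
```

The two checks worth keeping even if the rest is adapted to the project's own class: the empty-password refusal (AD treats an empty password as an unauthenticated bind and returns success) and `ldap_escape()` on anything that came from the login form. The hardened security templates Scott mentions typically tighten LDAP signing and channel-binding requirements on the DC, which is the point at which a plain `ldap://` bind from a non-DC web server starts failing; moving to `ldaps://` or `ldap_start_tls()` is the usual fix rather than relaxing the policy.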
