Authentication using Active Directory
From WebCalendar Wiki
To authenticate WebCalendar with Active Directory you need a Windows user in the domain and must modify the file user-ldap.php.
user-ldap.php
Set the LDAP protocol to version 3:
$set_ldap_version = true;
$ldap_version = '3'; // (usually 3)
Set the base DN to the directory with the users:
$ldap_base_dn = 'CN=Users,DC=contoso,DC=com';
The login attribute must be set to samaccountname:
$ldap_login_attr = 'samaccountname';
Set the DN and the password of the webcalendar domain user:
$ldap_admin_dn = 'CN=webcalendar,CN=Users,DC=contoso,DC=com'; // user DN
$ldap_admin_pwd = 'webcalendar'; // user password
Set the DN of the administrators group and change the group type to group and the group attribute to member:
$ldap_admin_group_name = 'CN=Domain-Admins,CN=Users,DC=contoso,DC=com';
$ldap_admin_group_type = 'group';
$ldap_admin_group_attr = 'member';
Set the user filter to (objectclass=user):
$ldap_user_filter = '(objectclass=user)';
Add samaccountname and displayname to the user attributes:
$ldap_user_attr = array (
  // LDAP attribute   //WebCalendar variable
  'samaccountname',   //login
  'sn',               //lastname
  'givenname',        //firstname
  'displayname',      //fullname
  'mail'              //email
);
Since Active Directory returns the values in UTF-8, you must modify the functions user_load_variables() and user_get_users() to decode the values with utf8_decode():
function user_load_variables ( $login, $prefix ) {
[...]
$GLOBALS[$prefix . 'firstname'] = utf8_decode ( $info[0][$ldap_user_attr[2]][0] );
$GLOBALS[$prefix . 'lastname'] = utf8_decode ( $info[0][$ldap_user_attr[1]][0] );
$GLOBALS[$prefix . 'email'] = utf8_decode ( $info[0][$ldap_user_attr[4]][0] );
$GLOBALS[$prefix . 'fullname'] = utf8_decode ( $info[0][$ldap_user_attr[3]][0] );
[...]
function user_get_users ( $publicOnly=false ) {
[...]
'cal_login' => utf8_decode ( $info[$i][$ldap_user_attr[0]][0] ),
'cal_lastname' => utf8_decode ( $info[$i][$ldap_user_attr[1]][0] ),
'cal_firstname' => utf8_decode ( $info[$i][$ldap_user_attr[2]][0] ),
'cal_email' => utf8_decode ( $info[$i][$ldap_user_attr[4]][0] ),
'cal_is_admin' => user_is_admin ($info[$i][$ldap_user_attr[0]][0],$Admins),
'cal_fullname' => utf8_decode ( $info[$i][$ldap_user_attr[3]][0] )
[...]
Active Directory also expects the DN paths in UTF-8!
You must therefore either save the file user-ldap.php in UTF-8 (without BOM) or use the function utf8_encode to encode the DN paths:
$ldap_admin_group_name = utf8_encode('CN=Domain-Admins,CN=Users,DC=contoso,DC=com');
That's all! :-)
Edit By Rémi :
I have to modify this line too, for admin authentication:
Line 231 :
$GLOBALS[$prefix . 'is_admin'] = user_is_admin ($info[0][$ldap_user_attr[3]][0],get_admins ());
Line 449 :
'cal_is_admin' => user_is_admin ($info[$i][$ldap_user_attr[3]][0],$Admins),
Because authentication tries to compare “full name” against “samaccountname”!
To allow Active Directory Search from a root dc
That is, searching from dc=test,dc=com instead of cn=users,dc=test,dc=com.
This tends to happen when you use separate OUs at the root for different groups of users. Source: http://blog.redbranch.net/2008/05/php-ldap-search-root-of-active.html
Basically, you need to add:
ldap_set_option($ds, LDAP_OPT_REFERRALS,0);
Before:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
In user-ldap.php, I found two instances to change:
function user_valid_login ( $login, $password ) {
...
ldap_set_option($ds, LDAP_OPT_REFERRALS,0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
And:
function connect_and_bind () {
...
ldap_set_option($ds, LDAP_OPT_REFERRALS,0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
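The settings from this page combined into one search-then-bind login check, as an added example that is not WebCalendar's own code. The host name, the function names build_login_filter() and ad_valid_login(), the environment variable and the use of StartTLS are assumptions; the root base DN uses the contoso.com domain from the first section.

```php
<?php
// Added example, not WebCalendar code. Host, function names and env variable are assumptions.
$ldap_host        = 'ldap://dc1.contoso.com';   // hypothetical domain controller
$ldap_version     = 3;
$ldap_base_dn     = 'DC=contoso,DC=com';        // domain root instead of CN=Users
$ldap_login_attr  = 'samaccountname';
$ldap_user_filter = '(objectclass=user)';
$ldap_admin_dn    = 'CN=webcalendar,CN=Users,DC=contoso,DC=com';
$ldap_admin_pwd   = getenv('WEBCAL_LDAP_PWD') ?: ''; // assumption: secret kept out of the file

// Build "(&(samaccountname=<login>)(objectclass=user))". ldap_escape() makes
// * ( ) \ and NUL in the login match literally instead of altering the filter.
function build_login_filter($login) {
    global $ldap_login_attr, $ldap_user_filter;
    $value = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    return '(&(' . $ldap_login_attr . '=' . $value . ')' . $ldap_user_filter . ')';
}

function ad_valid_login($login, $password) {
    global $ldap_host, $ldap_version, $ldap_base_dn, $ldap_login_attr,
           $ldap_admin_dn, $ldap_admin_pwd;
    // A simple bind with an empty password is an unauthenticated bind and
    // may succeed, so reject empty credentials before contacting the server.
    if ($login === '' || $password === '') return false;
    $ds = ldap_connect($ldap_host);
    if (!$ds) return false;
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);   // needed for searches from the root DN
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap_version);
    $ok = false;
    // Assumption: the DC offers StartTLS, so no password crosses the network in clear text.
    if (@ldap_start_tls($ds) && @ldap_bind($ds, $ldap_admin_dn, $ldap_admin_pwd)) {
        $sr   = @ldap_search($ds, $ldap_base_dn, build_login_filter($login),
                             array($ldap_login_attr));
        $info = $sr ? ldap_get_entries($ds, $sr) : false;
        // Accept only an unambiguous match, then verify the password by binding as that user.
        $ok = $info && $info['count'] === 1
              && @ldap_bind($ds, $info[0]['dn'], $password);
    }
    ldap_unbind($ds);
    return (bool) $ok;
}

// Constructed logins: the filter builder runs offline, without a directory.
foreach (array('jdoe', '*', 'jdoe)(objectclass=*') as $sample) {
    echo $sample, ' => ', build_login_filter($sample), "\n";
}
```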
