Forum OpenACS Q&A: LDAP authentication

And welcome to the community!

talli

Read about it here

As far as LDAP in Tcl, well, this might be of some interest:

This is about adding a command to the Tcl interpreter so you can get access to the LDAP C library.

There's a Tcl shared library for LDAP on this page of LDAP software

And, just in case someone forgot about this, the ACS has an LDAP module too: see it here

(I don't know the licensing issues, etc., though this was done a while ago, so perhaps it would be GPL'd or whatever the original ACS license was?)

This message from openldap.org suggests that there is Tcl LDAP code from a guy at Neosoft (though when I looked through all the packages the LDAP packages seemed to be for Tcl 7.6, etc. and not the one this guy was talking about.

In any case, it does seem like there is some stuff out there to do LDAP with Tcl.

This looks like a very nice high level ldap api, with connection pooling as well. I better re-install openldap and give it a whirl. Thanks Oscar!

proc_doc -public ldap_auth_user { email password } {
    Returns 1 if the password field matches the password stored
    in the ldap directory and 0 otherwise.

    @param email is the users email address
    @param password is the users password
} {
    set lh [ns_ldap gethandle ldap]
    
    set result [ns_ldap search $lh -scope subtree "o=Universidad Galileo" "(mail=$email)" userpassword]

    # we don't need an ldap handle anymore
    ns_ldap releasehandle $lh

    set n [llength $result]

    if {$n != 1} {
        # multiple matches so can't authenticate
        return 0
    }

    set r [lindex $result 0]

    array set ra $r
    if [empty_string_p [array names ra "userpassword"]] {
        # no userpassword attribute so return false
        return 0
    }
    # now it's safe to do this
    set crypt_password [lindex $ra(userpassword) 0]

    regexp "{(.*)}(.*)" $crypt_password foo cypher ldap_password
    if ![string compare $cypher "crypt"] {
        if [regexp "$1$(.*)$(.*)" $ldap_password foo salt hash] {
            if ![string compare $ldap_password [ob_md5 $password $salt]] {
                return 1
            } else {
                # the passwords don't match
                return 0
            }
        } else {
            # if it doesn't look like FreeBSD's MD5 stuff it should
            # be standard crypt
            # the salt is in the first two letters
            if ![string compare $ldap_password [ns_crypt $password [string range $ldap_password 0 1]]] {
                # we have a winner
                return 1
            }
            return 0
        }
    } else {
        # unknown cypher (I only support crypt) so log it
        ns_log Notice "ldap-api: unknown cypher $cypher"
        return 0
    }
    # this should not be reached
    ns_log "ldap-api: end of function reached something funny going on"
    return 0
}

I would write the code to do this (I think it's fairly simple)
but I've got a lot of other stuff to do right now. I guess in
a couple of weeks I could look into this.

Yes, it's been running on production machines since january 9 2002.

Is it thread-safe, robust, production-quality?

It is thread safe, robust and production-quality. The only weird thing is that it uses pools (like the db module) and thus it can't bind dynamically as a specific user. This could be a problem if people want to use ldap binding as an authentication method (as opposed to using a priviledged account on the LDAP and checking the users's password).

I have some ideas for implementing the ldap bind call as a user api, but haven't had time to implement it. If there's interest I could probably do it in a couple of days (but I can't start working on it for at least a couple of weeks since I'm in the process of relocating)...

Regards,

-Oscar

It happens when I've restarted the LDAP server :)

/Lars