Validate User account on AD

I would like to authenticate the user credentials against our AD.

Let's say there is a user xxx@y.com created in Xibo. Whenever the user attempts to log in, the password should be authenticated against the AD details.

It’s not possible in the current stable version.

1.8 has support for authenticating via SAML which you can then integrate with Active Directory.

Thank you Alex. Can you please point me to instructions for upgrading to 1.8 on IIS?

1.8 isn’t released for production use yet.

Hello, I'm on 1.7.8. When I switch to 1.8, must I buy the Android licence again?
For now I'm not in production, so I can also wait for 1.8 to integrate user accounts.

Hello mouserin, I think the licences for the Android boxes are specific to the Android player version and not the CMS version. If your version is still compatible with CMS 1.8 (which I believe it should be), you don't need to purchase new licences.

Android is licenced per major version - so currently you would be purchasing 1.7 series licences.

When you come to upgrade to 1.8 series CMS, you will need to purchase an upgrade licence for your Xibo for Android devices. Once in 1.8 series, you can then upgrade to any release within that series at no charge.

There is no obligation to upgrade your CMS from 1.7 to 1.8 series however - only if you want to use the new features and fixes therein.

Well, I was able to enforce validating user creation using LDAP by editing

I added

// Validation
// LDAP variables
$ldaphost = "ldap.forumsys.com:389"; // your ldap server and port number

// Connecting to LDAP (AD and most modern servers require protocol version 3)
$ldapconn = ldap_connect($ldaphost)
    or die("Could not connect to host");
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

// search user in /Admin/IT/Users
$dn = "dc=example,dc=com";

// escape the user-supplied name so it cannot change the meaning of the filter
$filter = "(uid=" . ldap_escape($this->userName, '', LDAP_ESCAPE_FILTER) . ")";
$attr = array("memberof");
$result = ldap_search($ldapconn, $dn, $filter, $attr) or exit("Unable to search LDAP server");
$entries = ldap_get_entries($ldapconn, $result);
$datastatus = $entries["count"];
// exactly one directory entry must match the user being created
if ($datastatus !== 1)
    return $this->SetError(__('cannot validate user on Active Directory'));

to the top of the add function in userdata.data.class.php.
I am hoping I can write a similar function around function login in module.user.general.php to enable authentication.

I think I got this to authenticate via AD using this:

Change function login in module.user.general.php:

function login($username, $password)
{
    $db =& $this->db;

    Kit::ClassLoader('userdata');

    // Active Directory server
    $ldap_host = "ldap.forumsys.com:389";

    // Active Directory DN
    $ldap_dn = "dc=example,dc=com";

    // An empty password is sent as an unauthenticated (anonymous) bind, which
    // many directories accept, so reject it before talking to LDAP at all
    if ($password === '') {
        setMessage(__('Username or Password incorrect'));
        return false;
    }

    // connect to active directory
    $ldap = ldap_connect($ldap_host)
        or die("Couldn't connect to LDAP Server");
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    // build the bind DN from the escaped username so it cannot inject extra RDNs
    $dn = "uid=" . ldap_escape($username, '', LDAP_ESCAPE_DN) . "," . $ldap_dn;

    // verify user and password
    if (@ldap_bind($ldap, $dn, $password)) {
        $dbh = PDOConnect::init();
        $sth = $dbh->prepare('SELECT UserID, UserName, UserPassword, UserTypeID FROM `user` WHERE UserName = :userName');
        $sth->execute(array('userName' => $username));
        $rows = $sth->fetchAll();

        // the AD account must also exist as a Xibo user, otherwise $rows[0] is undefined
        if (count($rows) !== 1) {
            setMessage(__('Username or Password incorrect'));
            return false;
        }
        $userInfo = $rows[0];
    }
    else {
        setMessage(__('Username or Password incorrect'));
        return false;
    }

    // there is a result so we store the userID in the session variable
    $_SESSION['userid'] = Kit::ValidateParam($userInfo['UserID'], _INT);
    $_SESSION['username'] = Kit::ValidateParam($userInfo['UserName'], _USERNAME);
    $_SESSION['usertype'] = Kit::ValidateParam($userInfo['UserTypeID'], _INT);

    // Set the User Object
    $this->usertypeid = $_SESSION['usertype'];
    $this->userid = $_SESSION['userid'];

    // update the db
    // write out to the db that the logged in user has accessed the page
    $SQL = sprintf("UPDATE user SET lastaccessed = '" . date("Y-m-d H:i:s") . "', loggedin = 1 WHERE userid = %d", $_SESSION['userid']);

    $db->query($SQL) or trigger_error(__('Can not write last accessed info.'), E_USER_ERROR);

    // Switch Session ID's
    global $session;
    $session->setIsExpired(0);
    $session->RegenerateSessionID(session_id());

    return true;
}

Add your extra security checks as you please.

But you must have created one of the AD users as admin before editing, because your old admin won't have access anymore.
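The two snippets above build the bind DN and the search filter directly from the login name and bind straight away with whatever password arrives. The following is an added example (not the poster's code and not part of Xibo) of the search-then-bind pattern usually recommended for Active Directory: a read-only lookup account finds the user's real DN, and only then is a bind attempted with the user's password. It assumes PHP 7 or later with the ldap extension, an AD schema where the login name is sAMAccountName, and the hypothetical host, base DN and lookup account in the constants, which you would replace with your own values.

```php
<?php
// Added example, not Xibo code. Directory settings below are assumptions:
const LDAP_URI     = 'ldaps://ldap.example.com';                        // hypothetical host, LDAPS so the password is never sent in clear
const LDAP_BASE_DN = 'dc=example,dc=com';
const LDAP_BIND_DN = 'cn=xibo-lookup,ou=services,dc=example,dc=com';    // hypothetical read-only lookup account
const LDAP_BIND_PW = 'change-me';

/**
 * Build the search filter for a login name. The name is escaped so input such
 * as "*)(sAMAccountName=*" becomes an inert literal instead of widening the filter.
 */
function buildUserFilter(string $username): string
{
    return '(&(objectClass=person)(sAMAccountName='
        . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . '))';
}

/**
 * Return true only if exactly one directory entry matches $username and
 * $password binds as that entry. Every failure returns the same false so the
 * caller (and therefore the login page) cannot distinguish "unknown user"
 * from "wrong password".
 */
function ldapAuthenticate(string $username, string $password): bool
{
    // An empty password is transmitted as an unauthenticated bind, which many
    // directories treat as a successful anonymous bind: fail it up front.
    if ($username === '' || $password === '') {
        return false;
    }

    $ldap = ldap_connect(LDAP_URI);
    if ($ldap === false) {
        return false;
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD referrals otherwise break the search

    // Step 1: bind with the lookup account, never with user-controlled values.
    if (!@ldap_bind($ldap, LDAP_BIND_DN, LDAP_BIND_PW)) {
        ldap_unbind($ldap);
        return false;
    }

    // Step 2: find exactly one entry for the login name and take its real DN.
    // '1.1' asks the server for no attributes; only the DN is needed.
    $result = @ldap_search($ldap, LDAP_BASE_DN, buildUserFilter($username), ['1.1']);
    if ($result === false || ldap_count_entries($ldap, $result) !== 1) {
        ldap_unbind($ldap);
        return false;
    }
    $entry  = ldap_first_entry($ldap, $result);
    $userDn = ldap_get_dn($ldap, $entry);

    // Step 3: bind as the DN the directory returned, with the supplied password.
    // This bind is the actual credential check.
    $ok = @ldap_bind($ldap, $userDn, $password);
    ldap_unbind($ldap);
    return $ok;
}

// Offline demonstration of the escaping step: a crafted login name is turned
// into a harmless literal rather than rewriting the filter.
echo buildUserFilter('*)(sAMAccountName=*'), PHP_EOL;

// Usage inside a login handler would be:
//   if (ldapAuthenticate($username, $password)) { /* look up the Xibo user row as above */ }
```

Keeping the Xibo user lookup after a successful `ldapAuthenticate()` preserves the poster's requirement that the AD account also exist in the CMS; the difference is that the DN never has to be guessed from the username, and a directory that allows anonymous binds can no longer be talked into accepting a blank password.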

Hello Babatunde_Ahmed,
can you tell me in which folder you found/edited the files "userdata.data.class.php" and "module.user.general.php"?
I'm not sure what I'm doing wrong, but I'm not able to find either file.

Hello Jannis, sorry this is coming late. This solution was for the 1.7 version, and you can easily search for these files in the whole project folder.

Alex, can you send me the info to authenticate users with AD? I'm using the version 1.8.2 CMS.

You need Active Directory Federation Services running to act as a SAML IdP.

Once you have that, you can connect Xibo to it as documented in the manual:
https://xibo.org.uk/manual-tempel/en/users_saml.html

Alex,
Is there a way to set a password as expired or, perhaps, force the user to change their password at first logon?

If you’re using SAML then Xibo has no role in the password at all. It’s totally up to your IdP to enforce any password age, complexity etc requirements.

If you’re not using SAML, then no, Xibo doesn’t have ways to force password changes. It does have a complexity check so you can ensure users set sensibly complex passwords, to whatever rule you want to enforce.