soln: Allowing authentication with LDAP from multiple OUs.

jctong
TestLink user
Posts: 2
Joined: Thu Feb 14, 2008 9:38 pm


Post by jctong »

For TestLink 1.71

I had the requirement to provide a way to authenticate a user from a different OU while still preserving the current OU used for authentication that is already working. Company policy didn't allow for a dummy account to be created in the same OU branch that we used for authentication purposes.

First, verify that your TestLink authentication through LDAP is already working. If it is, then we can proceed to modify config.inc.php:
$g_ldap_root_dn = 'OU=Workers,DC=company,DC=com';
to
$g_ldap_root_dn = 'OU=some_other_OU,DC=company,DC=com';

and verify that it works for the account belonging to "some_other_OU".

If this step works, then we are ready to proceed to the final step that allows authentication from both branches.

1. modify: config.inc.php
Revert the change to g_ldap_root_dn, so authentication is done using the original OU, "Workers".
Create a new variable, g_ldap_root_dn2, like so:
$g_ldap_root_dn2 = 'OU=some_other_OU,DC=company,DC=com';

2. modify: ./lib/functions/ldap_api.php
look for: function ldap_authenticate( $p_login_name, $p_password ) {

and add the following highlighted code:
(I basically copy/pasted the original code that tests for authentication again and included a test to make sure that the user hasn't been authenticated successfully yet: "if(!$t_authenticated->status_ok){")
Sorry, I have very limited knowledge of PHP and LDAP, so I chose the more verbose way to make this work.

This method can be extended to work with additional OUs; just repeat the steps as needed.

[code]
function ldap_authenticate( $p_login_name, $p_password ) {

        # if password is empty and ldap allows anonymous login, then
        # the user will be able to login, hence, we need to check
        # for this special case.
        if ( is_blank( $p_password ) ) {
                return false;
        }

        $t_ldap_organization    = config_get( 'ldap_organization' );
        $t_ldap_root_dn         = config_get( 'ldap_root_dn' );

        # escape LDAP filter metacharacters in the login name where
        # ldap_escape() is available (PHP >= 5.6), so a crafted name
        # cannot change the meaning of the search filter
        $t_username             = function_exists( 'ldap_escape' )
                                  ? ldap_escape( $p_login_name, '', LDAP_ESCAPE_FILTER )
                                  : $p_login_name;
        $t_ldap_uid_field       = config_get( 'ldap_uid_field', 'uid' ) ;
        $t_search_filter        = "(&$t_ldap_organization($t_ldap_uid_field=$t_username))";
        $t_search_attrs         = array( $t_ldap_uid_field, 'dn' );
        $t_connect              = ldap_connect_bind();

        # result object: assume failure until a bind succeeds
        $t_authenticated = new stdClass();
        $t_authenticated->status_ok   = false;
        $t_authenticated->status_code = ERROR_LDAP_AUTH_FAILED;

        if ( !is_null( $t_connect->handler ) )
        {
                $t_ds = $t_connect->handler;

                # Search for the user id in the primary OU
                $t_sr   = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
                $t_info = ( $t_sr !== false ) ? ldap_get_entries( $t_ds, $t_sr ) : false;

                if ( $t_info ) {
                        # Try to authenticate to each until we get a match
                        for ( $i = 0 ; $i < $t_info['count'] ; $i++ ) {
                                $t_dn = $t_info[$i]['dn'];

                                # Attempt to bind with the DN and password
                                if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
                                        $t_authenticated->status_ok = true;
                                        break; # Don't need to go any further
                                }
                        }
                }

                #hack to allow authentication from a different OU
                if ( !$t_authenticated->status_ok ) {
                        # release the first search result before searching again
                        if ( $t_sr !== false ) {
                                ldap_free_result( $t_sr );
                        }
                        $t_ldap_root_dn = config_get( 'ldap_root_dn2' );

                        # Search for the user id in the second OU
                        $t_sr   = ldap_search( $t_ds, $t_ldap_root_dn, $t_search_filter, $t_search_attrs );
                        $t_info = ( $t_sr !== false ) ? ldap_get_entries( $t_ds, $t_sr ) : false;

                        if ( $t_info ) {
                                # Try to authenticate to each until we get a match
                                for ( $i = 0 ; $i < $t_info['count'] ; $i++ ) {
                                        $t_dn = $t_info[$i]['dn'];

                                        # Attempt to bind with the DN and password
                                        if ( @ldap_bind( $t_ds, $t_dn, $p_password ) ) {
                                                $t_authenticated->status_ok = true;
                                                break; # Don't need to go any further
                                        }
                                }
                        }
                }
                #end of hack to allow authentication from a different OU

                if ( $t_sr !== false ) {
                        ldap_free_result( $t_sr );
                }
                ldap_unbind( $t_ds );
        }
        else
        {
                # could not connect/bind to the directory at all
                $t_authenticated->status_code = $t_connect->status;
        }
        return $t_authenticated;
}
[/code]
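Added example, not from jctong's post and not TestLink's own code: the same idea generalised to a list of search bases, so extending to a third or fourth OU means adding an entry to an array rather than copy/pasting the block again. It also escapes the login name before it goes into the filter, frees each search result, and re-binds the service account after a failed user bind. The names ldap_build_user_filter, ldap_authenticate_in_bases and $g_ldap_root_dns, the service-account DN and the host are assumptions; it needs PHP 5.6 or later for ldap_escape() and a reachable directory to actually bind.

```php
<?php
// Added example, not TestLink code: one search loop over any number of base DNs,
// replacing the copy/pasted block per OU. Function and config names are assumed.
// Requires the ldap extension and PHP >= 5.6 (ldap_escape).

// Assumed config: search bases in priority order (the original OU first).
$g_ldap_root_dns = array(
    'OU=Workers,DC=company,DC=com',
    'OU=some_other_OU,DC=company,DC=com',
);

/**
 * Build the user search filter with the login name escaped, so characters
 * such as '*', '(' or ')' in the supplied name cannot widen the match.
 * $p_organization is an optional extra filter clause, e.g. '(objectClass=person)'.
 */
function ldap_build_user_filter($p_login_name, $p_uid_field = 'uid', $p_organization = '')
{
    $t_user = ldap_escape($p_login_name, '', LDAP_ESCAPE_FILTER);
    return "(&{$p_organization}({$p_uid_field}={$t_user}))";
}

/**
 * Try $p_password against every entry matching $p_filter under each base DN
 * in turn. $p_ds is an LDAP link already bound with the service account;
 * $p_rebind is a callable that re-binds that account, because a failed
 * ldap_bind() leaves the link anonymous and later searches would then run
 * with anonymous rights. Returns the DN that bound, or null.
 */
function ldap_authenticate_in_bases($p_ds, array $p_base_dns, $p_filter, $p_password, $p_rebind = null)
{
    // An empty password would turn the bind into an anonymous bind, which
    // most directories accept; refuse it up front exactly as TestLink does.
    if ($p_password === '') {
        return null;
    }
    foreach ($p_base_dns as $t_base_dn) {
        $t_sr = @ldap_search($p_ds, $t_base_dn, $p_filter, array('dn'));
        if ($t_sr === false) {
            continue;   // base missing or unreadable: try the next one
        }
        $t_info = ldap_get_entries($p_ds, $t_sr);
        ldap_free_result($t_sr);
        if ($t_info === false) {
            continue;
        }
        for ($i = 0; $i < $t_info['count']; $i++) {
            $t_dn = $t_info[$i]['dn'];
            if (@ldap_bind($p_ds, $t_dn, $p_password)) {
                return $t_dn;
            }
            if ($p_rebind !== null) {
                call_user_func($p_rebind, $p_ds);   // restore service-account rights
            }
        }
    }
    return null;
}

// Usage sketch; host, service account and passwords are placeholders.
$t_ds = ldap_connect('ldap://ldap.company.example');
ldap_set_option($t_ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$t_rebind = function ($ds) {
    return ldap_bind($ds, 'CN=svc_testlink,OU=Service,DC=company,DC=com', 'SERVICE-PASSWORD');
};
$t_rebind($t_ds);
$t_filter = ldap_build_user_filter('jdoe', 'sAMAccountName');
$t_dn = ldap_authenticate_in_bases($t_ds, $g_ldap_root_dns, $t_filter, 'USER-PASSWORD', $t_rebind);
echo $t_dn === null ? "authentication failed\n" : "authenticated as $t_dn\n";
ldap_unbind($t_ds);
```

Order matters in $g_ldap_root_dns: the first base that yields a successful bind wins, so keep the OU you trust most first, and make the service account's search rights on each base explicit rather than relying on anonymous access.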