#1 2008-04-18 13:21:27

xabib
Member
Registered: 2008-04-18
Posts: 11

Active Directory restriction

Good morning.

I'm having problems authenticating users against a w2k3 Domain through LDAP. If the user can log in on any machine of the domain, there is no problem authenticating. However, every user in my domain can only log in to their own machine (User preferences/account/log in form). If the user can't log in on every machine, an error is thrown. It says "user not found or found many users". If I change the user to be able to log in on every machine, it works. It doesn't work even if the user that tries to log in to GLPI is located at the machine he is allowed to use.


#2 2008-04-18 16:32:35

xabib
Member
Registered: 2008-04-18
Posts: 11

Re: Active Directory restriction

I've been doing some research with WireShark and found a problem googling the results.

http://64.233.183.104/search?q=cache:Jg … cd=2&gl=es

It seems that when using simple auth the machine that gets compared is the DC, so that if the DC is not in the "allowed machines to log in" form, it can't log into GLPI. If I add the DC into the "allowed machines list" I can log in without problems. However, that's not the solution I would like to use...

#3 2008-04-22 17:40:24

xabib
Member
Registered: 2008-04-18
Posts: 11

Re: Active Directory restriction

Is there any possibility of this being fixed, or is the problem PHP or OpenLDAP related?

#4 2008-04-23 13:28:34

xabib
Member
Registered: 2008-04-18
Posts: 11

Re: Active Directory restriction

From what I've seen in the code, you are using the simple authentication method (http://www.openldap.org/doc/admin24/security.html) through the ldap_bind method from PHP. The way for this to work in an environment with users who have restricted machines on which they can log in would be to use SASL (http://www.php.net/manual/en/function.l … l-bind.php) using the Kerberos V mechanism.
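An added example, not part of the original thread or of GLPI's code: when Active Directory rejects a simple bind, the bind response carries a diagnostic string whose hexadecimal `data` field is a Win32 logon error code, and `531` is the workstation restriction discussed in this thread. The function names and the sample strings below are constructed for illustration.

```python
import re

# Win32 logon error sub-codes that Active Directory embeds (as hex) in the
# diagnostic text of a failed LDAP bind (resultCode 49, invalidCredentials).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "logon not permitted at this time",
    0x531: "logon not permitted from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")

def classify_bind_failure(diagnostic):
    """Return (subcode, meaning); subcode is None if no AD data field is present."""
    match = _DATA_RE.search(diagnostic)
    if not match:
        return None, "unrecognised diagnostic"
    code = int(match.group(1), 16)  # the data field is hexadecimal
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def is_workstation_restriction(diagnostic):
    """True when the bind was refused by the account's allowed-workstations list."""
    return classify_bind_failure(diagnostic)[0] == 0x531

# Constructed sample diagnostics (DSID and trailing version values are made up).
SAMPLES = [
    "80090308: LdapErr: DSID-0C090000, comment: AcceptSecurityContext error, data 531, v0000",
    "80090308: LdapErr: DSID-0C090000, comment: AcceptSecurityContext error, data 52e, v0000",
    "80090308: LdapErr: DSID-0C090000, comment: AcceptSecurityContext error, data 775, v0000",
    "Can't contact LDAP server",
]

def triage(samples):
    """Map each diagnostic to its meaning so restricted accounts stand out."""
    return [classify_bind_failure(s)[1] for s in samples]

if __name__ == "__main__":
    for line, meaning in zip(SAMPLES, triage(SAMPLES)):
        print(f"{meaning:45s} <- {line}")
```

Run over bind failures collected from a capture or an application log, this separates accounts blocked by the workstation list from genuine bad-password failures, which a generic login error does not distinguish.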
