TOPIC: Help with 2.05+ single sign on

Help with 2.05+ single sign on 3 months 2 weeks ago #111559

  • Concordia
Hello,

I have LimeSurvey set up using LDAP.
But I have to create a LimeSurvey user with the same name as an AD (Active Directory) user account.

I do not want to have to create a user with the same name as an AD user each time... :silly:

I would like to specify the OU and have all those within the OU be able to log in as Survey Administrators.

Please Help!
The following user(s) said Thank You: Yaron

Help with 2.05+ single sign on 3 months 2 weeks ago #111623

  • Yaron
I got the same problem.
The documentation tells us to add one account that exists in the AD.
I can sign into this account using my AD password. Since I am not able to sign into any other AD account, I assume we need to add every single user manually. If this is the case the LDAP plugin is useless for us.

Are we doing something wrong or is the case above true?

Thanks for clarification!
Yaron
The following user(s) said Thank You: Concordia

Help with 2.05+ single sign on 3 months 1 week ago #111646

  • Concordia
This post was made, but never addressed.

This post was made recently, but I was unable to replicate it on my Windows environment. I don't know if it works.

It should be documented somewhere, can you please point me in the right direction?

Thank you!

Help with 2.05+ single sign on 3 months 1 week ago #111651

  • Yaron
The second link is not working. Can you recheck it please? Thanks!

Help with 2.05+ single sign on 3 months 1 week ago #111660

  • Concordia
Here is the 2nd link: www.limesurvey.org/en/forum/plugins/9633...ion-on-centos-apache

I found this also, a hook function that you place in the config.php or config-defaults.php:
doc.rhizome-fai.net/doku.php?id=techniqu...ys:igname:limesurvey

I have not got this to work yet, but I think I might be on the right track.
If I get it working I will post my solution here.

Thanks.

Help with 2.05+ single sign on 3 months 1 week ago #111671

  • Concordia
I'm close, but no cookie....

I can pass an AD user to the function hook_get_auth_webserver_profile($user_name) from config-defaults.php and it returns the user's info (full name, email), but I have to hard code it.

I echo the results and I see the following, this is an example:
'full_name' => "$first_name_from_backend $second_name_from_backend",
'email' => "$user_email_from_backend",
'lang' => "fr",
'htmleditormode' => 'inline',
'templatelist' => 'default',
'create_survey' => 1,
'create_user' => 0,
'delete_user' => 0,
'superadmin' => 1,
'configurator' =>1,
'manage_template' => 1,
'manage_label' => 1);

I do not know how to get it to write the information to the survey administrators table.

Can anyone point me in the right direction please?

Thank you!

Help with 2.05+ single sign on 3 months 1 week ago #111672

  • Concordia
When I log in, the function hook_get_auth_webserver_profile($user_name) does not seem to be assigning the user name to the variable $user_name...

Help with 2.05+ single sign on 3 months 6 days ago #111787

  • Concordia
I have successfully got Apache 2.4 to authenticate through LDAP.
Once authenticated, LimeSurvey logs in automatically even if the administrator does not exist.

The answers were all in the post below, the difference was apache 2.4 and a deprecated directive:
www.limesurvey.org/en/forum/plugins/9633...ion-on-centos-apache


The only problem I have is that I cannot log out... once logged in. I have to clear my cache and/or close my browser.
I will start a new thread for this separate issue, unless someone wants to answer in this thread.

I will post my solution later on once I implement this in production.

Help with 2.05+ single sign on 3 months 1 day ago #111879

  • Concordia
The following instructions describe how to configure LimeSurvey to authenticate with LDAP through Apache and then to automatically import users as Survey Administrators.

With this method we no longer need to create users manually; every new user that connects will automatically have access to create a survey.

Increased access is required, it has to be implemented by a SuperAdmin, make sure you already have a super admin account.

Environment:
OS: Win 2008
DB: MS SQL
WEB SERVER: Apache 2.4
PHP: 5.4.24
SSL: Open SSL (optional)

Configure PHP for Active Directory Authentication
Enable LDAP Settings for PHP
i. Edit php.ini
ii. Uncomment the line extension=php_ldap.dll
iii. Copy libsasl.dll to [apache folder]\bin
iv. Restart Apache


Configure Apache for Active Directory Authentication
1. Enable modules/mod_ldap.so and modules/mod_authnz_ldap.so
(Located in C:\Apache24\conf\httpd.conf )
2. Add the following lines to the end of the httpd.conf or include step 3 directly into your httpd.conf
<IfModule authnz_ldap_module>
Include conf/authnz_ldap.conf
</IfModule>
3. Create authnz_ldap.conf file in destination path C:\Apache24\conf\
Add the following lines in the config file:

#authnz_ldap configuration for limesurvey
#Start
<Location /limesurvey/admin>
AuthBasicProvider ldap
AuthType Basic
AuthName "AD Login"
AuthLDAPURL "ldaps://xxx-xx-xxx-xxx.xxxx.ca:636/ou=People,DC=xxx,DC=ca?cn?sub?objectClass=*"
AuthLDAPBindDN "cn=xxxxxx,ou=Roles,dc=xxxxxx,dc=ca"
AuthLDAPBindPassword xxxxxxx
Require valid-user
LDAPReferrals Off
</Location>
<Location /limesurvey/index.php/admin>
AuthBasicProvider ldap
AuthType Basic
AuthName "AD Login"
AuthLDAPURL "ldaps://xxx-xx-xxx-xxx.xxxx.ca:636/ou=People,DC=xxx,DC=ca?cn?sub?objectClass=*"
AuthLDAPBindDN "cn=xxxxxx,ou=Roles,dc=xxxxxx,dc=ca"
AuthLDAPBindPassword xxxxxxx
Require valid-user
</Location>
#End

Configure settings to allow for authentication delegation with automatic user import
Modify config-defaults.php (Located in C:\Apache24\htdocs\limesurvey\application\config)
settings to allow for authentication delegation with automatic user import:

// LDAP settings
$config = true;
$config = true;
$config = array(); // This is important for future "Super Admin privileges"
$config = true;

function hook_get_auth_webserver_profile($user_name)
{
    $SearchFor = $user_name;
    $SearchField = "cn";
    $LDAPHost = "ldaps://xxxx-xxx-xxxx-xxxx.xxxxxx.ca";

    $dn = "ou=People,dc=xxxxxxxxx,dc=ca";

    // User that binds in order to retrieve the other users' information.
    $LDAPUser = "CN=xxxxxxx,ou=Roles,dc=xxxxxxx,dc=ca";
    $LDAPUserPassword = "xxxxxx";
    $LDAPFieldsToFind = array("cn", "mail", "givenName", "sn");

    $cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
    ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0);
    ldap_bind($cnx, $LDAPUser, $LDAPUserPassword) or die("Could not bind to LDAP");
    error_reporting(E_ALL ^ E_NOTICE);
    $filter = "($SearchField=$SearchFor*)";
    $sr = ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
    $info = ldap_get_entries($cnx, $sr);

    // ldap_get_entries() returns attribute names in lower case.
    for ($x = 0; $x < $info["count"]; $x++) {
        $cn = $info[$x]['cn'][0];
        $email = $info[$x]['mail'][0];
        $nam = $info[$x]['cn'][0];
        $gn = $info[$x]['givenname'][0];
        $sn = $info[$x]['sn'][0];
        if (stristr($cn, "$SearchFor")) {
            $user_name_from_backend = $nam;
            $user_email_from_backend = $email;
            $first_name_from_backend = $gn;
            $second_name_from_backend = $sn;
        }
    }

    // No entry found: return an empty profile.
    if ($x == 0) {
        return Array();
    }

    return Array(
        'full_name' => "$first_name_from_backend $second_name_from_backend",
        'email' => "$user_email_from_backend",
        'lang' => "en",
        'htmleditormode' => 'inline',
        'templatelist' => 'default',
        'create_survey' => 1,
        'create_user' => 0,
        'delete_user' => 0,
        'superadmin' => 1,
        'configurator' => 1,
        'manage_template' => 1,
        'manage_label' => 1);
}

Configure and activate limesurvey plugins
a. Settings for LDAP Plugin
i.LDAP Server: ldaps://xxx-xxx-xxxx-xxx.xxxx.ca
ii.Port number:636
iii. LDAP version:3
iv. Username prefix: cn=
v. Username suffix:,OU=people,DC=xxxxxxxx,DC=ca
vi. Check for default: Yes
vii. Save and click on activate for the LDAP Plugin
b. Settings for Web server authentication
i.Click on configure for Webserver authentication, leave as is with "REMOTE_USER" BUT CLICK ON SAVE! If you don't it won't work.
ii.Save and click on activate for the LDAP Plugin

Configuration for SSL (Optional)
1.Install openSSL and create your certificates.
2.Create file LDAP.conf:
i.Copy below text into file
# Start
# LDAP Defaults
#

# See LDAP.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI LDAP://LDAP.example.com LDAP://LDAP-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#URI LDAP://127.0.0.1/
#BASE dc=example,dc=com
TLS_REQCERT never
TLS_CACERT C:\openldap\xxxxx\xxxxxx_CERT.crt
#TLS_CACERT C:\openldap\xxxxxx\xxxxxx_CERT.pem
TLS_CACERTDIR C:\openldap\xxxxxx
#End
ii.Save file in c:\openldap\xxxxxx

Final Steps
1.Restart apache
2.Log into lime survey using your AD name

Reference
Last Edit: 3 months 1 day ago by Concordia.
The following user(s) said Thank You: DenisChenu
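
A hardened variant of the lookup logic in the hook posted above, as an added example that is not part of the original post or of LimeSurvey: it escapes the login name before it goes into the LDAP filter, matches it exactly instead of by prefix (the posted filter ends in `*`, so `jdoe` would also select `jdoe2`), accepts only a single matching entry, and returns a profile without `superadmin`. The `example_*` function names and the sample entry are constructed for illustration; the profile keys are the ones shown in the post.

```php
<?php
// Added example: the example_* helpers are hypothetical, not LimeSurvey code.
// Escape a login name for use in an LDAP filter (RFC 4515 special characters).
// PHP 5.6+ has ldap_escape(); strtr() keeps this usable on PHP 5.4.
function example_escape_filter_value($value)
{
    return strtr($value, array('\\' => '\\5c', '*' => '\\2a', '(' => '\\28',
                               ')' => '\\29', "\0" => '\\00'));
}

// Exact-match filter: no trailing '*', so "jdoe" cannot select "jdoe2".
function example_exact_filter($field, $user_name)
{
    return '(' . $field . '=' . example_escape_filter_value($user_name) . ')';
}

// $entries uses the array layout returned by ldap_get_entries().
function example_profile_from_entries($entries, $user_name)
{
    // Zero or several matches: create nothing instead of picking one.
    if (!isset($entries['count']) || $entries['count'] !== 1) {
        return array();
    }
    $e = $entries[0];
    if (!isset($e['cn'][0]) || strcasecmp($e['cn'][0], $user_name) !== 0) {
        return array();
    }
    $given = isset($e['givenname'][0]) ? $e['givenname'][0] : '';
    $sn    = isset($e['sn'][0]) ? $e['sn'][0] : '';
    return array(
        'full_name' => trim("$given $sn"),
        'email' => isset($e['mail'][0]) ? $e['mail'][0] : '',
        'lang' => 'en', 'htmleditormode' => 'inline', 'templatelist' => 'default',
        'create_survey' => 1,  // the right the thread asks for
        'create_user' => 0, 'delete_user' => 0, 'superadmin' => 0,
        'configurator' => 0, 'manage_template' => 0, 'manage_label' => 0,
    );
}

// Constructed sample entry (not real directory data).
$sample = array('count' => 1, 0 => array(
    'cn' => array('count' => 1, 0 => 'jdoe'),
    'mail' => array('count' => 1, 0 => 'jdoe@example.org'),
    'givenname' => array('count' => 1, 0 => 'Jane'),
    'sn' => array('count' => 1, 0 => 'Doe'),
));
echo example_exact_filter('cn', 'jdoe'), "\n";
echo example_exact_filter('cn', 'j*'), "\n";
var_dump(example_profile_from_entries($sample, 'jdoe'));
var_dump(example_profile_from_entries($sample, 'j'));
```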

Help with 2.05+ single sign on 3 months 1 day ago #111888

  • DenisChenu
Concordia: our plugin can be updated by other devs, I think LDAP can have an 'auto create user' too.

You can make some pull request on github :)