Help with 2.05+ single sign on

2 years 11 months ago #111559 by Concordia
Concordia created the topic: Help with 2.05+ single sign on
Hello,

I have LimeSurvey set up using LDAP.
But I have to create a LimeSurvey user with the same name as an AD (Active Directory) user account.

I do not want to have to create a user with the same name as an AD account each time... :silly:

I would like to specify the OU and have all those within the OU be able to log in as Survey Administrators.

Please Help!
The following user(s) said Thank You: Yaron

2 years 11 months ago #111623 by Yaron
Yaron replied the topic: Help with 2.05+ single sign on
I got the same problem.
The documentation tells us to add one account that exists in the AD.
I can sign into this account using my AD password. Since I am not able to sign into any other AD account, I assume we need to add every single user manually. If this is the case the LDAP plugin is useless for us.

Are we doing something wrong or is the case above true?

Thanks for clarification!
Yaron
The following user(s) said Thank You: Concordia

2 years 11 months ago #111646 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
This post was made, but never addressed.

This post was made recently, but I was unable to replicate it on my Windows environment. I don't know if it works.

It should be documented somewhere, can you please point me in the right direction?

Thank you!

2 years 11 months ago #111651 by Yaron
Yaron replied the topic: Help with 2.05+ single sign on
The second link is not working. Can you recheck it please? Thanks!

2 years 11 months ago #111660 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
Here is the 2nd link: www.limesurvey.org/en/forum/plugins/9633...ion-on-centos-apache

I found this also, a hook function that you place in the config.php or config-defaults.php:
doc.rhizome-fai.net/doku.php?id=techniqu...ys:igname:limesurvey

I have not got this to work yet, but I think I might be on the right track.
If I get it working I will post my solution here.

Thanks.

2 years 11 months ago #111671 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
I'm close, but no cookie....

I can pass an AD user in the function hook_get_auth_webserver_profile($user_name) from config-defaults.php and it returns the user's info (full name, email), but I have to hard code it.

I echo the results and I see the following, this is an example:
'full_name' => "$first_name_from_backend $second_name_from_backend",
'email' => "$user_email_from_backend",
'lang' => "fr",
'htmleditormode' => 'inline',
'templatelist' => 'default',
'create_survey' => 1,
'create_user' => 0,
'delete_user' => 0,
'superadmin' => 1,
'configurator' =>1,
'manage_template' => 1,
'manage_label' => 1);

I do not know how to get it to write the information to the survey administrators table.

Can anyone point me in the right direction please?

Thank you!

2 years 11 months ago #111672 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
When I log in, the function hook_get_auth_webserver_profile($user_name) does not seem to be assigning the user name to the variable $user_name...

2 years 11 months ago #111787 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
I have successfully got Apache 2.4 to authenticate through LDAP.
Once authenticated, LimeSurvey logs in automatically even if the administrator does not exist.

The answers were all in the post below, the difference was apache 2.4 and a deprecated directive:
www.limesurvey.org/en/forum/plugins/9633...ion-on-centos-apache


The only problem I have is that I cannot log out... once logged in. I have to clear my cache and/or close my browser.
I will start a new thread for this separate issue, unless someone wants to answer in this thread.

I will post my solution later on once I implement this in production.

2 years 11 months ago - 2 years 11 months ago #111879 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
The following instructions describe how to configure LimeSurvey to authenticate with LDAP through Apache and then to automatically import users as Survey Administrators.

With this method we no longer need to create users manually; every new user that connects will automatically have access to create a survey.

Increased access is required; it has to be implemented by a SuperAdmin, so make sure you already have a super admin account.

Environment:
OS: Win 2008
DB: MS SQL
WEB SERVER: Apache 2.4
PHP: 5.4.24
SSL: Open SSL (optional)

Configure PHP for Active Directory Authentication
Enable LDAP Settings for PHP
i. Edit php.ini
ii. Uncomment the line extension=php_ldap.dll
iii. Copy libsasl.dll to [apache folder]\bin
iv. Restart Apache


Configure Apache for Active Directory Authentication
1. Enable modules/mod_ldap.so and modules/mod_authnz_ldap.so
(Located in C:\Apache24\conf\httpd.conf )
2. Add the following lines to the end of the httpd.conf or include step 3 directly into your httpd.conf
<IfModule authnz_ldap_module>
Include conf/authnz_LDAP.conf
</IfModule>
3. Create authnz_LDAP.conf file in destination path C:\Apache24\conf\
Add the following lines in the config file:

#authnz_LDAP configuration for limesurvey
#Start
<Location /limesurvey/admin>
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "AD Login"
    AuthLDAPURL "ldaps://xxx-xx-xxx-xxx.xxxx.ca:636/ou=People,DC=xxx,DC=ca?cn?sub?objectClass=*"
    AuthLDAPBindDN "cn=xxxxxx,ou=Roles,dc=xxxxxx,dc=ca"
    AuthLDAPBindPassword xxxxxxx
    require valid-user
    LDAPReferrals Off
</Location>
<Location /limesurvey/index.php/admin>
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "AD Login"
    AuthLDAPURL "ldaps://xxx-xx-xxx-xxx.xxxx.ca:636/ou=People,DC=xxx,DC=ca?cn?sub?objectClass=*"
    AuthLDAPBindDN "cn=xxxxxx,ou=Roles,dc=xxxxxx,dc=ca"
    AuthLDAPBindPassword xxxxxxx
    require valid-user
</Location>
#End

Configure settings to allow for authentication delegation with automatic user import
Modify config-defaults.php (Located in C:\Apache24\htdocs\limesurvey\application\config)
settings to allow for authentication delegation with automatic user import:

// LDAP settings
$config = true;
$config = true;
$config = array(); // This is important for future "Super Admin privileges"
$config = true;

function hook_get_auth_webserver_profile($user_name)
{
    $SearchFor = $user_name;
    $SearchField = "cn";
    $LDAPHost = "ldaps://xxxx-xxx-xxxx-xxxx.xxxxxx.ca";

    $dn = "ou=People,dc=xxxxxxxxx,dc=ca";

    // User that binds to retrieve the other users' information.
    $LDAPUser = "CN=xxxxxxx,ou=Roles,dc=xxxxxxx,dc=ca";
    $LDAPUserPassword = "xxxxxx";
    $LDAPFieldsToFind = array("cn", "mail", "givenName", "sn");

    $cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
    ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0);
    ldap_bind($cnx, $LDAPUser, $LDAPUserPassword) or die("Could not bind to LDAP");
    error_reporting(E_ALL ^ E_NOTICE);
    // Prefix match on the login name: the trailing * also matches longer names.
    $filter = "($SearchField=$SearchFor*)";
    $sr = ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
    $info = ldap_get_entries($cnx, $sr);

    // Attribute indexes follow $LDAPFieldsToFind; ldap_get_entries() lower-cases the names.
    for ($x = 0; $x < $info["count"]; $x++) {
        $cn = $info[$x]["cn"][0];
        $email = $info[$x]["mail"][0];
        $nam = $info[$x]["cn"][0]; // index lost in the post; cn assumed (it is the login name searched for)
        $gn = $info[$x]["givenname"][0];
        $sn = $info[$x]["sn"][0];
        if (stristr($cn, "$SearchFor")) {
            $user_name_from_backend = $nam;
            $user_email_from_backend = $email;
            $first_name_from_backend = $gn;
            $second_name_from_backend = $sn;
        }
    }

    // No entry found: return an empty profile.
    if ($x == 0) {
        return Array();
    }

    // Profile and permissions given to the automatically created user.
    return Array(
        'full_name' => "$first_name_from_backend $second_name_from_backend",
        'email' => "$user_email_from_backend",
        'lang' => "en",
        'htmleditormode' => 'inline',
        'templatelist' => 'default',
        'create_survey' => 1,
        'create_user' => 0,
        'delete_user' => 0,
        'superadmin' => 1,
        'configurator' => 1,
        'manage_template' => 1,
        'manage_label' => 1);
}

Configure and activate limesurvey plugins
a. Settings for LDAP Plugin
i. LDAP Server: ldaps://xxx-xxx-xxxx-xxx.xxxx.ca
ii. Port number: 636
iii. LDAP version: 3
iv. Username prefix: cn=
v. Username suffix: ,OU=people,DC=xxxxxxxx,DC=ca
vi. Check for default: Yes
vii. Save and click on activate for the LDAP Plugin
b. Settings for Web server authentication
i. Click on configure for Webserver authentication, leave as is with "REMOTE_USER" BUT CLICK ON SAVE! If you don't it won't work.
ii. Save and click on activate for the LDAP Plugin

Configuration for SSL (Optional)
1. Install OpenSSL and create your certificates.
2. Create file LDAP.conf:
i. Copy below text into file
# Start
# LDAP Defaults
#

# See LDAP.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI LDAP://LDAP.example.com LDAP://LDAP-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
#URI LDAP://127.0.0.1/
#BASE dc=example,dc=com
TLS_REQCERT never
TLS_CACERT C:\openldap\xxxxx\xxxxxx_CERT.crt
#TLS_CACERT C:\openldap\xxxxxx\xxxxxx_CERT.pem
TLS_CACERTDIR C:\openldap\xxxxxx
#End
ii. Save file in c:\openldap\xxxxxx

Final Steps
1. Restart Apache
2. Log into LimeSurvey using your AD name

Reference
Last Edit: 2 years 11 months ago by Concordia.
The following user(s) said Thank You: DenisChenu
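
A tighter version of the lookup step in the post above, as an added example that is not part of the thread or of LimeSurvey: the helper names and the sample entry are hypothetical, and the reduced permission values are an assumption (create surveys only). It replaces the prefix-wildcard filter with an escaped exact match, written without ldap_escape() so it also runs on PHP 5.4, and returns a profile only when exactly one directory entry matches the login name.

```php
<?php
// Added example: constructed data, hypothetical helper names.
// RFC 4515 escaping by hand (ldap_escape() needs PHP 5.6+); backslash goes first.
function ldap_filter_escape($value)
{
    return str_replace(
        array('\\', '*', '(', ')', "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Exact match, no trailing wildcard: "jdoe" must not match "jdoe2".
function exact_user_filter($attribute, $user_name)
{
    return '(' . $attribute . '=' . ldap_filter_escape($user_name) . ')';
}

// Takes the array shape ldap_get_entries() returns; one exact cn match or nothing.
function profile_from_entries(array $entries, $user_name)
{
    if (!isset($entries['count']) || $entries['count'] !== 1) {
        return array();
    }
    $e = $entries[0];
    if (!isset($e['cn'][0]) || strcasecmp($e['cn'][0], $user_name) !== 0) {
        return array();
    }
    $given = isset($e['givenname'][0]) ? $e['givenname'][0] : '';
    $sn    = isset($e['sn'][0]) ? $e['sn'][0] : '';
    return array(
        'full_name' => trim("$given $sn"),
        'email' => isset($e['mail'][0]) ? $e['mail'][0] : '',
        'lang' => 'en', 'htmleditormode' => 'inline', 'templatelist' => 'default',
        'create_survey' => 1, 'create_user' => 0, 'delete_user' => 0,
        // Assumption: auto-created accounts only need to create surveys.
        'superadmin' => 0, 'configurator' => 0,
        'manage_template' => 0, 'manage_label' => 0,
    );
}

// Constructed directory entry and a login name containing filter metacharacters.
$entries = array('count' => 1, 0 => array(
    'cn' => array('count' => 1, 0 => 'jdoe'),
    'mail' => array('count' => 1, 0 => 'jdoe@example.org'),
    'givenname' => array('count' => 1, 0 => 'Jane'),
    'sn' => array('count' => 1, 0 => 'Doe')));
echo exact_user_filter('cn', 'jdoe*)(mail=*'), "\n";
print_r(profile_from_entries($entries, 'jdoe'));
```

Inside the hook, the filter string would be passed to ldap_search() and the result of ldap_get_entries() to profile_from_entries().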

2 years 11 months ago #111888 by DenisChenu
DenisChenu replied the topic: Help with 2.05+ single sign on
Concordia: our plugin can be updated by other devs; I think LDAP can have an 'auto create user' too.

You can make a pull request on GitHub :)

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand (or search sondages pro).
An error happen ? Before make a new topic : remind the Debug mode .

2 years 10 months ago #112039 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
What are the files that I have to modify?
Can you point me in the right direction?

2 years 10 months ago #112043 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
I found this on github, but it seems there is something about a security issue.

separate bind DN + user autocreation
github.com/LimeSurvey/LimeSurvey/pull/176

2 years 9 months ago #113285 by chlarsen
chlarsen replied the topic: Help with 2.05+ single sign on
Hi there,

I most definitely endorse the concept of on-the-fly user creation of those users that have successfully logged in via OpenLDAP. To have to set up users twice (in the Directory server and LimeSurvey) is simply not scalable. However, I am confused as to where we stand now:
With the new plugin structure, this ( manual.limesurvey.org/Optional_settings#...automatic_user_impor ) is not applicable any more.
Looking at your post, Concordia, I do not know where to start. First, I do not use my web server to authenticate, but OpenLDAP.
Then, where am I supposed to insert the function, Concordia? With the new LimeSurvey layout, config-default does not seem to get called any more.
Thanks for your help!
Chris

2 years 9 months ago - 2 years 9 months ago #113289 by Concordia
Concordia replied the topic: Help with 2.05+ single sign on
Hi Chris,

This post is for authentication through webserver.
If you're looking for authentication through LDAP, try looking at this other post I made:
here or look under the development forum for LDAP authentication & automatic user creation using AuthLDAP.php plugin

I cannot help you with the new version as I do not have that installed, but what I could tell you from my limited knowledge of limesurvey is that the settings from config-defaults.php are copied to config.php. Try adding the function there.
Last Edit: 2 years 9 months ago by Concordia.

2 years 9 months ago #113305 by chlarsen
chlarsen replied the topic: Help with 2.05+ single sign on
Dear Concordia,
Thankfully, Wilbert van Ham has posted a smooth solution on GitHub. See here, github.com/LimeSurvey/LimeSurvey/pull/176#issuecomment-58514793 and thereafter issue #225.
Works like a charm!
Thanks anyway, stay well,
Chris
