>
> I was having some issues getting the Auth_Ldap adapter to work and I think I
> may have found a bug in Zend_Ldap. Before I submit a ticket to the issue
> tracker, I wanted to see if this is actually a bug or if I am doing
> something wrong.
>
> Environment:
>
> Zend Framework 1.6.2
> Microsoft Active Directory
>
> Here is the pertinent part of the config file I am using:
> ldap.server.host = corp.example.com
> ldap.server.accountDomainNameShort = EXAMPLE
> ldap.server.accountCanonicalForm = 3
>
> When trying to authenticate, I am receiving an error message stating "Option
> required: accountDomainName"
>
> The traceback shows this:
> D:\library\Zend\Ldap.php(712):
> Zend_Ldap->getCanonicalAccountName('Example\mlorey', 4)
> ^^ notice the 4 above, instead of the 3 I specified.
As the documentation says, a valid accountDomainName option is required.
The adapter prefers to bind AD with the principal name regardless of
what you enter. And thus it needs accountDomainName (e.g.
ad.example.com).
> If I add the accountDomainName I fail authentication because it is trying to
> authenticate as mlorey@example.com. My active directory requires I
> authenticate as EXAMPLE\mlorey.
Then the accountDomainName value you are using is incorrect. Ask your
AD administrator what the FQDN domain name of your AD domain is.
Note: The accountDomainName is the DNS domain of your AD domain. It is
not an E-mail domain. As the name suggests, it is a namespace for
accounts and not websites or mail servers.
> Changing lines 711 - 712 of Ldap.php from:
> $username = $this->getCanonicalAccountName($username,
> Zend_Ldap::ACCTNAME_FORM_PRINCIPAL);
> to:
> $username = $this->getCanonicalAccountName($username,
> $this->_options['accountCanonicalForm']);
>
> works, as it authenticates as EXAMPLE\mlorey.
>
> It seems the current code uses Zend_Ldap::ACCTNAME_FORM_PRINCIPAL (4)
> instead of what I configured 3 (Zend_Ldap::ACCTNAME_FORM_BACKSLASH). Am I
> missing something here, or is this a bug?
It is not a bug. If you had used accountCanonicalForm = 2 the code
could fail as the name must be qualified (and even if AD accepted it,
the username could be interpreted in an ambiguous way).
However, since binding with AD works with ACCTNAME_FORM_BACKSLASH as
well as ACCTNAME_FORM_PRINCIPAL and because those are both qualified
usernames, it might be possible to add some code to choose
ACCTNAME_FORM_BACKSLASH if accountDomainNameShort was specified but
accountDomainName was not. So you are welcome to open a "feature
enhancement" ticket if you like. But there's no guarantee it will make
it in, I would need to play around with it.
In general the accountDomainName option is fairly important for a
number of reasons and as such the documentation states that it is
required.
Figure out the correct DNS domain name for your AD domain and it
should work fine.
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
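Added illustration, not Zend_Ldap's code and not written by anyone in the thread: a constructed Python sketch of the three account-name forms the messages refer to (2 = bare username, 3 = ACCTNAME_FORM_BACKSLASH, 4 = ACCTNAME_FORM_PRINCIPAL), the "Option required" check the poster hit, and the fallback to the backslash form that the reply says could be added. Option keys and constant values come from the thread; the rejection of a name whose domain matches neither configured domain is my own check, not Zend_Ldap behaviour.

```python
# Constructed example (not Zend_Ldap's code): the account-name forms and option
# checks the thread discusses, plus the fallback the reply says could be added.
ACCTNAME_FORM_USERNAME = 2   # bare 'mlorey' (unqualified, ambiguous for a bind)
ACCTNAME_FORM_BACKSLASH = 3  # 'EXAMPLE\mlorey' (needs accountDomainNameShort)
ACCTNAME_FORM_PRINCIPAL = 4  # 'mlorey@ad.example.com' (needs accountDomainName)


class OptionRequired(Exception):
    """Mirrors the 'Option required: ...' error quoted in the thread."""


def split_account_name(name):
    """Return (domain_or_None, user) for backslash, principal or bare forms."""
    if '\\' in name:
        domain, user = name.split('\\', 1)
    elif '@' in name:
        user, domain = name.rsplit('@', 1)
    else:
        domain, user = None, name
    if not user or any(c in user for c in '\\@/'):
        raise ValueError('malformed account name: %r' % name)
    return domain, user


def canonical_account_name(name, options, form):
    """Rewrite NAME into FORM using the configured domains, refusing names that
    carry a domain other than the configured ones (my check, not Zend_Ldap's)."""
    domain, user = split_account_name(name)
    fqdn = options.get('accountDomainName')        # DNS domain of the AD domain
    short = options.get('accountDomainNameShort')  # NetBIOS-style short name
    if domain and domain.lower() not in {d.lower() for d in (fqdn, short) if d}:
        raise ValueError('%r is not a configured account domain' % domain)
    if form == ACCTNAME_FORM_USERNAME:
        return user
    if form == ACCTNAME_FORM_BACKSLASH:
        if not short:
            raise OptionRequired('Option required: accountDomainNameShort')
        return '%s\\%s' % (short, user)
    if form == ACCTNAME_FORM_PRINCIPAL:
        if not fqdn:
            raise OptionRequired('Option required: accountDomainName')
        return '%s@%s' % (user, fqdn)
    raise ValueError('unknown accountCanonicalForm %r' % form)


def bind_name(name, options, with_fallback=False):
    """Name used for the AD bind. As shipped, PRINCIPAL is always used (hence the
    poster's error); with_fallback=True applies the enhancement from the reply:
    BACKSLASH when only accountDomainNameShort is configured."""
    form = ACCTNAME_FORM_PRINCIPAL
    if with_fallback and not options.get('accountDomainName') and options.get('accountDomainNameShort'):
        form = ACCTNAME_FORM_BACKSLASH
    return canonical_account_name(name, options, form)


# Constructed config matching the thread's ini fragment (accountDomainName absent)
POSTER_OPTIONS = {'accountDomainNameShort': 'EXAMPLE', 'accountCanonicalForm': 3}
```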