Monday, 2 February 2009

RE: [fw-mvc] Auth against AztiveDirectory

Hi Jaime,

This is something I've yet to implement but will need to consider
shortly. The way I plan on doing it is to configure security groups that
will be allowed access to components. Then perform a search for the
user's security groups when the user logs in to populate an auth table of
what this user is allowed access to. This way a fresh search is
performed every time they log in. So if the user doesn't exist on AD they
don't get in. I will also have a manual override which will take
priority.

I don't believe all the searching functionality that is required is part
of the core framework. Have a scan over this as it should be of some
help.

http://framework.zend.com/wiki/display/ZFPROP/Extended+Zend_Ldap+Proposal+-+Stefan+Gehrig

Cheers,
Jamie

-----Original Message-----
From: Jaime Garcia [mailto:jgarcia@vali.com.mx]
Sent: 30 January 2009 17:16
To: Jamie Sutherland
Cc: fw-mvc@lists.zend.com
Subject: RE: [fw-mvc] Auth against AztiveDirectory

Hello Jamie,

I appreciate a lot this piece of info, I just was looking right
direction on this, just yesterday I was testing the ldap module and I
successfully connected and extracted some info from my AD container, so
right now I am going to test the ldap auth adapter, thank you for the
tip =)

Another thing I'm thinking is how to solve the mapping of the roles of
these users (from AD) to be loaded into my ACL object (I have a plugin
that loads all resources and roles config to Zend_Acl object from DB by
the way). Before it was easy because the mapping is straightforward from
my users table, just add some field to map the role with acl's table,
but now I just try figuring out how to accomplish with this mapping
since I can't add arbitrary fields to AD container..

my thought:
Extract each single user from AD and insert this into my DB (mysql)
users table, then do the mapping through this. But what happens if a
user from AD is deleted? Not so bad since not logon is allowed to this
user, but yet her permissions are on DB table (mysql)... have you faced
this before? Any thoughts on this will be appreciated, thanks in advance
to all.

My best regards,
JG

> -----Original Message-----
> From: Jamie Sutherland [mailto:jsutherland@bloxx.com]
> Sent: Friday, 30 January 2009 09:48 a.m.
> To: Jaime Garcia
> CC: fw-mvc@lists.zend.com
> Subject: RE: [fw-mvc] Auth against AztiveDirectory
>
> Jaime,
>
> I've found that the documentation on the website is a bit misleading
> in getting a server to connect with Active Directory (AD). I've
> recently gone through the process myself and had to refer to the source
> several times to work out how to implement it. Also this is pretty
> difficult to debug if you've previously set up an authorisation plugin
> like in previous examples using a database table. If you have
> implemented this plugin, disable it until you've proved the LDAP auth
> is working.
>
> I'll assume you are attempting to follow the instructions here:
> http://framework.zend.com/manual/en/zend.auth.adapter.ldap.html
>
> Firstly the config.ini setup required for AD:
>
> Don't copy the example on the website completely. First off the line
>
> "ldap.log_path = /tmp/ldap.log"
>
> This line will cause issues when passing the options to
> Zend_Auth_Adapter_Ldap as it doesn't provide an array. If you wish to
> set up a log, I suggest having a different config option. (i.e.
> log.ldap.log_path = /tmp/ldap.log)
>
> Also make sure you *do not* have the line below in your config.ini.
>
> "ldap.server.bindRequiresDn = 1"
>
> This will perform a lookup on the uid (eDirectory/OpenLDAP) rather
> than the sAMAccountName (AD)
>
> A stupid point, but it's also worth mentioning is that you must have
> the php module ldap.so loaded or available.
>
> sudo apt-get install php5-ldap // if you're running Ubuntu
>
>
> Hope this helps!
>
> Cheers,
> Jamie
>
> -----Original Message-----
> From: Tobias Gies [mailto:tobiasgies@googlemail.com]
> Sent: 29 January 2009 22:32
> To: Jaime Garcia
> Cc: fw-mvc@lists.zend.com
> Subject: Re: [fw-mvc] Auth against AztiveDirectory
>
> Hi Jamie,
>
> you can use Zend_Ldap and Zend_Auth_Adapter_Ldap for that task.
> Examples of how to use Zend_Ldap with AD can be found in the manual.
>
> Best regards,
> Tobias
>
> 2009/1/29 Jaime Garcia <jgarcia@vali.com.mx>:
> > Hi my friends,
> >
> > Has anyone authenticated users against Active Directory using MVC ZF?
> >
> >
> >
> > Best regards,
> >
> > J.G.

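Added example, not code from the thread or from Zend Framework: one way to rebuild a user's roles from AD group membership at each login, with the manual override taking priority, as discussed in the messages above. The group DNs, user names, role names and the in-memory array standing in for the MySQL auth table are assumptions; the memberOf values would come from the LDAP search made after a successful bind.

```php
<?php
// Constructed sample data: group DNs, user names and role names are assumptions.
$groupRoleMap = [
    'cn=app-admins,ou=groups,dc=example,dc=test'  => 'admin',
    'cn=app-editors,ou=groups,dc=example,dc=test' => 'editor',
];
// Manual overrides take priority over anything derived from AD groups.
$overrides = [
    'jdoe'   => ['viewer'], // pinned to viewer whatever groups AD reports
    'temp01' => [],         // explicitly no access
];

/**
 * Work out a user's roles from the memberOf values read from AD at login.
 * Groups are matched on the full DN, so a group with the same CN in
 * another OU grants nothing. An empty result means no access.
 */
function resolveRoles(string $user, array $memberOf, array $map, array $overrides): array
{
    $user = strtolower($user);
    if (array_key_exists($user, $overrides)) {
        return $overrides[$user];
    }
    $roles = [];
    foreach ($memberOf as $dn) {
        $key = strtolower(trim($dn));
        if (array_key_exists($key, $map)) {
            $roles[$map[$key]] = true; // array key de-duplicates roles
        }
    }
    return array_keys($roles);
}

/** Overwrite the stored roles on every successful login so old rows never linger. */
function refreshAuthTable(array &$authTable, string $user, array $roles): void
{
    $authTable[strtolower($user)] = $roles;
}

// In-memory stand-in for the MySQL auth table, holding a stale row for asmith.
$authTable = ['asmith' => ['admin']];
$memberOf = [
    'CN=App-Editors,OU=Groups,DC=example,DC=test',
    'CN=App-Admins,OU=Other,DC=example,DC=test', // same CN, different OU: ignored
];
$roles = resolveRoles('asmith', $memberOf, $groupRoleMap, $overrides);
refreshAuthTable($authTable, 'asmith', $roles);
print_r($authTable);
```

Because the stored row is replaced rather than merged, a user removed from a group in AD loses the matching role at the next login.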