Help Desk Software & Beyond
Author Topic: [MOD] Use Active Directory Login  (Read 3710 times)
mhequipit
« on: October 26, 2007, 11:40:19 AM »

Don't know if someone has already asked this, but is there a way to use Active Directory users instead of the internal users.cgi?  If not, can you send me a quote?

bbell
« Reply #1 on: October 24, 2008, 12:28:05 PM »

I know this is an old post, but came across the thread when I was looking for something else and figured I'd post an answer anyway.

I managed to get this working by adding a new file TTXLdap.pm:

Code:
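package TTXLdap;

$TTXLdap::VERSION='1.00';

use strict;
use Win32::OLE;

my $strADsPath = 'LDAP://substitute-your-primary-AD-server-here';
my $strADsAlternatePath = 'LDAP://substitute-your-fallback-AD-server-here';
# Not used by authenticate() below.
my $strDomain = "\@substitute-your-domain-name-here";

# Returns 1 if Active Directory accepts the credentials, 0 otherwise.
sub authenticate {
  my $strUserID       = shift || "";
  my $strUserPassword = shift || "";
  my $result = 0;

  # Reject empty credentials up front: an LDAP bind with an empty
  # password can be accepted by the server as an anonymous bind.
  return $result if $strUserID eq "" || $strUserPassword eq "";

  my $objNameSpace = Win32::OLE->GetObject ('LDAP:') or return $result;

  # Flag 1 = ADS_SECURE_AUTHENTICATION
  my $objObjSec = $objNameSpace->OpenDSObject($strADsPath, $strUserID, $strUserPassword, 1);
  if (Win32::OLE->LastError()==0) {
    $result = 1;
  }
  else {
    # Primary server failed; try the fallback server.
    $objObjSec = $objNameSpace->OpenDSObject($strADsAlternatePath, $strUserID, $strUserPassword, 1);
    if (Win32::OLE->LastError()==0) {
      $result = 1;
    }
  }
  if (defined $objObjSec) {
    $objObjSec->Close;
  }
  $objNameSpace->Close;
  return $result;
}

# A module must end with a true value.
1;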

I then changed the login subroutine in TTXLogin.pm:

Code:
  my $user = TTXUser->new($query->param('login'));
  if ($user eq undef || TTXLdap::authenticate( $query->param('login'), $query->param('passwd')) ne 1) {
    $data->{ERROR_MESSAGE} = '[%Wrong User ID or Password%]';
    return undef;
  }

While my Perl experience is limited, this has been working for us for a few months now. YMMV.

Sparky
« Reply #2 on: October 24, 2008, 12:48:27 PM »

This is excellent.

I'm adding this to the modifications listing.

Did you update the paths in ttxcfg.cgi after moving TTX to your new location?
To those seeking help.... please report back when you figure it out.

Sparky
« Reply #3 on: October 24, 2008, 12:49:27 PM »

moved to modifications forum.

bbell
« Reply #4 on: October 24, 2008, 12:58:40 PM »

I forgot to mention in my earlier post that I still use setup.cgi to add users, setting the password field to "ignored" or some other nonsensical value.

Sparky
« Reply #5 on: October 24, 2008, 01:06:13 PM »

And the login name must be set up exactly the same in both TTX and Active Directory, correct?

Paul Nolette
« Reply #6 on: November 03, 2008, 11:09:19 AM »

This is a great Mod and works perfectly! Thank you for this.
We are going to use AD authentication on some helpdesks but not on others, so this is a crazy question, but could you put in an if statement to use TTX login?
Basically I want to have an Admin account (not an AD account) that can log in to any one of our helpdesk systems, so I need to bypass the AD auth if the username is Admin.
So if the login username is Admin, use the ttx login routine:
Code:
  if ($user eq undef || ($user->get('passwd') eq undef) || ($user->get('passwd') ne $query->param('passwd'))) {
    $data->{ERROR_MESSAGE} = '[%Wrong User ID or Password%]';
    return undef;
  }
otherwise use AD login:
Code:
  if ($user eq undef || TTXLdap::authenticate( $query->param('login'), $query->param('passwd')) ne 1) {
    $data->{ERROR_MESSAGE} = '[%Wrong User ID or Password%]';
    return undef;
  }

I cannot figure out how to write the if statement for this!

Paul Nolette
« Reply #7 on: November 04, 2008, 03:41:52 PM »

Out of desperation I got this to work. I can't imagine anyone else wants to have this admin bypass, but if you do, here it is. Basically if a user named ttxadmin logs in it will use ttx authentication, otherwise it's AD authentication.

Code:
  if ($query->param('login') eq "ttxadmin") {
    if ($user eq undef || ($user->get('passwd') eq undef) || ($user->get('passwd') ne $query->param('passwd'))) {
      $data->{ERROR_MESSAGE} = '[%Wrong User ID or Password%]';
      return undef;
    }
  } else {

    if ($user eq undef || TTXLdap::authenticate( $query->param('login'), $query->param('passwd')) ne 1) {
      $data->{ERROR_MESSAGE} = '[%Wrong User ID or Password%]';
      return undef;
    }
  }

Sparky
« Reply #8 on: November 04, 2008, 03:46:38 PM »

Thanks for the contribution.

chloeroxymax
« Reply #9 on: January 02, 2009, 09:12:20 AM »

It is worth noting that I had to add this line at the top of TTXLogin.pm to get this to work on 3.00:

use TTXLdap;

Thanks for a great mod!  We're going to put it thru its paces.

bmj
« Reply #10 on: May 17, 2010, 05:40:39 PM »

Also important to note that Win32::OLE is only supported by servers running Windows.

I'm working on a mod for Unix/Linux systems based on Net::LDAP bind.  Please drop me a note if anyone has experience with that lib.
« Last Edit: May 18, 2010, 06:58:15 PM by bmj »

bmj
« Reply #11 on: May 19, 2010, 01:48:24 PM »

For AD authentication in Unix TTX implementations, replace the contents of TTXLdap.pm with the following:

Code:
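package TTXLdap;

use Net::LDAP;
$TTXLdap::VERSION='1.00';

use strict;

my $domain = "DOMAIN_GOES_HERE";
my $adserver = "AD_SERVER_IP_GOES_HERE";

# Returns 1 if the AD server accepts a simple bind as DOMAIN\user, 0 otherwise.
sub authenticate {
  my $strUID = shift || "";
  my $strPass = shift || "";
  my $result = 0;

  # Reject empty credentials before binding: a simple bind with an empty
  # password is an unauthenticated bind, which a server may accept, and
  # that would report success here without checking any password.
  return $result if $strUID eq "" || $strPass eq "";

  my $login = $domain . "\\" . $strUID;
  # As written this is a plain LDAP connection, so the password is sent
  # unencrypted unless $adserver is given as an ldaps:// URI.
  my $ldap = Net::LDAP->new( "$adserver" ) or die "$@";

  my $auth = $ldap->bind ($login, password => "$strPass", version => 3);

  if ($auth->code)
  {
    # Failed, return 0
    $result = 0;
  } else {
    $result = 1;
  }

  $ldap->unbind;

  return $result;
}

1;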

Substitute the AD server and domain as appropriate.  Note that I didn't include a fallback server (can be done pretty easily).  Also note that you still need to modify TTXLogin.pm as noted in the original post.
Logged
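
A hardened variant of the Net::LDAP module from Reply #11, as an added example that is not part of any forum post and has not been tested against TTX: it refuses empty passwords, tries a fallback server, and requires verified TLS before the bind. The host names, UPN suffix and CA file path are placeholder assumptions.

```perl
package TTXLdap;

use strict;
use warnings;
use Net::LDAP;

our $VERSION = '1.00';

# Placeholders (assumptions): replace with your own values.
my @ad_servers = ('dc1.example.internal', 'dc2.example.internal');
my $upn_suffix = '@example.internal';
my $ca_file    = '/etc/ssl/certs/example-ad-ca.pem';

# Returns 1 only if a domain controller accepts the user's password.
sub authenticate {
  my ($uid, $pass) = @_;

  # An empty password would turn the bind into an unauthenticated
  # (anonymous) bind that the server may accept, so refuse it here.
  return 0 unless defined($uid)  && length($uid);
  return 0 unless defined($pass) && length($pass);

  # Accept only plain account names, so the caller cannot choose the
  # domain or pass a full DN.
  return 0 unless $uid =~ /\A[A-Za-z0-9._-]{1,64}\z/;

  # An array reference makes Net::LDAP try each server in order.
  my $ldap = Net::LDAP->new(\@ad_servers, timeout => 5, version => 3)
    or return 0;    # no server reachable: fail closed instead of die

  # Upgrade to TLS and verify the server certificate before any
  # password leaves this host.
  my $tls = $ldap->start_tls(verify => 'require', cafile => $ca_file);
  if ($tls->code) {
    $ldap->disconnect;
    return 0;
  }

  # Bind as user@domain (UPN form); a non-zero result code means failure.
  my $auth = $ldap->bind($uid . $upn_suffix, password => $pass);
  my $ok   = $auth->code ? 0 : 1;

  $ldap->unbind;
  return $ok;
}

1;
```

The call in TTXLogin.pm stays the same as in the original post, since `authenticate` still takes the login and password and returns 1 or 0.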