
Thread: External Authentication

  1. #1
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    External Authentication

    Hello

    I'd like to implement a feature to be able to authenticate against an external source.

    I'm using kerberos with a local script that takes the username and the password and returns 0 on success or something else if the check failed.

    I've created an extension that can check the password against kerberos. It uses the checkCredentials hook.
    Sadly, this only works when the user exists in the database and has not entered the right password.

    Is there an easy way to implement this function?

    - User gives Username and Password
    - Contao checks this against my kerberos
    - If successful, the user gets a default group and the user has appropriate access

    My actual extension can be configured to use any locally installed executable (script, binary) that takes username and password as command line arguments and answers with a code of 0 on success and with another code otherwise. If there is some interest for that, I'll be happy to provide the code.

    best regards

    kruemi

  2. #2
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Ok... I seem to have come one step further...

    I can use the "importUser" hook. Seems quite nice.

    The description only mentions that a boolean is to be returned. But what does that boolean do?

    Does it mean: "login succeeded"?
    Or does it just mean: "user exists"?

    kind regards

    kruemi

  3. #3
    Experienced user
    Join Date
    01-12-10.
    Posts
    814

    Re: External Authentication

    At login the function only checks that the username exists in the users db. importUser could do just that; check that the username you type in is the name of an existing account. But the boolean returned represents the result of the username lookup (yes, user exists in db / no, user was not found)

    Then, when importUser did its thing you can use checkCredentials to actually verify the password.

    Returning 0 on success is a little unusual, but if you invert the outcome of kerberos you should be able to login.

    One note though; I have not yet used either of these hooks and am unsure if you'll run into problems later. But I don't think you would.

  4. #4
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Thank you very much for the reply.

    This sounds really good. So I'll need to implement both of these hooks.

    About the return code "0". This is common practice for unix tools. I'm doing a call to an executable (a perl-script in this case). So I need to translate between these two worlds. But this is not really an issue.

    But another thing I realized is that this call occurs in frontend as well as in backend.

    I have made two modules. One for the Frontend and one for the Backend.

    One class starts with:
    class FrontendExtAuth extends Frontend {
    and the other one with
    class FrontendExtAuth extends Backend {

    But it seems that both of them are called on a wrong password. How can I find out from where the function has been called?

    best

    kruemi
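
The translation between the helper's exit code and a login result described in this post, as an added example that is not part of the original thread or of the au-extAuth extension. The checker path and the function name `externalAuth` are assumptions; the helper's contract (username and password as arguments, exit code 0 on success) is the one stated in the thread.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.4+ (array form of proc_open).
// CHECKER is a hypothetical path. Contract as described in the thread:
// argv = username, password; exit code 0 = accepted, anything else = rejected.
const CHECKER = '/usr/local/bin/krb-check';

/**
 * Run the external checker and translate its exit code into a boolean.
 * Fails closed: any problem launching the helper counts as a rejected login.
 */
function externalAuth(string $username, string $password, string $checker = CHECKER): bool
{
    // Conservative username alphabet; no leading "-" so the helper cannot
    // mistake the name for an option.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9._-]{0,63}\z/', $username)) {
        return false;
    }
    // Empty passwords and NUL bytes (not representable in an argv entry) are refused.
    if ($password === '' || strpos($password, "\0") !== false) {
        return false;
    }
    if (!is_file($checker) || !is_executable($checker)) {
        return false;
    }

    // Array form: every element becomes exactly one argv entry and no shell is
    // involved, so quotes, spaces or ";" in the password cannot alter the command.
    $null = ['file', '/dev/null', 'r'];
    $sink = ['file', '/dev/null', 'w'];
    $pipes = [];
    $proc = proc_open([$checker, $username, $password], [$null, $sink, $sink], $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    // proc_close() waits for the helper and returns its exit code (-1 on error).
    return proc_close($proc) === 0;
}

// Constructed demonstration: /bin/true (always exit 0) and /bin/false (always
// exit 1) stand in for the real checker.
var_dump(externalAuth('kruemi', 'p@ss; "word"', '/bin/true'));
var_dump(externalAuth('kruemi', 'p@ss; "word"', '/bin/false'));
var_dump(externalAuth('kru emi', 'secret', '/bin/true'));
```

Arguments passed this way can still be visible in the process list to other local users while the helper runs; a helper that reads the password from standard input avoids that exposure.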

  5. #5
    Experienced user
    Join Date
    06-20-09.
    Posts
    1,311

    Re: External Authentication

    Code:
    if (TL_MODE == 'BE'){ } and if (TL_MODE != 'BE'){ }
    might work

  6. #6
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Hello Ramjet

    Quote Originally Posted by ramjet
    Code:
    if (TL_MODE == 'BE'){ } and if (TL_MODE != 'BE'){ }
    might work
    That did the trick! Thanx a lot!

    kruemi

  7. #7
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Ok... again it's me...

    I got it running... almost!

    What my extension does now:

    If a user is not found in the DB:
    hook importUser is called

    I authenticate against kerberos with username and password. If this succeeds, the user is added to the database with an x in place of the password (to force the use of the next hook).
    I do this by writing directly to the database. If there is a better way, please let me know.

    Then Contao checks the password. If this fails (which will be in almost any case, since I've set an invalid pw in the database) the hook checkCredentials is called.

    Again, I check against kerberos and on success, the user is logged in.


    The only problem left for me is with groups. Groups are stored in the database as binary blobs. Is there documentation, how these blobs are built? Or is there a finished function that creates this blob?


    best regards

    kruemi

    PS: would there be any interest that I make this extension available?

  8. #8
    Experienced user
    Join Date
    06-20-09.
    Posts
    1,311

    Re: External Authentication

    There might be a method, but I don't know of one.
    The group blob is a serialized array of ids from the tl_member_group table (which holds the group name etc).
    So you can unserialize (or deserialize, a Contao function)
    and process the array.

    e.g. here I'm finding the "Joblisting Accounts" group id:

    Code:
    // get the id number of the group Joblisting Accounts
    $objGroup = $this->Database->prepare("SELECT id, name FROM tl_member_group WHERE name='Joblisting Accounts'")
        ->limit(1)
        ->execute();

    $groupId = $objGroup->id;
    // unserialize the groups this member belongs to
    $groupIdArray = deserialize($dc->activeRecord->groups, true);
    // and if Joblisting Accounts is ticked
    if (in_array($groupId, $groupIdArray))
    {
        // ....
    }
    If you are adding to the tl_member groups blob, add the group id to the array and serialize before updating
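
Adding a group id to the serialized blob as described in this post, as an added example that is not part of the original thread. `addGroupToBlob` is a hypothetical helper, and plain `unserialize()` stands in for Contao's `deserialize()` so the block runs without Contao.

```php
<?php
// Added example, not code from the thread. addGroupToBlob() is a hypothetical
// helper; unserialize() stands in for Contao's deserialize(). Requires PHP 7.1+.

/**
 * Return the serialized groups blob with $groupId added.
 * Accepts null/empty blobs (member without groups) and refuses malformed ones.
 */
function addGroupToBlob(?string $blob, int $groupId): string
{
    $groups = [];
    if ($blob !== null && $blob !== '') {
        // allowed_classes=false: the blob should only ever hold an array of ids,
        // so stored data is never allowed to instantiate objects.
        $decoded = @unserialize($blob, ['allowed_classes' => false]);
        if (!is_array($decoded)) {
            throw new InvalidArgumentException('groups blob is not a serialized array');
        }
        $groups = $decoded;
    }

    // Normalise ids to integers, drop anything that is not a plain id,
    // then add the new id and remove duplicates.
    $ids = [];
    foreach ($groups as $g) {
        if (is_int($g) || (is_string($g) && ctype_digit($g))) {
            $ids[] = (int) $g;
        }
    }
    $ids[] = $groupId;

    return serialize(array_values(array_unique($ids)));
}

// Constructed sample blob: a member already in groups 1 and 3.
$existing = serialize(['1', '3']);
echo addGroupToBlob($existing, 5), "\n"; // group 5 appended
echo addGroupToBlob($existing, 3), "\n"; // already a member, no duplicate
echo addGroupToBlob(null, 5), "\n";      // member without any groups yet
```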

  9. #9
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Wow, thank you all a huge load!

    It now works the way I wanted it to.

    It can be found as au-extAuth in the repository.

  10. #10
    Experienced user
    Join Date
    06-20-09.
    Posts
    1,311

    Re: External Authentication

    :D

  11. #11
    User
    Join Date
    08-07-09.
    Location
    Kent, United Kingdom
    Posts
    92

    Re: External Authentication

    Hadn't noticed the checkCredentials hook too much before, might modify my Authentication class to use this instead of having to do a patch on the core.

    Did anyone ever fully implement OpenID?

  12. #12
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Hrm... it could be possible, but I doubt it...

    because with openID you don't enter the userID and password on the contao site but into a window from your ID-Provider.

    Maybe if you made a hack with hiding input fields for username and password, and the user just clicking on "login".
    Then the hooks would get called...

    best regards

    kruemi

  13. #13
    User
    Join Date
    08-07-09.
    Location
    Kent, United Kingdom
    Posts
    92

    Re: External Authentication

    I had begun the OpenID implementation, my http://www.contao.org/extension-list...ion.19.en.html Authentication module I had to add new code to User.php but I will see how much I can rip out.

    I reckon given that hook and a custom ModuleLogin could do it, I see another Facebook Connect module has popped up and probably follows the similar pattern.

    My authentication module was a start at providing the ability to provide multiple authentication methods depending on different data sources and such.

    I need to however keep it up to date with Contao, something which I'm in a better position to do now.

  14. #14
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    I've seen these discussions (with openID and changes to the core)

    I've used an LDAP-Auth-Plugin to learn how to integrate with contao (I do still not fully understand everything in dca/)... And I also took a look at the facebook plugin.
    I think, I snapped up the user-creation-stuff there. But I still hope to find some code to add users without having to directly access the database. Because, as soon as someone extends the user database, my plugin breaks!

    I'm looking at the api-documentation right now. /controller/classes/ModuleUser seems promising. But I have no clue, how to use that information :-(

    best

    Marco

  15. #15
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Please don't accuse me of spamming...

    I've just found the function
    createNewUser($arrUser) in ModuleRegistration.php (line 332)
    Code:
            /**
             * Create a new user and redirect
             * @param array
             */
            protected function createNewUser($arrData)
    If I used this function, I would just have to activate the user in a next step (via the "createNewUser" hook).

    But how can I use a method which is declared as protected?

    best regards

    kruemi

  16. #16
    Experienced user
    Join Date
    08-21-09.
    Posts
    563

    Re: External Authentication

    Unless I'm misunderstanding (which wouldn't be the first time)...

    If you're using the "createNewUser" hook, you have to specify a class and a method anyway.

    That hook class can extend "ModuleRegistration", and then you should be able to call it from within your hook method.

    Code:
    class ModuleRegistrationExternal extends ModuleRegistration
    {
        public function createNewUserExternal($intId, $arrData)
        {
            // You should be able to call ModuleRegistration::createNewUser() from here...
        }
    }
    If not, maybe this is still at least a little helpful...
    Brian

  17. #17
    User
    Join Date
    08-07-09.
    Location
    Kent, United Kingdom
    Posts
    92

    Re: External Authentication

    Just regarding public/protected/private, to use a protected method you must be calling it from either within the class or from within an extension of that class.

    So let's say you extended a class, ie we had:
    Code:
    class alpha extends Controller{
          protected function one(){
         }
    }
    You wouldn't be able to call alpha::one from an instance of alpha.

    If you defined:
    Code:
    class beta extends alpha{
        protected function two(){
            $this->one();
        }
    }
    You would be able to call one from within beta.

    Hope this helps.

    Quote Originally Posted by kruemi
    Please don't accuse me of spamming...

    I've just found the function
    createNewUser($arrUser) in ModuleRegistration.php (line 332)
    Code:
            /**
             * Create a new user and redirect
             * @param array
             */
            protected function createNewUser($arrData)
    If I used this function, I would just have to activate the user in a next step (via the "createNewUser" hook).

    But how can I use a method which is declared as protected?

    best regards

    kruemi

  18. #18
    New user
    Join Date
    11-04-11.
    Location
    Switzerland
    Posts
    12

    Re: External Authentication

    Thank you all for your input... It's been a great help.

    Upon looking at the code of the method in question I stepped back from using it.

    Basically all it does is write an array (which has to be built and filled by the calling function) to the database. So I would have to build the array according to the database structure myself...
    So I see no big difference in filling my data directly into the database or creating an array that mirrors the structure of the table. Both ways will break as soon as something in the table layout changes.

    again: thanx for all the help!

    kruemi
