Patching OneOrZero Helpdesk Software (PHP/MySQL) to Support Multiple LDAP Base DN records in Novell NDS

This article demonstrates a working configuration of OneOrZero helpdesk that was set up to authenticate to Novell NDS via LDAP. I wrote a simple patch for OneOrZero that is designed to accept multiple Base DN records and search through each record for the requested username (uid).

Configuring OneOrZero to Authenticate to Novell NDS via LDAP

First, I should describe the customer’s tree. When viewing the tree from within Console One, I see something similar to the following:

NDS
 ROOTNAME
   Container1
     User1
   Container2
     User2
     User3
     User4
   Container3
     User5
     User6

Unfortunately, OneOrZero is not compatible with this tree design. Instead, OneOrZero expects a tree design similar to the following. While the following is the recommended way of configuring an NDS tree, I occasionally see trees structured without a Base Container.

NDS
 ROOTNAME
   BaseContainer
     Container1
       User1
     Container2
       User2
       User3
       User4
     Container3
       User5
       User6

Here is the LDAP portion of the configuration file (configuration/website_settings.php) for the first example. This configuration should work for anyone using Novell eDirectory 8.7 with modifications only to ‘ldap_host’ and ‘ldap_rootdn’. This configuration does not require an ‘ldap_domain’ since this setting is only required for Active Directory. This config does not require an ‘ldap_binddn’ or an ‘ldap_bindpwd’ since these settings are not required for anonymous binding to the LDAP directory. If the tree had been created with a base container as shown in the second NDS example, I would change the ‘ldap_rootdn’ from ‘o=container1’ to ‘o=basecontainer’.

auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"

Patching OneOrZero to Search for Username in Multiple Root DN records

When using a tree structure similar to the first NDS example, this configuration will only allow users within Container1 to access the OneOrZero helpdesk website. I have written the following patch (for common/common.php) that will allow OneOrZero to accept multiple ‘ldap_rootdn’ records and will search through each Root DN for the username that is attempting to authenticate.

[root@web html]# diff common/common.php common/common.php.orig
167,186d166
<     // 2006-07-25 : dni/jrk
<     // OoZ Patch : Support for multiple Root DN records, separated by ";" delimiter
<     // without modifying existing lines of code.  Could do better job of recycling
<     // data retrieved from LDAP.  We currently discard data and query a second time
<     // using the original code to search the correct Base DN.
<
<     // If delimiter ";" exists in 'ldap_rootdn' setting, search for username in each DN
<     if ( strpos($ldap_rootdn , ";") ) {
<       $ldap_rootdn_recs = explode(";",$ldap_rootdn);
<       foreach( $ldap_rootdn_recs as $ldap_rootdn ) {
<           $sr = ldap_search($ldapconn, $ldap_rootdn, $filter, $justthese);
<           $info = ldap_get_entries($ldapconn, $sr);
<           if ( (!(!sr)) && ($info["count"] > 0) ) {
<               // Username exists in current DN.  Stop searching and use this DN.
<               break;
<           }
<       }
<     }
<     unset( $sr , $info , $ldap_rootdn_recs , $ldap_rootdn_rec );
<
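Review bot: the match test `if ( (!(!sr)) && ($info["count"] > 0) )` references the bare constant `sr` rather than the variable `$sr`, so `!(!sr)` is always true and a failed `ldap_search()` (which returns false for an invalid base DN) is passed straight into `ldap_get_entries()` on the preceding line. Suggest `$sr = @ldap_search(...)`, then `if ($sr !== false) { $info = ldap_get_entries(...); if ($info["count"] > 0) break; }`. Two smaller points in the same hunk: `if ( strpos($ldap_rootdn , ";") )` should compare `!== false`, since a leading ";" returns 0 and skips the multi-DN path; and when no container matches, `foreach` leaves `$ldap_rootdn` set to the last record, which the unmodified code below then searches again, so a comment stating that this fallback is intended (the login fails on the second search) would help the next maintainer.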

The diff above shows you that the following lines were added to common.php starting at line 167. If you back up your common.php file and run a similar diff command after patching the file, you should receive similar output.

The LDAP section of the OneOrZero configuration was changed as follows to provide multiple Root DN records. When used in conjunction with the patch shown above, this new setting will cause OneOrZero to search for the username within each container listed (Container1, Container2, Container3, etc.). Although the containers could be listed in any order, you should list containers with the most users first (for performance reasons), since the containers will be searched in the order listed until a username is found.

auth_method = "LDAP"
ldap_host = "10.128.1.1"
ldap_domain = ""
ldap_binddn = ""
ldap_bindpwd = ""
ldap_rootdn = "o=container2;o=container3;o=container1"
ldap_searchattr = "uid"
ldap_fname = "givenname"
ldap_lname = "sn"
ldap_uname = "uid"
ldap_email_add = "mail"
ldap_office = "l"
ldap_phone = "telephonenumber"
ldap_context = "dn"
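The ordered search that the patch and the ‘ldap_rootdn’ setting above describe, written as a standalone PHP function so the edge cases can be checked without a directory server. This is an added example, not OneOrZero code; the search callable, the in-memory tree and the uid are constructed stand-ins for ldap_search()/ldap_get_entries() against the live $ldapconn.

```php
<?php
// Added example (not OneOrZero's code): first-match search across the
// ";"-separated Root DN list from website_settings.php.
// $search(string $dn) returns false on an LDAP error (as ldap_search() does)
// or the number of entries found under $dn.

/**
 * Return the first base DN in which the user is found, or null if none match.
 * A null result must be treated as "deny login", never as "use the last DN".
 */
function find_user_rootdn(string $ldap_rootdn, callable $search): ?string
{
    // explode()+trim covers a single DN, stray whitespace and empty segments,
    // so a leading or trailing ";" (strpos() === 0) no longer needs special-casing.
    $candidates = array_filter(array_map('trim', explode(';', $ldap_rootdn)));
    foreach ($candidates as $dn) {
        $count = $search($dn);
        if ($count === false) {
            continue;            // unknown base DN: skip it, try the next container
        }
        if ($count > 0) {
            return $dn;          // first match wins; order is the configured order
        }
    }
    return null;
}

// Constructed stand-in for the customer's tree (first NDS diagram above).
$tree = [
    'o=container1' => ['user1'],
    'o=container2' => ['user2', 'user3', 'user4'],
    'o=container3' => ['user5', 'user6'],
];
$uid = 'user5';   // constructed: the username attempting to authenticate
$search = function (string $dn) use ($tree, $uid) {
    if (!isset($tree[$dn])) {
        return false;            // mimics ldap_search() failing on a bad base DN
    }
    return in_array($uid, $tree[$dn], true) ? 1 : 0;
};

// In common.php the callable would instead wrap the real calls, e.g.
// $sr = @ldap_search($ldapconn, $dn, $filter, $justthese);
// return $sr === false ? false : ldap_get_entries($ldapconn, $sr)['count'];
$setting = "o=container2;o=container3;o=container1";
var_dump(find_user_rootdn($setting, $search));
var_dump(find_user_rootdn("o=container1;;o=nosuch", $search));
```

The second call shows both edge cases at once: the empty segment is dropped and the unknown container is skipped rather than aborting the search.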

LDAP Agent for Novell eDirectory 8.7.3.7 (10554.24)

OneOrZero v1.6.5.2 patch 2 (ooz_v165.zip) (ooz_v1652_patch_2.zip)

2006/07/25 – Jason Klein
