Open-AudIT

What's on your network?

All times are UTC + 10 hours




Posted: Mon Feb 18, 2013 6:15 pm
Newbie

Joined: Thu Mar 02, 2006 12:41 am
Posts: 33
Possibly been asked/answered already - is there any scope for LDAP (Windows AD) login in OAv2 like there is in v1?
If so, how is this configured?

Thanks


Post subject: Re: OAv2 LDAP Login ?
Posted: Mon Feb 18, 2013 9:50 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Menu -> Admin -> Config should do the trick.

_________________
Support and Development hours available from Opmantek.
Please consider a purchase to help make Open-AudIT better for everyone.


Post subject: Re: OAv2 LDAP Login ?
Posted: Mon Feb 18, 2013 10:05 pm
Newbie

Joined: Thu Mar 02, 2006 12:41 am
Posts: 33
I already have that, thanks Mark.
What I mean is how can I change the authentication so it uses LDAP to log in, and not the usual "admin" username?


Post subject: Re: OAv2 LDAP Login ?
Posted: Wed Feb 20, 2013 2:31 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1225
It may be on the list but this is not possible with Open Audit v2 at this time.


Post subject: Re: OAv2 LDAP Login ?
Posted: Wed Feb 20, 2013 2:52 am
Newbie

Joined: Thu Mar 02, 2006 12:41 am
Posts: 33
Thought so - thanks


Post subject: Re: OAv2 LDAP Login ?
Posted: Wed Feb 20, 2013 12:03 pm
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
mcutting wrote:
What I mean is how can I change the authentication so it uses LDAP to log in, and not the usual "admin" username?

Do you mean LDAP as opposed to Active Directory?
There has to be a link between LDAP or Active Directory and Open-AudIT.
The username is it.
If you want to get rid of the Open-AudIT admin user just create another user, use your LDAP or AD name, make sure it has "User is admin" ticked and you should be good to go... Admittedly I have not tried this :lol:

Post subject: Re: OAv2 LDAP Login ?
Posted: Wed Feb 20, 2013 3:32 pm
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1225
Sorry, when I said "it's on the list" I really meant to say "it is on the list but it's been checked off!" I set ad_domain and ad_server in Admin - Config. Then created a user in Admin - Users - Add a user with my Active Directory username. I was able to log on to OpenAudit using my AD user and AD password without ever having the AD password entered in OpenAudit.

Unfortunately, there is a huge bug in the authentication logic and you can also log in with no password at all! Mark, you need to review m_userlogin.php lines 28 and 29. They're not doing what you want. Probably should review the whole of validate_user to make it a bit more robust.

Probably want something more like this but I'm not a coder.
Code:
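// Run the user lookup query
$query = $this->db->query($sql, $data);

// Only continue when the lookup actually returned a row
if ($query->num_rows() > 0)
{
   foreach ($query->result() as $row)
   {
      $user_id = $row->user_id;
      // .......... (rest elided in the original post)
   }
}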
 


Post subject: Re: OAv2 LDAP Login ?
Posted: Wed Feb 20, 2013 6:13 pm
Newbie

Joined: Thu Mar 02, 2006 12:41 am
Posts: 33
jpa wrote:
Sorry, when I said "it's on the list" I really meant to say "it is on the list but it's been checked off!" I set ad_domain and ad_server in Admin - Config. Then created a user in Admin - Users - Add a user with my Active Directory username. I was able to log on to OpenAudit using my AD user and AD password without ever having the AD password entered in OpenAudit.

Unfortunately, there is a huge bug in the authentication logic and you can also log in with no password at all! Mark, you need to review m_userlogin.php lines 28 and 29. They're not doing what you want. Probably should review the whole of validate_user to make it a bit more robust.

Probably want something more like this but I'm not a coder.
Code:
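// Run the user lookup query
$query = $this->db->query($sql, $data);

// Only continue when the lookup actually returned a row
if ($query->num_rows() > 0)
{
   foreach ($query->result() as $row)
   {
      $user_id = $row->user_id;
      // .......... (rest elided in the original post)
   }
}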
 


I agree - it seems to work fine, but you can also use a blank password - there is no check against AD for authentication. Easily fixed, but missing. Another thing missing is the ability to copy a user based on another, or create one from a template.


Post subject: Re: OAv2 LDAP Login ?
Posted: Thu Feb 21, 2013 5:19 am
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1225
I'm wrong again. There is an authentication check against AD, but it always succeeds with a blank password because ldap_bind with a valid username and empty password does an anonymous bind, which always succeeds. Line 65 in login.php always succeeds when given a valid AD user and no password in line 64 because of this.

Now that we're past the login check, if the user exists in Open Audit then we successfully call session->set_userdata at line 67, and when we redirect we're in. If the user doesn't exist in OpenAudit then the set_userdata stuff doesn't work as expected, and when we redirect we're forced to authenticate again. This is also why, when you give an invalid username and empty password, you don't get the "invalid credentials" message below the login box.

I just checked and OAv1 has the same problem but it doesn't let you log in because its login routine is a bit different.

It would be nice for the next revision of this feature to enable SSL and port selection.
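
The behaviour described in the post above, as an added example that is not part of the original thread or Open-AudIT's own code: a login check that trusts the bind result alone, beside one that rejects empty credentials before binding. The function names, the `example.test` domain and the stub directory are assumptions, constructed so the example runs without an LDAP server.

```php
<?php
// Added example: every name below is hypothetical, not Open-AudIT's code.

/**
 * Constructed stand-in for a directory server so the example runs offline.
 * As the post describes, a bind with an empty password is treated as an
 * anonymous bind and succeeds, whatever user name is supplied.
 */
function stub_bind(string $bindName, string $password): bool
{
    $directory = ['alice@example.test' => 'correct horse'];   // constructed data
    if ($password === '') {
        return true;                      // anonymous bind: always "succeeds"
    }
    return isset($directory[$bindName])
        && hash_equals($directory[$bindName], $password);
}

/** Flawed check: a successful bind plus a local user row is taken as proof. */
function login_flawed(string $user, string $pass, array $localUsers, callable $bind): bool
{
    return $bind($user . '@example.test', $pass) && in_array($user, $localUsers, true);
}

/** Hardened check: empty credentials are refused before any bind is attempted. */
function login_hardened(string $user, string $pass, array $localUsers, callable $bind): bool
{
    if ($user === '' || $pass === '') {
        return false;                     // never send an empty password to the server
    }
    if (!in_array($user, $localUsers, true)) {
        return false;                     // must also be a known application user
    }
    return $bind($user . '@example.test', $pass);
}

$localUsers = ['alice'];                  // constructed application user table
$cases = [['alice', 'correct horse'], ['alice', ''], ['alice', 'wrong'], ['bob', '']];
foreach ($cases as [$u, $p]) {
    printf("%-6s %-16s flawed=%-5s hardened=%s\n", $u, var_export($p, true),
        var_export(login_flawed($u, $p, $localUsers, 'stub_bind'), true),
        var_export(login_hardened($u, $p, $localUsers, 'stub_bind'), true));
}
```

In a real deployment `$bind` would wrap PHP's `ldap_bind()`; the empty-password guard belongs in the application because the directory server reports such a bind as successful.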


Post subject: Re: OAv2 LDAP Login ?
Posted: Thu Feb 21, 2013 9:14 am
Site Admin

Joined: Mon Jun 07, 2004 11:48 am
Posts: 1933
Location: Brisbane, Australia
Thanks guys. Fixed for the next release.
I'm busy enabling auditing from the web interface at the moment.
When that's complete, v1.0 will be released :D
