Hello,
Due to the Netlogon vulnerability in Active Directory, Microsoft will be enforcing secure authentication on all domain controllers starting Tuesday, Feb 9, 2021.
I am using Timetracker version 1.19 and currently connecting to AD without secure authentication. How can I configure Timetracker to connect to AD securely? Please see below my current config.
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => '10.x.x.x', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
Secure authentication using Active Directory
Re: Secure authentication using Active Directory
If what you want to do is to use LDAPS protocol instead of LDAP, you may consider introducing a port to configuration parameters, and also to modify ldap_connect call in WEB-INF/lib/auth/Auth_ldap.class.php so that it uses https and also a different port to connect to your AD.
Hope it helps.
Re: Secure authentication using Active Directory
Thank you Peter. A colleague fixed the issue. Below is what we had to do.
Config.php
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => 'ldaps://servername.xxx.org:636', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
Auth_ldap.class.php
Copy the CA certificates to a folder on the server, say C:\SSL.
Add the following to the Auth_ldap.class.php and put it above the other ldap_set_options.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, 'C:\\SSL');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\\SSL\\certname.cer');
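The post above sets the CA options but says nothing about whether the library actually verifies the domain controller's certificate. As an added example (not Time Tracker's own code, and not what the poster's colleague wrote), here is a stand-alone PHP routine that does the same LDAPS connection with verification demanded, refuses to fall back to cleartext ldap://, and then binds as the user. The hostname dc01.example.com, the CA path /etc/ssl/certs/corp-root-ca.pem, the base DN and the domain are placeholders assumed for illustration.

```php
<?php
// Added example, not Time Tracker code. Connect to Active Directory over LDAPS
// with the CA pinned and certificate verification enforced, then bind as a user.
// All hostnames, paths and DNs below are assumed placeholders.

declare(strict_types=1);

$params = [
    'server'         => 'ldaps://dc01.example.com:636',      // assumed DC hostname
    'base_dn'        => 'DC=example,DC=com',
    'default_domain' => 'example.com',
    'tls_cacertfile' => '/etc/ssl/certs/corp-root-ca.pem',   // assumed CA bundle path
    'tls_cacertdir'  => null,
];

// Refuse anything that is not an ldaps:// URI. A bare hostname or ldap:// would
// silently fall back to a cleartext simple bind on port 389.
function assert_ldaps_uri(string $server): void
{
    if (stripos($server, 'ldaps://') !== 0) {
        throw new RuntimeException("Refusing non-LDAPS server URI: $server");
    }
}

// Open the LDAPS connection. The LDAP_OPT_X_TLS_* options are global OpenLDAP
// settings and must be set on a null handle before ldap_connect(); setting them
// on the link after the TLS session exists has no effect.
function ldaps_connect(array $p)
{
    assert_ldaps_uri($p['server']);

    if (!empty($p['tls_cacertfile'])) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $p['tls_cacertfile']);
    }
    if (!empty($p['tls_cacertdir'])) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $p['tls_cacertdir']);
    }
    // LDAP_X_TLS_DEMAND: abort the handshake if the DC certificate does not chain
    // to the configured CA or its name does not match the URI hostname.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_X_TLS_DEMAND);

    $conn = ldap_connect($p['server']);
    if ($conn === false) {
        throw new RuntimeException('ldap_connect() rejected the server URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// Authenticate with a simple bind inside the TLS session and return the user's
// DN, or null on failure. The password only leaves the host inside TLS.
function ldaps_authenticate(array $p, string $username, string $password): ?string
{
    // An empty password is an unauthenticated bind, which AD reports as success
    // by default, so it must be rejected before it reaches the server.
    if ($password === '') {
        return null;
    }

    $conn = ldaps_connect($p);
    $upn  = (strpos($username, '@') !== false)
          ? $username
          : $username . '@' . $p['default_domain'];

    // Log the real reason (bad credentials or a TLS failure) server-side only.
    if (@ldap_bind($conn, $upn, $password) === false) {
        error_log('LDAPS bind failed for ' . $upn . ': ' . ldap_error($conn));
        ldap_unbind($conn);
        return null;
    }

    // Escape the user-supplied value before placing it in a filter (LDAP injection).
    $filter  = '(&(objectClass=user)(userPrincipalName='
             . ldap_escape($upn, '', LDAP_ESCAPE_FILTER) . '))';
    $res     = ldap_search($conn, $p['base_dn'], $filter, ['distinguishedName']);
    $entries = ($res !== false) ? ldap_get_entries($conn, $res) : ['count' => 0];
    ldap_unbind($conn);

    return ($entries['count'] > 0) ? $entries[0]['dn'] : null;
}

// Usage:
// $dn = ldaps_authenticate($params, 'jdoe', $_POST['password'] ?? '');
// echo ($dn === null) ? "login rejected\n" : "authenticated as $dn\n";
```

Two points worth checking when adapting this: on Windows, pass the CA path with doubled backslashes as the posts above do, and confirm that the certificate the DC presents actually chains to the file you pinned, otherwise LDAP_X_TLS_DEMAND will make every bind fail rather than silently succeed.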
Re: Secure authentication using Active Directory
I added a possibility to specify LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE options in Time Tracker 1.19.28.5433. Below is an example of authentication parameters for Windows Active Directory.
Hope it helps. If things do not work properly please let me know.
// Configuration example for Windows domains with Active Directory:
// define('AUTH_MODULE', 'ldap');
// $GLOBALS['AUTH_MODULE_PARAMS'] = array(
// 'server' => '127.0.0.1', // Domain controller IP address or name. For secure LDAP use ldaps://hostname:port here.
// 'type' => 'ad', // Type of server.
// 'base_dn' => 'DC=example,DC=com', // Base distinguished name in LDAP catalog.
// 'default_domain' => 'example.com', // Default domain.
// 'tls_cacertdir' => null, // Path to a directory containing CA certificates for secure ldap.
// 'tls_cacertfile' => null, // CA certificate file name for secure ldap.
// 'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
// Leave it empty if membership is not necessary. Otherwise list CN parts only.
// For example:
// array('Ldap Testers') means that the user must be a member of the Ldap Testers group.
// array('Ldap Testers', 'Ldap Users') means the user must be a member of both Ldap Testers and Ldap Users groups.