Secure authentication using Active Directory
Posted: Wed Feb 03, 2021 9:22 pm
by adminhp
Hello,
Due to the Netlogon vulnerability in Active Directory, Microsoft will be enforcing secure authentication on all domain controllers starting Tuesday, Feb 9, 2021.
I am using Timetracker version 1.19 and currently connecting to AD without secure authentication. How can I configure Timetracker to connect to AD securely? Please see below my current config.
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => '10.x.x.x', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
Re: Secure authentication using Active Directory
Posted: Thu Feb 04, 2021 8:38 pm
by peter
adminhp wrote: Wed Feb 03, 2021 9:22 pm
How can I configure Timetracker to connect to AD securely?
If what you want to do is to use the LDAPS protocol instead of LDAP, you may consider introducing a port to the configuration parameters, and also modifying the ldap_connect call in WEB-INF/lib/auth/Auth_ldap.class.php so that it uses https and also a different port to connect to your AD.
Hope it helps.
Re: Secure authentication using Active Directory
Posted: Thu Feb 04, 2021 9:22 pm
by adminhp
Thank you Peter. A colleague fixed the issue. Below is what we had to do.
Config.php
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => 'ldaps://servername.xxx.org:636', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
Auth_ldap.class.php
Copy the CA certificates to a folder on the server, say C:\SSL.
Add the following to Auth_ldap.class.php and put it above the other ldap_set_option calls.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, 'C:\\SSL');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\\SSL\\certname.cer');
Re: Secure authentication using Active Directory
Posted: Tue Apr 13, 2021 10:58 pm
by Nik
I added the possibility to specify the LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE options in Time Tracker 1.19.28.5433. Below is an example of authentication parameters for Windows Active Directory.
// Configuration example for Windows domains with Active Directory:
// define('AUTH_MODULE', 'ldap');
// $GLOBALS['AUTH_MODULE_PARAMS'] = array(
// 'server' => '127.0.0.1', // Domain controller IP address or name. For secure LDAP use ldaps://hostname:port here.
// 'type' => 'ad', // Type of server.
// 'base_dn' => 'DC=example,DC=com', // Base distinguished name in LDAP catalog.
// 'default_domain' => 'example.com', // Default domain.
// 'tls_cacertdir' => null, // Path to a directory containing CA certificates for secure ldap.
// 'tls_cacertfile' => null, // CA certificate file name for secure ldap.
// 'member_of' => array()); // List of groups, membership in which is required for user to be authenticated.
// Leave it empty if membership is not necessary. Otherwise list CN parts only.
// For example:
// array('Ldap Testers') means that the user must be a member of the Ldap Testers group.
// array('Ldap Testers', 'Ldap Users') means the user must be a member of both Ldap Testers and Ldap Users groups.
Hope it helps. If things do not work properly please let me know.
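As an added example (not Time Tracker's own code and not code posted by anyone in this thread), here is a stand-alone PHP function that applies the settings from adminhp's fix and Nik's parameter list: the TLS CA options are set globally before ldap_connect, the server certificate is demanded rather than merely offered, and the bind is done over the ldaps:// session. The function names, the placeholder hostname and the certificate paths are assumptions taken from the thread's own examples.

```php
<?php
// Added example: verified LDAPS connection to Active Directory built from an
// AUTH_MODULE_PARAMS-style array. Needs ext/ldap with TLS support (PHP >= 7.1
// for the LDAP_OPT_X_TLS_* constants).

function ad_ldaps_connect(array $p)
{
    // TLS options are global: set them with a null link BEFORE ldap_connect(),
    // which is why the thread puts them above the other ldap_set_option calls.
    if (!empty($p['tls_cacertdir'])) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $p['tls_cacertdir']);
    }
    if (!empty($p['tls_cacertfile'])) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $p['tls_cacertfile']);
    }
    // Require a certificate that chains to the CA above and matches the host.
    // Do not "fix" a handshake failure by switching this to LDAP_OPT_X_TLS_NEVER.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The host part must match the DC certificate's name; an IP address here
    // fails host verification even with a valid CA (hence the change from
    // '10.x.x.x' to 'ldaps://servername...' in the thread).
    if (strpos($p['server'], 'ldaps://') !== 0) {
        throw new RuntimeException("server must be an ldaps:// URI: {$p['server']}");
    }
    $ds = ldap_connect($p['server']);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD referrals stall binds if chased.
    return $ds;
}

// Simple bind as user@domain over the TLS-protected session.
function ad_authenticate(array $p, $login, $password)
{
    if ($password === '') {
        return false; // An empty password is an anonymous bind, never a login.
    }
    $ds = ad_ldaps_connect($p);
    $ok = @ldap_bind($ds, $login . '@' . $p['default_domain'], $password);
    ldap_unbind($ds);
    return $ok;
}

// Constructed parameters mirroring the thread's config (placeholder values).
$params = array(
    'server'         => 'ldaps://servername.xxx.org:636',
    'type'           => 'ad',
    'base_dn'        => 'DC=xxx,DC=org',
    'default_domain' => 'xxx.org',
    'tls_cacertdir'  => 'C:\\SSL',
    'tls_cacertfile' => 'C:\\SSL\\certname.cer',
);
var_dump(ad_authenticate($params, 'jdoe', getenv('AD_PASSWORD') ?: ''));
```

If the bind fails with a TLS error, ldap_error($ds) on the link reports the reason; that is the point to check the CA file and the hostname in the URI rather than to relax the certificate requirement.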