Secure authentication using Active Directory

Discussion forum about Anuko Time Tracker
adminhp
Posts: 20
Joined: Fri Oct 21, 2011 5:10 pm

Secure authentication using Active Directory

Post by adminhp » Wed Feb 03, 2021 9:22 pm

Hello,

Due to the Netlogon vulnerability in Active Directory, Microsoft will be enforcing secure authentication on all domain controllers starting Tuesday, Feb 9, 2021.

I am using Timetracker version 1.19 and currently connecting to AD without secure authentication. How can I configure Timetracker to connect to AD securely? Please see below my current config.

define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
    'server' => '10.x.x.x',          // Domain controller IP address or name.
    'type' => 'ad',                  // Type of server.
    'base_dn' => 'DC=xxx,DC=org',    // Base distinguished name in LDAP catalog.
    'default_domain' => 'xxx.org',   // Default domain.
    'member_of' => array());         // List of groups, membership in which is required for user to be authenticated.

peter
Posts: 88
Joined: Sat May 29, 2010 2:06 pm

Re: Secure authentication using Active Directory

Post by peter » Thu Feb 04, 2021 8:38 pm

adminhp wrote:
Wed Feb 03, 2021 9:22 pm
How can I configure Timetracker to connect to AD securely?
If what you want to do is to use the LDAPS protocol instead of LDAP, you may consider introducing a port to the configuration parameters, and also modifying the ldap_connect call in WEB-INF/lib/auth/Auth_ldap.class.php so that it uses https and a different port to connect to your AD.

Hope it helps.

adminhp
Posts: 20
Joined: Fri Oct 21, 2011 5:10 pm

Re: Secure authentication using Active Directory

Post by adminhp » Thu Feb 04, 2021 9:22 pm

Thank you Peter. A colleague fixed the issue. Below is what we had to do.

Config.php
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
    'server' => 'ldaps://servername.xxx.org:636', // Domain controller IP address or name.
    'type' => 'ad',                               // Type of server.
    'base_dn' => 'DC=xxx,DC=org',                 // Base distinguished name in LDAP catalog.
    'default_domain' => 'xxx.org',                // Default domain.
    'member_of' => array());                      // List of groups, membership in which is required for user to be authenticated.

Auth_ldap.class.php
Copy the CA certificates to a folder on the server, say C:\SSL.

Add the following to Auth_ldap.class.php and put it above the other ldap_set_option calls.

// Global TLS options (null connection): tell the LDAP client where to find the CA certificates.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, 'C:\\SSL');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\\SSL\\certname.cer');

Nik
Posts: 504
Joined: Wed May 26, 2010 5:55 pm

Re: Secure authentication using Active Directory

Post by Nik » Tue Apr 13, 2021 10:58 pm

I added a possibility to specify LDAP_OPT_X_TLS_CACERTDIR and LDAP_OPT_X_TLS_CACERTFILE options in Time Tracker 1.19.28.5433. Below is an example of authentication parameters for Windows Active Directory.


// Configuration example for Windows domains with Active Directory:
// define('AUTH_MODULE', 'ldap');
// $GLOBALS['AUTH_MODULE_PARAMS'] = array(
//  'server' => '127.0.0.1',            // Domain controller IP address or name. For secure LDAP use ldaps://hostname:port here.
//  'type' => 'ad',                     // Type of server.
//  'base_dn' => 'DC=example,DC=com',   // Base distinguished name in LDAP catalog.
//  'default_domain' => 'example.com',  // Default domain.
//  'tls_cacertdir' => null,            // Path to a directory containing CA certificates for secure ldap.
//  'tls_cacertfile' => null,           // CA certificate file name for secure ldap.
//  'member_of' => array());            // List of groups, membership in which is required for user to be authenticated.
                                        // Leave it empty if membership is not necessary. Otherwise list CN parts only.
                                        // For example:
                                        // array('Ldap Testers') means that the user must be a member Ldap Testers group.
                                        // array('Ldap Testers', 'Ldap Users') means the user must be a member of both Ldap Testers and Ldap Users groups.
Hope it helps. If things do not work properly please let me know.
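The two posts above (adminhp's ldap_set_option lines and Nik's tls_cacertdir / tls_cacertfile parameters) leave out one check a practitioner wants: the client must also be told to reject an untrusted certificate, otherwise LDAPS encrypts the session without authenticating the domain controller. The following is an added example and not Time Tracker's own Auth_ldap code; the host name, base DN, domain and certificate paths are placeholders, and the parameter names mirror the 1.19.28.5433 configuration only for readability.

```php
<?php
// Added example: an LDAPS bind against Active Directory that verifies the
// domain controller's certificate. Not Time Tracker code; all names below
// are placeholders.

declare(strict_types=1);

/**
 * Authenticate $username / $password against AD over LDAPS.
 * Returns true on a successful, certificate-verified bind, false otherwise.
 */
function adLdapsAuth(string $username, string $password, array $params): bool
{
    // AD can treat a bind with an empty password as an unauthenticated bind
    // that "succeeds"; never let that count as a login.
    if ($username === '' || $password === '') {
        return false;
    }

    // TLS options set with a null connection are process-global in
    // OpenLDAP-based PHP builds and must be set BEFORE ldap_connect();
    // setting them on an existing handle afterwards has no effect.
    if (!empty($params['tls_cacertfile'])) {
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $params['tls_cacertfile']);
    }
    if (!empty($params['tls_cacertdir'])) {
        // A CA directory is only searched by OpenSSL subject-hash file names
        // (c_rehash / openssl rehash); a single PEM/CER file is simpler.
        ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, $params['tls_cacertdir']);
    }
    // Demand a certificate that chains to the CA above and matches the host.
    // LDAP_OPT_X_TLS_NEVER or LDAP_OPT_X_TLS_ALLOW would give an encrypted but
    // unauthenticated channel that an attacker on the path could terminate.
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The URI form selects LDAPS; a bare host name would fall back to plain
    // LDAP on 389, which is exactly what the thread is trying to move away from.
    $conn = ldap_connect($params['server']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers searches with referrals; chasing them over a new, possibly
    // plaintext, connection is unwanted.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with a UPN (user@domain) so no DN lookup is needed before auth.
    $bindName = (strpos($username, '@') === false)
        ? $username . '@' . $params['default_domain']
        : $username;

    $ok = @ldap_bind($conn, $bindName, $password);
    if (!$ok) {
        // On a trust failure the text here names the TLS problem (e.g. the
        // CA file was not found or the certificate does not match the host).
        error_log('LDAP bind failed: ' . ldap_error($conn));
    }
    ldap_unbind($conn);
    return $ok;
}

// Placeholder configuration in the shape of the 1.19.28.5433 parameters.
$params = array(
    'server'         => 'ldaps://dc01.example.com:636',        // placeholder DC
    'default_domain' => 'example.com',                          // placeholder domain
    'tls_cacertfile' => '/etc/ssl/certs/example-root-ca.pem',   // placeholder CA file
    'tls_cacertdir'  => null,
);
// var_dump(adLdapsAuth('jdoe', 'correct horse battery staple', $params));
```

Before blaming PHP, confirm the endpoint and the CA file from the web server host with `openssl s_client -connect dc01.example.com:636 -CAfile /etc/ssl/certs/example-root-ca.pem` and check that the output ends with "Verify return code: 0 (ok)" and that the certificate's subject or SAN contains the host name used in the ldaps:// URI; a mismatch there is the usual reason a bind that worked over plain LDAP fails after the switch.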
