Secure authentication using Active Directory

Discussion forum about Anuko Time Tracker
adminhp
Posts: 20
Joined: Fri Oct 21, 2011 5:10 pm

Secure authentication using Active Directory

Post by adminhp » Wed Feb 03, 2021 9:22 pm

Hello,

Due to the Netlogon vulnerability in Active Directory, Microsoft will be enforcing secure authentication on all domain controllers starting Tuesday, Feb 9, 2021.

I am using Timetracker version 1.19 and currently connecting to AD without secure authentication. How can I configure Timetracker to connect to AD securely? Please see below my current config.

define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => '10.x.x.x', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authen

peter
Posts: 88
Joined: Sat May 29, 2010 2:06 pm

Re: Secure authentication using Active Directory

Post by peter » Thu Feb 04, 2021 8:38 pm

adminhp wrote:
Wed Feb 03, 2021 9:22 pm
How can I configure Timetracker to connect to AD securely?
If what you want to do is use the LDAPS protocol instead of LDAP, you may consider introducing a port in the configuration parameters, and also modifying the ldap_connect call in WEB-INF/lib/auth/Auth_ldap.class.php so that it uses https and also a different port to connect to your AD.

Hope it helps.

adminhp
Posts: 20
Joined: Fri Oct 21, 2011 5:10 pm

Re: Secure authentication using Active Directory

Post by adminhp » Thu Feb 04, 2021 9:22 pm

Thank you Peter. A colleague fixed the issue. Below is what we had to do.

Config.php
define('AUTH_MODULE', 'ldap');
$GLOBALS['AUTH_MODULE_PARAMS'] = array(
'server' => 'ldaps://servername.xxx.org:636', // Domain controller IP address or name.
'type' => 'ad', // Type of server.
'base_dn' => 'DC=xxx,DC=org', // Base distinguished name in LDAP catalog.
'default_domain' => 'xxx.org', // Default domain.
'member_of' => array()); // List of groups, membership in which is required for user to be authen

Auth_ldap.class.php
Copy CA certificates to a folder on the server, say C:\SSL.

Add the following to the Auth_ldap.class.php and put it above the other ldap_set_options.

ldap_set_option(null, LDAP_OPT_X_TLS_CACERTDIR, 'C:\\SSL');
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, 'C:\\SSL\\certname.cer');
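
As an added example that is not part of the original posts or of Time Tracker's code: a stand-alone PHP script that checks a 'server' value for the two things the fix above changed (ldaps:// scheme, host name instead of an IP address) and, when credentials are supplied, attempts a bind with certificate verification enforced. The host name and certificate path are the placeholders from the post; the 10.0.0.5 address and the LDAP_USER / LDAP_PASS environment variables are assumptions.

```php
<?php
// Added example: stand-alone LDAPS check, not Time Tracker code.

// Return a list of problems with an LDAP 'server' value (empty list = OK).
function check_ldap_uri(string $server): array {
    // A bare host or IP, as in the original config, means plain LDAP.
    $uri = strpos($server, '://') === false ? "ldap://$server" : $server;
    $parts = parse_url($uri);
    if ($parts === false || empty($parts['host'])) {
        return ["cannot parse '$server'"];
    }
    $problems = [];
    if (strtolower($parts['scheme']) !== 'ldaps') {
        $problems[] = 'not ldaps://, so the bind is not TLS-protected';
    }
    if (filter_var($parts['host'], FILTER_VALIDATE_IP) !== false) {
        $problems[] = 'IP address used; a DC certificate usually names the FQDN';
    }
    return $problems;
}

// Bind over LDAPS and refuse servers whose certificate does not verify.
function ldaps_bind_check(string $uri, string $caFile, string $user, string $pass): string {
    if ($pass === '') {
        return 'empty password refused (it would be an anonymous bind)';
    }
    if (!is_readable($caFile)) {
        return "CA file not readable: $caFile";
    }
    // TLS options are global and must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return 'ldap_connect rejected the URI';
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return @ldap_bind($conn, $user, $pass) ? 'bind OK over LDAPS' : 'bind failed: ' . ldap_error($conn);
}

// Constructed sample values: an IP-only server and the LDAPS URI from the post.
foreach (['10.0.0.5', 'ldaps://servername.xxx.org:636'] as $server) {
    $problems = check_ldap_uri($server);
    echo $server, ': ', $problems ? implode('; ', $problems) : 'OK', PHP_EOL;
}
// The live check runs only when credentials are supplied in the environment.
if (getenv('LDAP_USER') !== false && extension_loaded('ldap')) {
    echo ldaps_bind_check('ldaps://servername.xxx.org:636', 'C:\\SSL\\certname.cer',
        getenv('LDAP_USER'), (string) getenv('LDAP_PASS')), PHP_EOL;
}
```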
