Authentication support for IMAP or LDAP #52
Comments
Oh yeah, I opt for this as well. That'd be awesome!
Well I was interested as well in IMAP authentication, and a quick google search led me to the googlegroups sabredav discussion where some knowledgeable developer (Robert George, all credits go to him) posted a simple yet working solution.
Then, in cal.php, in the Backends section, you should replace the default PDO authentication as shown below:
After:
Notes:
I hope this will be of some help ;)
Thanks for posting a solution minami-o. This is exactly what I need to integrate Baikal with php-push2 (z-push). I can connect using imap_open in a test php script with something similar to this:
There's no error in apache log nor any sort of notification of an imap connection attempt in the imap logs. Any idea?
Hmm, can't get it to work. Basically I have adapted the code above to:
However, mostly everything fails. May it be cause of running nginx? I've placed whole baikal standard to
Apologies, didn't have much time to give, lately. On 2013-02-17 04:27, Michel wrote:
No need to apologize :) I got it working... had to use another port/options for IMAP connection :) Sometimes I still get "throw exception without stack trace", but it doesn't stop anything from working. :)
OK good news and good job! :) On 2013-02-20 17:25, Michel wrote:
Is this also working with CRAM-MD5?
@minami-o Can you fork Baikal, add the code and create a pull request?
Hi Rene, Good luck! Minami-o On 14 June 2014 18:37:37 UTC+02:00, Rene Bartsch notifications@github.com wrote:
Have a look at this pull request #204. I have tested it myself and it works, but wait for it to be officially added.
@jeromeschneider Will you add this pull request?
I'd really like LDAP support. It seems like #321 also is a FR for LDAP support.
It's now June of 2015 and I have rewritten the code for Baikal 0.2.7, still using Sabre with a DB table using username and digest A1 as an md5 hash of (username:realm:password). Using a Dovecot IMAP server authenticated against a 389 LDAP server, I can authenticate users with Baikal as Calendar and Contacts with LDAP accounts. Not easy, but it works fine.

The changes to files, using the format PATH: and CHANGES:

PATH: .../vendor/sabre/dav/lib/Sabre/DAV/Auth/Backend/IMAP.php [Needs to be created]

```php
<?php
namespace Sabre\DAV\Auth\Backend;

use Sabre\DAV;

/**
 * IMAP authenticator
 *
 * This is an authenticator backend using an IMAP Server authentication (as Dovecot).
 *
 * The backend IMAP must construct a digest based on a user + password valid connection
 * on the Sabre realm md5(
 *
 * Make sure your IMAP Server is properly configured for this to work.
 * And also after the construct needs to set the UserData (user,password)
 *
 * @copyright Copyright (C) 2015-? Guido based on Minami-O code.
 * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
 */
# getDigestHash() is the abstract method of AbstractDigest; extending
# AbstractBasic would require validateUserPass() and fail to load.
class IMAP extends AbstractDigest
{
    protected $imap_server;
    protected $pdo;
    protected $tableName;
    protected $username;
    protected $password;

    public function __construct($imap_server, \PDO $pdo, $tableName = 'users') {
        $this->imap_server = $imap_server;
        $this->pdo = $pdo;
        $this->tableName = $tableName;
    }

    public function setUserData($username, $password) {
        $this->username = $username;
        $this->password = $password;
        return;
    }

    public function getDigestHash($realm, $username) {
        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM '.$this->tableName.' WHERE username = ?');
        $stmt->execute(array($username));
        $result = $stmt->fetchAll(); # Searching username on PDO

        # imap_open() returns false on a failed login; it only throws when an
        # error handler converts PHP warnings into exceptions, so handle both.
        # The password comes from setUserData(); there is no local $password here.
        try {
            $imap = imap_open($this->imap_server, $username, $this->password, OP_HALFOPEN); # IMAP verification
        } catch (\Exception $e) {
            $imap = false;
        }
        if ($imap === false) { # User is not a valid IMAP account, checking against PDO
            if (!count($result))
                return;
            else
                return $result[0]['digesta1'];
        }
        imap_close($imap);
        $digesta1 = md5($username . ':' . $realm . ':' . $this->password);
#        if (!count($result)) { # If not Exist on database
#            Add user in PDO
#        } else {
#            $stmt = $this->pdo->prepare('REPLACE INTO users (username,digesta1) VALUES( ? , ? )');
#            $stmt->execute(array($username,$digesta1)); # Update username and digest1
#        }
        return $digesta1;
    }
}
```

---- end of file

PATH: .../Core/Frameworks/Baikal/Core/IMAPBasicAuth.php [Needs to be created]

```php
<?php
namespace Baikal\Core;

/**
 * This is an authentication backend that uses an IMAP Server to authenticate users and passwords.
 *
 * @copyright Copyright (C) 2015-? Guido . All rights reserved.
 * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
 */
class IMAPBasicAuth extends \Sabre\DAV\Auth\Backend\AbstractBasic {

    /**
     * Reference to IMAP Server
     *
     * @var string
     */
    protected $imap_server;

    /**
     * Reference to PDO connection
     *
     * @var PDO
     */
    protected $pdo;

    /**
     * Authentication realm
     *
     * @var string
     */
    protected $authRealm;

    /**
     * PDO table name we'll be using
     *
     * @var string
     */
    protected $tableName;

    /**
     * Creates the backend object.
     *
     * If the filename argument is passed in, it will parse out the specified file first.
     *
     * @param string $imap_server Connection to IMAP Server
     * @param PDO $pdo
     * @param string $tableName The PDO table name to use
     */
    public function __construct($imap_server, \PDO $pdo, $authRealm, $tableName = 'users') {
        $this->imap_server = $imap_server;
        $this->pdo = $pdo;
        $this->authRealm = $authRealm;
        $this->tableName = $tableName;
    }

    /**
     * Validates a username and password
     *
     * This method should return true or false depending on if login
     * succeeded.
     *
     * @param string $username
     * @param string $password
     * @return bool
     */
    public function validateUserPass($username, $password) {
        $stmt = $this->pdo->prepare('SELECT username, digesta1 FROM '.$this->tableName.' WHERE username = ?');
        $stmt->execute(array($username));
        $result = $stmt->fetchAll(); # Searching username on PDO
        $digesta1 = md5($username . ':' . $this->authRealm . ':' . $password);

        # imap_open() returns false on a failed login; it only throws when an
        # error handler converts PHP warnings into exceptions. Without the
        # explicit false check a rejected login would fall through to "return true".
        try {
            $imap = imap_open($this->imap_server, $username, $password, OP_HALFOPEN);
        } catch (\Exception $e) {
            $imap = false;
        }
        if ($imap === false) { # Failed access to IMAP, checking against PDO
            if (!count($result)) return false;
            # Strict comparison: with == two digests of the form "0e<digits>" compare equal as numbers
            if ($result[0]['digesta1'] === $digesta1)
            {
                $this->currentUser = $username;
                return true;
            }
            return false;
        }
        imap_close($imap);
#        if (!count($result)) { # if not exist on PDO
#            Add user and digesta1 on table
#        } else {
#            $stmt = $this->pdo->prepare('REPLACE INTO users (username,digesta1) VALUES( ? , ? )');
#            $stmt->execute(array($username,$digesta1)); # Update user and digesta1
#        }
        $this->currentUser = $username;
        return true;
    }
}
```

---- end of file

PATH: sftp://ccbas2/var/calendario-www/Core/Frameworks/Baikal/WWWRoot/

```php
# Backends
# Mailbox flags: /notls disables STARTTLS (the password crosses the IMAP connection
# in clear text) and /novalidate-cert skips certificate validation.
if( BAIKAL_DAV_AUTH_TYPE == "Basic" || preg_match('/Windows-Phone-WebDAV-Client/i', $_SERVER['HTTP_USER_AGENT']) ) {
    $authBackend = new \Baikal\Core\PDOBasicAuth($GLOBALS["DB"]->getPDO(), BAIKAL_AUTH_REALM);
} elseif ( BAIKAL_DAV_AUTH_TYPE == "IMAP" ) {
    $authBackend = new \Baikal\Core\IMAPBasicAuth("{localhost:143/imap/notls}",$GLOBALS["DB"]->getPDO(), BAIKAL_AUTH_REALM);
#    $authBackend = new \Sabre\DAV\Auth\Backend\IMAP("{localhost:993/imap/ssl/novalidate-cert}",$GLOBALS["DB"]->getPDO());
#    $authBackend = new \Sabre\DAV\Auth\Backend\IMAP("{localhost:143/imap/notls}",$GLOBALS["DB"]->getPDO());
} else
    $authBackend = new \Sabre\DAV\Auth\Backend\PDO($GLOBALS["DB"]->getPDO());
```

---- end fixing

Select the IMAP connecting type that works for you:

-- AND VERY IMPORTANT --- Please do this

PATH: .../Core/Frameworks/Baikal/Model/Config/Standard.php [Needs to be fixed]

```php
# in formMorphologyForThisModelInstance():
$oMorpho->add(new \Formal\Element\Listbox(array(
    "prop" => "BAIKAL_DAV_AUTH_TYPE",
    "label" => "WebDAV authentication type",
    "options" => array( "Basic","Digest","IMAP" ) #LDAP?
)));
```

And that's all, change it and you are ready to connect over IMAP (and LDAP if they are integrated). But to test it, take into account that the web interface is only for admin purposes, so other users can't use it. That's why you need to test if it works using URLs, as shown:

Enjoy the mod, and if someone wants to make the branch please give me the proper credits.
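Added example, not part of the thread and not Baikal or SabreDAV code: a sketch of the digest-caching step that the posted code leaves commented out, written so that the cached digest is consulted only when the IMAP server cannot be reached and never after it has rejected the password. The `$imapLogin` callable and its true/false/null convention, the function names, the realm string and the sample accounts are assumptions made so the script runs offline against an in-memory SQLite table (needs pdo_sqlite).

```php
<?php
// Added example: $imapLogin is a hypothetical stand-in for the imap_open() check.
// It returns true (accepted), false (rejected) or null (server unreachable).

function digestA1($username, $realm, $password) {
    return md5($username . ':' . $realm . ':' . $password);
}

function validateUser(callable $imapLogin, PDO $pdo, $realm, $username, $password) {
    $digest  = digestA1($username, $realm, $password);
    $outcome = $imapLogin($username, $password);

    if ($outcome === true) {
        // Cache the digest only after IMAP has accepted this password.
        $stmt = $pdo->prepare('REPLACE INTO users (username, digesta1) VALUES (?, ?)');
        $stmt->execute(array($username, $digest));
        return true;
    }
    if ($outcome === false) {
        // Explicit rejection: do not fall back, or an old password cached
        // before a password change would keep working.
        return false;
    }
    // IMAP unreachable: compare against the cached digest in constant time.
    $stmt = $pdo->prepare('SELECT digesta1 FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $cached = $stmt->fetchColumn();
    return is_string($cached) && hash_equals($cached, $digest);
}

// Constructed demo data: in-memory table with the column names used on this page.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, digesta1 TEXT)');

$imapUp   = function ($u, $p) { return $u === 'alice' && $p === 'correct horse'; };
$imapDown = function ($u, $p) { return null; };

$cases = array(
    array('IMAP up, right password',   $imapUp,   'alice',   'correct horse'),
    array('IMAP up, wrong password',   $imapUp,   'alice',   'wrong'),
    array('IMAP down, right password', $imapDown, 'alice',   'correct horse'),
    array('IMAP down, wrong password', $imapDown, 'alice',   'wrong'),
    array('IMAP down, unknown user',   $imapDown, 'mallory', 'x'),
);
foreach ($cases as $c) {
    $ok = validateUser($c[1], $pdo, 'BaikalDAV', $c[2], $c[3]);
    printf("%-28s %s\n", $c[0], $ok ? 'accepted' : 'denied');
}
```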
@GuidoRed Thanks! Could you maybe provide a pull request, so that we can integrate it in Baïkal?
Sorry, I'm not a git user fan, nor do I have the time.
@GuidoRed I rewrote your comment so that the code is properly displayed.
Thanks indeed, more clean and usable. Just do the same in the last part with the CalDAV and CardDAV URLs to show the hidden code.
Would it be usable to also write a pure LDAP authentication code?
@GuidoRed
I managed to get this working on my Synology server but just to make note that the address displayed above: sftp://ccbas2/var/calendario-www/Core/Frameworks/Baikal/WWWRoot/ is actually the root of the Baikal install so this: sftp://ccbas2/var/calendario-www/Core/Frameworks is not needed
This issue was moved to fruux/Baikal2#17
Authentication support for IMAP or LDAP for these backends makes it easier to maintain authentication centralized and maybe automatic creation of users can also be implemented on a successful authentication.