Authentication info - ldap

cfapress wrote on Wednesday, November 07, 2007:

Hi All,

I’d like OpenEMR to authenticate against our Active Directory server. I’ve been using the ADLDAP (http://adldap.sourceforge.net/) code successfully in other web based applications. I’d like to use it with OpenEMR. I’ve looked at the auth.inc code and it seems pretty easy to alter for use with ADLDAP. My question is…

What SESSION variables are stored during authentication that come into place elsewhere in the OpenEMR code?

I’m going to guess these are used:
$_SESSION['authUser'] = $user;
$_SESSION['authGroup'] = $authGroup['name'];
$_SESSION['authUserID'] = $authDB['id'];
$_SESSION['authPass'] = $pass;
$_SESSION['authProvider'] = $provider;
$_SESSION['authId'] = $authDB['id'];
$_SESSION['userauthorized'] = $authDB['authorized'];

Anything else I’m missing here?

Is it necessary to store the user’s password in a SESSION ?? It doesn’t seem smart to me.

Also, once I’ve successfully made OpenEMR authenticate against Active Directory’s LDAP I will post my results back to the developer community here. I can’t possibly be the only person who is interested in this.

Jason Morrill
IT Manager
Child & Family Agency
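The login shape the post is asking about, as an added example (not OpenEMR's auth.inc and not adLDAP's code): bind to the directory as the user, then fill the session values listed above from OpenEMR's own users table, and leave authPass out of the session entirely. It assumes a current PHP with the ldap extension, three hypothetical globals.php settings ($GLOBALS['ldap_uri'], $GLOBALS['ldap_upn_suffix'], $GLOBALS['ldap_base_dn']) and a PDO handle to the OpenEMR database whose users table has id, username and authorized columns.

```php
<?php
// Added example (not OpenEMR's auth.inc and not adLDAP's code). Assumed: PHP's
// ldap extension, hypothetical settings $GLOBALS['ldap_uri'],
// $GLOBALS['ldap_upn_suffix'] and $GLOBALS['ldap_base_dn'], and a PDO handle to
// the OpenEMR database whose users table has id, username and authorized.

// Authenticate by binding to the directory as the user. Returns true only if
// the server accepted the supplied password for that account.
function ldap_verify_password(string $user, string $pass): bool
{
    // A simple bind with an empty password is treated by many LDAP servers as
    // an anonymous bind and "succeeds", so refuse it before contacting the server.
    if ($user === '' || $pass === '') {
        return false;
    }
    // Keep the account name to the characters expected in sAMAccountName so it
    // is safe to embed in the bind name and in the search filter below.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $user)) {
        return false;
    }

    $conn = ldap_connect($GLOBALS['ldap_uri']);   // e.g. ldaps://dc.example.test (assumed value)
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Active Directory accepts user@domain as the bind name. The @ silences the
    // warning PHP raises for a rejected bind; the false return value is enough.
    $ok = @ldap_bind($conn, $user . '@' . $GLOBALS['ldap_upn_suffix'], $pass);
    if ($ok) {
        // Sanity check: the bound identity must resolve to exactly one user
        // object under the configured base DN.
        $filter = '(&(objectClass=user)(sAMAccountName='
                . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
        $res = ldap_search($conn, $GLOBALS['ldap_base_dn'], $filter, ['sAMAccountName']);
        $ok  = $res !== false && ldap_count_entries($conn, $res) === 1;
    }
    ldap_unbind($conn);
    return $ok;
}

// Log the user in: authentication comes from the directory, authorization from
// OpenEMR's own users table, which this thread keeps as the source of truth.
function ldap_login(PDO $pdo, string $user, string $pass): bool
{
    if (!ldap_verify_password($user, $pass)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT id, authorized FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $authDB = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($authDB === false) {
        return false;   // accepted by the directory but not provisioned in OpenEMR
    }

    // A fresh session id at the moment of login defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['authUser']       = $user;
    $_SESSION['authUserID']     = $authDB['id'];
    $_SESSION['authId']         = $authDB['id'];
    $_SESSION['userauthorized'] = $authDB['authorized'];
    $_SESSION['authProvider']   = 'ldap';   // assumed marker value; authGroup is set by the caller as before
    // Deliberately no $_SESSION['authPass']: the password was only needed for the
    // bind, and a session that carries it exposes the credential to anything
    // that can read the session store.
    return true;
}
```

The answer to the question in the post is visible in the second function: nothing after the bind needs the cleartext password, so the session only carries the user's identity and the authorization flag read from OpenEMR's table.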

sunsetsystems wrote on Wednesday, November 07, 2007:

Your assessment looks pretty reasonable to me, though I have not verified all of the session variables.

I’d suggest that you create one or more configuration parameters in globals.php to control your LDAP authentication option.

Thanks!

Rod
www.sunsetsystems.com

cfapress wrote on Thursday, November 08, 2007:

Rod,

I’ll take your advice about settings in globals.php. I plan to follow the coding standards used in the existing OpenEMR software when I make my updates. That way they could be integrated into future releases of this software.

Jason

cfapress wrote on Thursday, December 06, 2007:

I’ve made a few changes to the code on my server so it will authenticate against Active Directory on my Windows 2000 server. It uses adLDAP.php and a few minor code changes. Here is a list of the files I added/altered:

Files added/updated to permit adLDAP to work
for authentication purposes only
--------------------------------------------
./library/adLDAP.php
./library/adldap_auth.inc
./interface/main/main.php
./interface/main/main_info.php
./interface/usergroup/user_admin.php
./interface/globals.php
./interface/logout.php
./interface/main/myadmin/config.inc.php

Please note this is for AUTHENTICATION ONLY and not for authorization. I’m still relying upon the built-in Users table because it’s so embedded into everything. I will be writing a LDAPsync script that will sync my Windows users with the OpenEMR database without passwords. All authentication will still be done against the official Windows server.

Jason Morrill
IT Manager
Child & Family Agency

andres_paglayan wrote on Thursday, December 06, 2007:

sweet!!

cfapress wrote on Friday, December 07, 2007:

If this is something the OpenEMR community would want I could polish up this small work, include something about LDAP in the setup.php script, and check it into the CVS repository. But I would want a full confirmation from Rod at the very least.

Jason

sunsetsystems wrote on Friday, December 07, 2007:

Yes, that sounds great.  Please make sure that you are applying your changes against the latest module versions in CVS.  Thanks!

Rod
www.sunsetsystems.com

cfapress wrote on Wednesday, December 12, 2007:

Just an update on adLDAP progress:

I have a rudimentary process in the setup.php script to permit users to enter LDAP info when setting up OpenEMR for the first time. It needs refinement but it mostly works.

I have an adLDAPsync.php script which should be run as a cron job to keep the OpenEMR Users table in sync with the users in Active Directory. This is about 90% complete.

I’ve tried to write the code in keeping with the style of OpenEMR. I need to get at the CVS code base and see how my development merges with the latest code in the OpenEMR CVS.

More to come!
Jason Morrill

sunsetsystems wrote on Wednesday, December 12, 2007:

You should be able to get the latest code via "anonymous CVS access."  See:

https://sourceforge.net/cvs/?group_id=60081

If that doesn’t work, let me know and I’ll figure out a way to get it to you.

Rod
www.sunsetsystems.com

aperezcrespo wrote on Wednesday, December 12, 2007:

Hi
  Would this also work with any LDAP server?

Thanks
Alfonso

cfapress wrote on Friday, December 14, 2007:

This code base *should* work with any other LDAP server if you feed it the right parameters. However I only have Active Directory available for testing it out. Part of the code is relying upon the objectGUID attribute provided by Active Directory during the synchronization with the Users table in OpenEMR. This allows a username to change but retain its unique ID in the OpenEMR database.

hmmm…

<thinking out loud>
How does phpGACL work in authorization? Is its key the username or another unique identifier? I suppose if the key is the username then relying on the objectGUID is pointless in a sync between Active Directory and OpenEMR. So if the sync between AD and OpenEMR used the username as the key then it would become generic enough for any LDAP server. I think.
</thinking out loud>

My original intent was to keep my users all managed through Active Directory and not have to manage their account names and passwords in Windows *and* OpenEMR. My other internal web apps use adLDAP for authentication and authorization. Getting OpenEMR _authenticating_ against LDAP helps out.

I’ll do more consideration on this topic but I agree that being able to use **any** LDAP server would be good.

Jason
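The sync step this post describes (keep the OpenEMR users table matched to the directory, keyed on objectGUID so a renamed account keeps its row, and never copy a password), as an added example that is not the adLDAPsync.php script from the thread. It goes a little beyond the post by choosing the key generically: AD's binary objectGUID is converted to its string form, a server that exposes entryUUID (RFC 4530) uses that, and anything else falls back to the username as the key, which is the option the post considers. It assumes a PDO connection and a hypothetical extra column, ldap_guid, on the users table; the demo at the bottom uses an in-memory SQLite table that is constructed here and is not OpenEMR's schema.

```php
<?php
// Added example, not OpenEMR's adLDAPsync.php. Assumes a PDO connection and a
// hypothetical ldap_guid column on the users table that stores the directory key.

// Convert AD's 16-byte binary objectGUID into its canonical string form. The
// first three fields are stored little-endian, so their bytes are swapped.
function guid_bin_to_string(string $bin): string
{
    if (strlen($bin) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
    $h = bin2hex($bin);
    return sprintf('%s%s%s%s-%s%s-%s%s-%s-%s',
        substr($h, 6, 2), substr($h, 4, 2), substr($h, 2, 2), substr($h, 0, 2),
        substr($h, 10, 2), substr($h, 8, 2),
        substr($h, 14, 2), substr($h, 12, 2),
        substr($h, 16, 4),
        substr($h, 20, 12));
}

// Login name of an entry as returned by ldap_get_entries() (attribute names
// are lower-cased there): sAMAccountName on AD, uid elsewhere.
function entry_username(array $entry): string
{
    return strtolower($entry['samaccountname'][0] ?? $entry['uid'][0]);
}

// Stable identity key for an entry: objectGUID on AD, entryUUID where the
// server offers it, otherwise the username itself (no rename tracking then).
function directory_key(array $entry): string
{
    if (isset($entry['objectguid'][0])) {
        return guid_bin_to_string($entry['objectguid'][0]);
    }
    if (isset($entry['entryuuid'][0])) {
        return $entry['entryuuid'][0];
    }
    return 'uid:' . entry_username($entry);
}

// Bring the users table in line with the directory entries. Passwords are never
// copied: the row gets a placeholder that no local login can ever match, so
// authentication stays on the directory.
function sync_users(PDO $pdo, array $entries): array
{
    $stats  = ['inserted' => 0, 'renamed' => 0, 'unchanged' => 0];
    $find   = $pdo->prepare('SELECT id, username FROM users WHERE ldap_guid = ?');
    $insert = $pdo->prepare('INSERT INTO users (username, ldap_guid, password) VALUES (?, ?, ?)');
    $rename = $pdo->prepare('UPDATE users SET username = ? WHERE id = ?');

    foreach ($entries as $entry) {
        $key  = directory_key($entry);
        $name = entry_username($entry);
        $find->execute([$key]);
        $row = $find->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $insert->execute([$name, $key, '!ldap-only!']);   // unusable placeholder, not a hash
            $stats['inserted']++;
        } elseif ($row['username'] !== $name) {
            $rename->execute([$name, $row['id']]);            // same row, new login name
            $stats['renamed']++;
        } else {
            $stats['unchanged']++;
        }
    }
    return $stats;
}

// Constructed demo: in-memory SQLite stand-in for the users table.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                                ldap_guid TEXT UNIQUE, password TEXT)');
// Constructed objectGUID bytes for the GUID aabbccdd-eeff-0011-2233-445566778899.
$guid    = hex2bin('ddccbbaaffee1100223344556677889' . '9');
$entries = [['objectguid' => [$guid], 'samaccountname' => ['alice']]];
print_r(sync_users($pdo, $entries));          // one row inserted
$entries[0]['samaccountname'] = ['alice.smith'];
print_r(sync_users($pdo, $entries));          // same row renamed, id unchanged
```

Because the lookup is by ldap_guid rather than username, the second run renames the existing row instead of creating a second account, which is exactly the property the post wants from objectGUID; with the username fallback the same rename would appear as a new user and an orphaned old one, so a deactivation pass for rows whose key no longer appears in the directory belongs in the real cron job.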

opensourcelab wrote on Tuesday, July 20, 2010:

Hi Rod, I have used your scripts as above and it downloads the users to the openemr but for some reason it does not authenticate against the AD (Server 2008). Any thoughts on what I might be doing wrong?

juggernautsei wrote on Monday, December 07, 2015:

Jason,
I was reading your thread and you said that you have gotten this to work. Is it possible that you would like to share the code with the community?