AD authentication with Lasso (8.x)


AD authentication with Lasso (8.x)

Patrick Larkin-3
Before I embark on trying stuff, can anyone confirm that they have a working solution authenticating people against the AD using the Lasso LDAP tags?  Is there another route to explore?  Any working examples of code out there?  

I currently authenticate against a MySQL table.


Thanks!


——
Patrick Larkin
Application Management Group
Information Technology
Bethlehem Area School District
https://www.beth.k12.pa.us


#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: AD authentication with Lasso (8.x)

Sprague, Gary
Patrick,

We are doing it at our company.  I have a solution that not only does authentication, but will allow self registration where I store basic information pulled from AD.

Here is a code snippet on the authentication part:

var('wa_addr'                   = 'ADserver.yourcompany.com');
var('win_auth_user'             = 'ADdomain\\' + $user);
var('login_successful'          = false);

protect;

    local('myLDAP' = LDAP);
    #myLDAP->Open($wa_addr);
    #myLDAP->Authenticate($win_auth_user, $password);
    #myLDAP->Close;

    handle_error;
        if(error_currenterror(-errorcode) == 49); // Invalid credentials
            //login_successful already set to false
        else; // Other error
            local('this_error' = error_currenterror->split('\r'));
            email_send(
                -host=$email_server,
                -from=$auto_email_from,
                -subject='LDAP Login Failure',
                -to=$admin_email,
                -body=(#this_error->get(1)));
        /if;
    /handle_error;

    var('login_successful'      = true);

/protect;

Gary Sprague
TV Systems Engineer
HSN, 1 HSN Drive, St. Petersburg, FL 33729
Office 727.872.4489
[hidden email]

Re: AD authentication with Lasso (8.x)

Patrick Larkin-3
Gary -

Many thanks.  Is your Lasso server running on Windows?  You don’t have to have a domain admin account to query the AD?  

PLEASE NOTE:  My e-mail address has changed to:  [hidden email]
——
Patrick Larkin
Application Management Group
Information Technology
Bethlehem Area School District
https://www.beth.k12.pa.us

Re: AD authentication with Lasso (8.x)

Sprague, Gary
Patrick,

We are on Windows with Lasso 8.6.3.  I have done this on Mac OS as well with Lasso 8.5.

The login domain is only necessary if your AD is set up with one (or more). I hard-coded the domain as our group is only logging into one of them.

Gary Sprague
TV Systems Engineer
HSN, 1 HSN Drive, St. Petersburg, FL 33729
Office 727.872.4489
[hidden email]

Re: AD authentication with Lasso (8.x)

Sprague, Gary
Patrick,

I realized I didn’t read your last question correctly.

We did not need an admin account to authenticate or to self register.

If you want to generate accounts in your system on behalf of others you may need an admin user account to do so.

Standard rules apply with failed authentications.  Accounts will lock out in AD after a few tries.

Gary Sprague
TV Systems Engineer
HSN, 1 HSN Drive, St. Petersburg, FL 33729
Office 727.872.4489
[hidden email]

Re: AD authentication with Lasso (8.x)

Patrick Larkin-3
In reply to this post by Sprague, Gary
Gary -

A couple of questions.  This seems to be working for me, but I’m not quite sure.

In this section

>    handle_error;
>        if(error_currenterror(-errorcode) == 49); // Invalid credentials
>            //login_successful already set to false

Should I be inserting an abort in there and sending the user an Invalid Credentials message?  I’m assuming you chopped something out?

Otherwise, the line

>    var('login_successful'      = true);

would always set the login success to “true”.  It seems if I abort and send the user an “Invalid” error message, it never gets to the above variable set.  

Are you able to get user attributes from AD as well?

Also, are you able to log in to a domain and not specify a particular DC?  You seem to point to a specific server.

> var('wa_addr'                   = 'ADserver.yourcompany.com');


Thanks again.

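An added Python example (not code from the thread) that reproduces the flow of Gary's snippet and the control-flow question above: bind to the directory as DOMAIN\user, treat LDAP result code 49 as a plain bad login, treat any other failure as an operational error worth alerting on, and set the success flag only on the path where no call raised; it also escapes the login name before it is reused in an sAMAccountName search filter, as the self-registration lookup Gary mentions would need. The directory is reached through an injected interface with a constructed in-memory stand-in so it runs offline; FakeDirectory, the host name, the accounts and the -1 error code are made up, and in production the three calls would wrap a real LDAP client library.

```python
"""Bind-as-the-user AD login, modelled on the Lasso snippet in this thread.

The directory is reached through a small injected interface (open /
authenticate / close) so the module runs offline; a real deployment would
implement those three calls with an LDAP client library.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Protocol

LDAP_INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials, the code the snippet tests for


class LdapError(Exception):
    """Error raised by the directory client; plays the role of error_currenterror(-errorcode)."""

    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code


class LdapConnection(Protocol):
    def open(self, host: str) -> None: ...
    def authenticate(self, user: str, password: str) -> None: ...
    def close(self) -> None: ...


@dataclass
class AuthOutcome:
    success: bool
    invalid_credentials: bool = False
    admin_alert: Optional[str] = None   # first line of an unexpected error, what the snippet emails out


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Without this, a login name containing '*', '(' or ')' could change the
    structure of the '(&(sAMAccountName=...)(objectClass=User))' filter.
    """
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def user_filter(sam_account_name: str) -> str:
    """The self-registration lookup filter, with the login name escaped."""
    return '(&(sAMAccountName=%s)(objectClass=User))' % escape_filter_value(sam_account_name)


def normalise_login(user: str, domain: str) -> str:
    """Same clean-up the posted login page does: drop spaces and a pasted 'DOMAIN\\' prefix."""
    return user.replace(' ', '').replace(domain + '\\', '')


def authenticate(conn: LdapConnection, host: str, domain: str,
                 user: str, password: str) -> AuthOutcome:
    """Open, bind as DOMAIN\\user, close; the success flag is set only if nothing raised."""
    user = normalise_login(user, domain)
    if len(user) < 2 or len(password) < 8:   # posted policy: passwords at least 8 characters
        return AuthOutcome(success=False, invalid_credentials=True)
    try:
        conn.open(host)
        try:
            conn.authenticate(domain + '\\' + user, password)
        finally:
            conn.close()   # unlike the snippet, always release the connection
    except LdapError as err:
        if err.code == LDAP_INVALID_CREDENTIALS:
            # A wrong password is the user's problem, not the operator's: no alert.
            return AuthOutcome(success=False, invalid_credentials=True)
        # Server unreachable, TLS failure, referral ...: deny the login and alert an admin.
        return AuthOutcome(success=False, admin_alert=str(err).splitlines()[0])
    return AuthOutcome(success=True)   # reached only on the no-error path


class FakeDirectory:
    """Constructed in-memory stand-in for an AD server (not a real LDAP client)."""

    def __init__(self, accounts: Dict[str, str], reachable: bool = True) -> None:
        self.accounts = accounts       # 'DOMAIN\\user' -> password
        self.reachable = reachable
        self.calls: List[str] = []     # records the call sequence for inspection

    def open(self, host: str) -> None:
        self.calls.append('open')
        if not self.reachable:
            # Any code other than 49 stands for a transport/server failure; -1 is a constructed value.
            raise LdapError(-1, "Can't contact LDAP server\r" + host)

    def authenticate(self, user: str, password: str) -> None:
        self.calls.append('bind:' + user)
        if self.accounts.get(user) != password:
            raise LdapError(LDAP_INVALID_CREDENTIALS, 'Invalid credentials')

    def close(self) -> None:
        self.calls.append('close')


if __name__ == '__main__':
    directory = FakeDirectory({'ADdomain\\alice': 'correct horse battery'})
    print(authenticate(directory, 'ADserver.example.test', 'ADdomain', 'alice', 'correct horse battery'))
    print(authenticate(directory, 'ADserver.example.test', 'ADdomain', 'alice', 'wrong password'))
    print(user_filter('a*(b)'))
```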
Re: AD authentication with Lasso (8.x)

Sprague, Gary
Patrick,

I am going to attach a sanitized version of our code below that will likely answer most of your questions and raise a few others.  We have created some of our own tags (prefixed with ACME) in this code to handle specific needs.  Hopefully they will be somewhat self-explanatory.

Our IT department let us know what server to point to for AD.  There may be more than one, but one should suffice.


<?LassoScript

/*  Session cookie set or read  */

    include('/includes/session.las');

/*  Prep login parameters  */
    var('user'                  = action_param('user'));
        $user->replace(' ','');
        $user->replace('ADdomain\\','');

    var('password'              = action_param('password'));
    var('encrypted_password'    = 'UNKNOWN');

    var('act'                   = action_param('act'));
    var('type'                  = action_param('type')); //"ajax" or ""
    var('badtry'                = '');
    var('session_guid_found'    = 'n');
    var('password_sent'         = 'n');
    var('my_dest'               = action_param('my_dest'));
    var('login_err_msg'         = '');

    if($my_dest == '');
        $my_dest = ('/home.lasso?cache=' + $cache);
    /if;


/*  Start of login logic:  */

/*  Check if too many attempts.  */
    if($login_attempt > 100);

        if($type == 'ajax');
            output('You have made too many login attempts.  Please contact IT at x1234 for assistance.');
        else;
            local('html' = '<html><head><title>Login Failure</title></head><body bgcolor="#ffffff"><div align="center"><br>&nbsp;<p>');
                #html += 'You have made too many login attempts.  Please contact IT at x1234 for assistance.</div></body></html>';

            output(#html,-encodenone);
        /if;

/*  Check for page "get"  */
    else($act=='' && $type != 'ajax');

        redirect_url('/');

/*  Search User database to validate login parameters and gather info.  */
    else($act=='login' && $user != '' && $user->size >= 2 && $password->size >= 8); //Company policy: passwords at least 8 characters.

        var('wa_addr'                   = 'ADdomain.companydomain.com');
        var('win_auth_user'             = 'ADdomain\\' + $user);
        var('login_successful'          = false);

        inline(
            -host=$db_host,
            -database=$db_name,
            -sql='
SELECT
    *
FROM
    site_users
WHERE
    user_login_name = \'' + encode_sql92($user) + '\'
;');

            //This error trap was added to address unavailable database issue.
            local('db_access_error' = (error_currenterror->split('\r'))->get(1));

            if(found_count == 1 && field('active') == '1');

                var('encrypted_password' = ACME_Hash($password,string(field('user_login_name')),string(field('user_guid'))));

                if(var_defined('login_using_db') == false || $login_using_db != true); //We are attempting LDAP authentication here

                    protect;

                        local('myLDAP' = LDAP);
                        #myLDAP->Open($wa_addr);
                        #myLDAP->Authenticate($win_auth_user, $password);
                        #myLDAP->Close;

                        handle_error;
                            if(error_currenterror(-errorcode) == 49); // Invalid credentials
                                //login_successful already set to false
                            else; // Other error
                                local('this_error' = error_currenterror->split('\r'));
                                email_send(
                                    -host=$email_server,
                                    -from=$auto_email_from,
                                    -subject='LDAP Login Failure',
                                    -to=$admin_email,
                                    -body=(#this_error->get(1)));
                            /if;
                        /handle_error;

                        var('login_successful'      = true);

                    /protect;

                else(var_defined('login_using_db') == true && $login_using_db == true && $encrypted_password == field('user_password_hash'));

                    var('login_successful'      = true);

                /if;

                if($login_successful == true);
                    var('my_firstname'          = field('first_name'));
                    var('my_full_name'          = field('first_name') + ' ' + field('last_name'));
                    var('my_user_email'         = field('user_email'));
                    var('my_user_guid'          = field('user_guid'));
                    var('my_username'           = field('user_login_name'));
                /if;

            else(found_count == 0 && #db_access_error == 'No Error' && $user != '' && $user->size >= 2 && $password->size >= 8 && $login_using_db == false);
            //This is here for self registration

                local('myResult'                = ''); //This is here in case login fails.

                protect;

                    // Escape LDAP filter metacharacters (RFC 4515) so the login name cannot change the filter's structure.
                    local('ldap_user'               = string($user));
                    #ldap_user->replace('\\', '\\5c');
                    #ldap_user->replace('*', '\\2a');
                    #ldap_user->replace('(', '\\28');
                    #ldap_user->replace(')', '\\29');

                    local('myfilter'            = '(&(sAMAccountName=' + #ldap_user + ')(objectClass=User))');

                    local('myLDAP'              = LDAP);

                    #myLDAP->Open($wa_addr);

                    #myLDAP->Authenticate($win_auth_user, $password);

                    #myLDAP->Search('dc=ADdomain,dc=companydomain,dc=com', LDAP_Scope_Subtree, #myfilter, Array('sn','givenName','mail','telephoneNumber','mobile','sAMAccountName','userPrincipalName'));

                    local('myResult'            = #myLDAP->Results);

                    #myLDAP->Close;

                    handle_error;
                        if(error_currenterror(-errorcode) == 49); // Invalid credentials
                            //login_successful already set to false
                        else; // Other error
                            local('this_error' = error_currenterror->split('\r'));
                            email_send(
                                -host=$email_server,
                                -from=$auto_email_from,
                                -subject='Self Registration LDAP Failure',
                                -to=$admin_email,
                                -body=(#this_error->get(1)));
                        /if;
                    /handle_error;

                /protect;

                local('ldap_firstname'          ='');
                local('ldap_lastname'           ='');
                local('ldap_email'              ='');
                local('ldap_workphone'          ='');
                local('ldap_mobilephone'        ='');
                local('ldap_login'              ='');

                if(#myResult->size == 1);

                    local('my_info' = (#myResult->get(1))->get(2));

                    if(#my_info->findposition('givenName')->size > 0);
                        #ldap_firstname = (((#my_info->find('givenName'))->first)->second)->get(1);
                    /if;

                    if(#my_info->findposition('sn')->size > 0);
                        #ldap_lastname = (((#my_info->find('sn'))->first)->second)->get(1);
                    /if;

                    if(#my_info->findposition('mail')->size > 0);
                        #ldap_email = string((((#my_info->find('mail'))->first)->second)->get(1)); //make it string to make email server happy
                    /if;

                    if(#my_info->findposition('telephoneNumber')->size > 0);
                        #ldap_workphone = (((#my_info->find('telephoneNumber'))->first)->second)->get(1);
                        #ldap_workphone->replace(' ','');
                        #ldap_workphone->replace('-','.');
                        #ldap_workphone->replace('/','.');
                        #ldap_workphone->replace(')','.');
                        #ldap_workphone->replace('(','');
                    /if;

                    if(#my_info->findposition('mobile')->size > 0);
                        #ldap_mobilephone = (((#my_info->find('mobile'))->first)->second)->get(1);
                        #ldap_mobilephone->replace(' ','');
                        #ldap_mobilephone->replace('-','.');
                        #ldap_mobilephone->replace('/','.');
                        #ldap_mobilephone->replace(')','.');
                        #ldap_mobilephone->replace('(','');
                    /if;

                    if(#my_info->findposition('sAMAccountName')->size > 0);
                        #ldap_login = (((#my_info->find('sAMAccountName'))->first)->second)->get(1);
                    /if;

                    if(#ldap_login != '' && #ldap_firstname != '' && #ldap_lastname != '' && #ldap_email != '');

                        var('user_guid'             = ACME_UUID);
                        var('encrypted_password'    = ACME_Hash(string($password),string(#ldap_login),string($user_guid)));

                        var('non_query_sql'='
INSERT INTO
    site_users
(
    user_guid,
    first_name,
    last_name,
    user_login_name,
    user_password_hash,
    change_password,
    user_email,
    user_phone_work,
    user_phone_mobile,
    active,
    created_datetime
)
VALUES
(
    \'' + encode_sql92($user_guid) + '\',
    \'' + encode_sql92(#ldap_firstname) + '\',
    \'' + encode_sql92(#ldap_lastname) + '\',
    \'' + encode_sql92(#ldap_login) + '\',
    \'' + encode_sql92($encrypted_password) + '\',
    0,
    \'' + encode_sql92(#ldap_email) + '\',
    \'' + encode_sql92(#ldap_workphone) + '\',
    \'' + encode_sql92(#ldap_mobilephone) + '\',
    1,
    \'' + date_format(date, -format='%Y-%m-%d %H:%M:%S') + '\'
)
;');

                        ACME_NonQuery(-sql = $non_query_sql);

                        var('my_firstname'      = #ldap_firstname);
                        var('my_full_name'      = #ldap_firstname + ' ' + #ldap_lastname);
                        var('my_user_email'     = #ldap_email);
                        var('my_user_guid'      = $user_guid);
                        var('my_username'       = #ldap_login);

                        email_send(
                            -host=$email_server,
                            -from=$auto_email_from,
                            -username=$smtp_auth_user,
                            -password=$smtp_auth_pass,
                            -subject='New Self-Registered User',
                            -to='[hidden email]',
                            -body=include('/includes/admin/new_user_email.las'));

                        email_send(
                            -host=$email_server,
                            -from=$auto_email_from,
                            -username=$smtp_auth_user,
                            -password=$smtp_auth_pass,
                            -subject='Welcome!',
                            -to=$my_user_email,
                            -bcc='[hidden email]',
                            -body=include('/includes/self_register_welcome_email.las'));

                        var('login_successful'  = true);

                    /if;

                /if;

            else; //Likely landed here to due a database error

                email_send(
                    -host=$email_server,
                    -from=$auto_email_from,
                    -subject='Login Issue with Database',
                    -to='[hidden email]',
                    -body=#db_access_error);

            /if;


            if($login_successful == true);

                var('login_attempt'     = 0);
                var('session_guid'      = ACME_UUID);
                var('ok'                = 'y');

                cookie_set('user' = $user, -path='/', -expires=259200);


            /*  Log visitor login  */


                var('login_expire_datetime' = date_format(date_add(date,-hour=1),-dateformat='%Y-%m-%d %H:%M:%S'));


                var('non_query_sql' = '
DECLARE @NEWGUID AS NVARCHAR(36);
SET @NEWGUID = \'' + ACME_UUID + '\';
DECLARE @BROWSER AS NVARCHAR(255);
SET @BROWSER = \'' + encode_sql92(client_type) + '\';
DECLARE @NOW AS DATETIME;
SET @NOW = \'' + $now + '\';
DECLARE @BGUID AS NVARCHAR(36);
SET @BGUID = @NEWGUID;
BEGIN TRY
INSERT INTO site_browsers (client_browser_guid, browser_identifier, created_datetime, last_access_datetime) VALUES (@NEWGUID, @BROWSER, @NOW, @NOW);
END TRY
BEGIN CATCH
SET @BGUID = (SELECT client_browser_guid FROM site_browsers WHERE browser_identifier = @BROWSER);
UPDATE site_browsers SET last_access_datetime = @NOW WHERE client_browser_guid = @BGUID;
END CATCH
;

INSERT INTO
    site_login_activity
(
    user_guid,
    login_datetime,
    client_ip,
    session_guid,
    login_expire_datetime,
    server_ip,
    client_browser_guid
)
VALUES
(
    \'' + $my_user_guid + '\',
    \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
    \'' + client_ip + '\',
    \'' + $session_guid + '\',
    \'' + $login_expire_datetime + '\',
    \'' + server_ip + '\',
    @BGUID
)
;

UPDATE
    site_users
SET
    last_login_datetime = \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
    user_password_hash = \'' + encode_sql92($encrypted_password) + '\'
WHERE
    user_guid = \'' + $my_user_guid + '\'
;');

                ACME_NonQuery(-sql = $non_query_sql);

                if($type == 'ajax');
                    output('OK');
                else;
                    redirect_url($my_dest);
                /if;

            else; // Failed Login Attempt

                var('badtry'            = 'y');
                var('login_attempt'     = ($login_attempt + 1));
                if($login_attempt < 5);
                    var('login_err_msg' = 'Login failed.\rYou have ' + (5 - $login_attempt) + ' more tries before\rlocking your account for 10 minutes.');
                else;
                    var('login_err_msg' = 'Login failed.\rYou have likely locked your account.\rTry again in 10 minutes.');
                /if;
                var('ok'                = 'n');

                if($type == 'ajax');
                    output($login_err_msg,-encodebreak);
                else;
                    var('content_inc' = '/includes/login.las');
                    include('/includes/page.las');
                /if;

            /if;

        /inline;

    else;

        //If you landed here it's because your login credentials did not meet the
        //OUR policy minimums

        var('badtry'            = 'y');
        var('login_err_msg'     = 'Login failed.\rUser or Password does not meet\rOUR Policy minimums.\rTry again.');
        var('ok'                = 'n');

        if($type == 'ajax');
            output($login_err_msg,-encodebreak);
        else;
            var('content_inc' = '/includes/login.las');
            include('/includes/page.las');
        /if;

    /if;

?>


________________________________________
From: [hidden email] <[hidden email]> on behalf of Patrick Larkin <[hidden email]>
Sent: Sunday, August 30, 2015 11:08 PM
To: [hidden email]
Subject: [EXTERNAL] Re: AD authentication with Lasso (8.x)

Gary -

A couple questions.  This seems to be working for me but I’m not quite sure.

In this section

>    handle_error;
>        if(error_currenterror(-errorcode) == 49); // Invalid credentials
>            //login_successful already set to false

Should I be inserting an abort in there and sending the user an Invalid Credentials message?  I’m assuming you chopped something out?

Otherwise, the line

>    var('login_successful'      = true);

would always set the login success to “true”.  It seems if I abort and send the user an “Invalid” error message, it never gets to the above variable set.

Are you able to get user attributes from AD as well?

Also, are you able to login to a domain and not specify a particular DC?  You seem to point to a specific server.

> var('wa_addr'                   = 'ADserver.yourcompany.com');


Thanks again.






> On Aug 27, 2015, at 7:05 PM, Sprague, Gary <[hidden email]> wrote:
>
> Patrick,
>
> We are doing it at our company.  I have a solution that not only does authentication, but will allow self registration where I store basic information pulled from AD.
>
> Here is a code snippet on the authentication part:
>
> var('wa_addr'                   = 'ADserver.yourcompany.com');
> var('win_auth_user'             = 'ADdomain\\' + $user);
> var('login_successful'          = false);
>
> protect;
>
>    local('myLDAP' = LDAP);
>    #myLDAP->Open($wa_addr);
>    #myLDAP->Authenticate($win_auth_user, $password);
>    #myLDAP->Close;
>
>    handle_error;
>        if(error_currenterror(-errorcode) == 49); // Invalid credentials
>            //login_successful already set to false
>        else; // Other error
>            local('this_error' = error_currenterror->split('\r'));
>            email_send(
>                -host=$email_server,
>                -from=$auto_email_from,
>                -subject='LDAP Login Failure',
>                -to=$admin_email,
>                -body=(#this_error->get(1)));
>        /if;
>    /handle_error;
>
>    var('login_successful'      = true);
>
> /protect;
>
> Gary Sprague
> TV Systems Engineer
> HSN, 1 HSN Drive, St. Petersburg, FL 33729
> Office 727.872.4489
> [hidden email]
>
>> On Aug 27, 2015, at 8:59 AM, Patrick Larkin <[hidden email]> wrote:
>>
>> Before I embark on trying stuff, can anyone confirm that they have a working solution authenticating people against the AD using the Lasso LDAP tags?  Is there another route to explore?  Any working examples of code out there?
>>
>> I currently authenticate against a MySQL table.
>>
>>
>> Thanks!
>>
>>
>> ——
>> Patrick Larkin
>> Application Management Group
>> Information Technology
>> Bethlehem Area School District
>> https://www.beth.k12.pa.us
>>
>>
>
>



Installing 8.6.3 on Windows Server 2008

Michael Benedict
Hello,

Anyone running this system?
Lasso Pro 8.6.3 on Win Server 2008

Any recommendations on the JRE I should install?
v6 as the install guide mentioned? But that was for Win server 2003
http://java.sun.com/javase/downloads/index.jsp

Thanks,
Michael



Re: Installing 8.6.3 on Windows Server 2008

Rachel Guthrie
Hi Michael,
Java 6 is still the one recommended.

Rachel Guthrie


> On Sep 4, 2015, at 6:44 PM, Michael Benedict <[hidden email]> wrote:
>
> Hello,
>
> Anyone running this system?
> Lasso Pro 8.6.3 on Win Server 2008
>
> Any recommendations on the JRE I should install?
> v6 as the install guide mentioned? But that was for Win server 2003
> http://java.sun.com/javase/downloads/index.jsp
>
> Thanks,
> Michael
>
>



Re: AD authentication with Lasso (8.x)

Sprague, Gary
In reply to this post by Patrick Larkin-3
Patrick,

I am going to attach a sanitized version of our code below that will likely answer most of your questions and raise a few others.  We have created some of our own tags (prefixed with ACME) in this code to handle specific needs.  Hopefully they will be somewhat self-explanatory.

Our IT department let us know what server to point to for AD.  There may be more than one, but one should suffice.


<?LassoScript

/*  Session cookie set or read  */

   include('/includes/session.las');

/*  Prep login parameters  */
   var('user'                  = action_param('user'));
       $user->replace(' ','');
       $user->replace('ADdomain\\','');

   var('password'              = action_param('password'));
   var('encrypted_password'    = 'UNKNOWN');

   var('act'                   = action_param('act'));
   var('type'                  = action_param('type')); //"ajax" or ""
   var('badtry'                = '');
   var('session_guid_found'    = 'n');
   var('password_sent'         = 'n');
   var('my_dest'               = action_param('my_dest'));
   var('login_err_msg'         = '');

   if($my_dest == '');
       $my_dest = ('/home.lasso?cache=' + $cache);
   /if;


/*  Start of login logic:  */

/*  Check if too many attempts.  */
   if($login_attempt > 100);

       if($type == 'ajax');
           output('You have made too many login attempts.  Please contact IT at x1234 for assistance.');
       else;
           local('html' = '<html><head><title>Login Failure</title></head><body bgcolor="#ffffff"><div align="center"><br>&nbsp;<p>');
               #html += 'You have made too many login attempts.  Please contact IT at x1234 for assistance.</div></body></html>';

           output(#html,-encodenone);
       /if;

/*  Check for page "get"  */
   else($act=='' && $type != 'ajax');

       redirect_url('/');

/*  Search User database to validate login parameters and gather info.  */
   else($act=='login' && $user != '' && $user->size >= 2 && $password->size >= 8); //Company policy: passwords at least 8 characters.

       var('wa_addr'                   = 'ADdomain.companydomain.com');
       var('win_auth_user'             = 'ADdomain\\' + $user);
       var('login_successful'          = false);

       inline(
           -host=$db_host,
           -database=$db_name,
           -sql='
SELECT
   *
FROM
   site_users
WHERE
   user_login_name = \'' + encode_sql92($user) + '\'
;');

           //This error trap was added to address unavailable database issue.
           local('db_access_error' = (error_currenterror->split('\r'))->get(1));

           if(found_count == 1 && field('active') == '1');

               var('encrypted_password' = ACME_Hash($password,string(field('user_login_name')),string(field('user_guid'))));

               if(var_defined('login_using_db') == false || $login_using_db != true); //We are attempting LDAP authentication here

                   protect;

                       local('myLDAP' = LDAP);
                       #myLDAP->Open($wa_addr);
                       #myLDAP->Authenticate($win_auth_user, $password);
                       #myLDAP->Close;

                       handle_error;
                           if(error_currenterror(-errorcode) == 49); // Invalid credentials
                               //login_successful already set to false
                           else; // Other error
                               local('this_error' = error_currenterror->split('\r'));
                               email_send(
                                   -host=$email_server,
                                   -from=$auto_email_from,
                                   -subject='LDAP Login Failure',
                                   -to=$admin_email,
                                   -body=(#this_error->get(1)));
                           /if;
                       /handle_error;

                       var('login_successful'      = true);

                   /protect;

               else(var_defined('login_using_db') == true && $login_using_db == true && $encrypted_password == field('user_password_hash'));

                   var('login_successful'      = true);

               /if;

               if($login_successful == true);
                   var('my_firstname'          = field('first_name'));
                   var('my_full_name'          = field('first_name') + ' ' + field('last_name'));
                   var('my_user_email'         = field('user_email'));
                   var('my_user_guid'          = field('user_guid'));
                   var('my_username'           = field('user_login_name'));
               /if;

           else(found_count == 0 && #db_access_error == 'No Error' && $user != '' && $user->size >= 2 && $password->size >= 8 && $login_using_db == false);
           //This is here for self registration

               local('myResult'                = ''); //This is here in case login fails.

               protect;

                   local('myfilter'            = '(&(sAMAccountName=' + $user + ')(objectClass=User))');

                   local('myLDAP'              = LDAP);

                   #myLDAP->Open($wa_addr);

                   #myLDAP->Authenticate($win_auth_user, $password);

                   #myLDAP->Search('dc=ADdomain,dc=companydomain,dc=com', LDAP_Scope_Subtree, #myfilter, Array('sn','givenName','mail','telephoneNumber','mobile','sAMAccountName','userPrincipalName'));

                   local('myResult'            = #myLDAP->Results);

                   #myLDAP->Close;

                   handle_error;
                       if(error_currenterror(-errorcode) == 49); // Invalid credentials
                           //login_successful already set to false
                       else; // Other error
                           local('this_error' = error_currenterror->split('\r'));
                           email_send(
                               -host=$email_server,
                               -from=$auto_email_from,
                               -subject='Self Registration LDAP Failure',
                               -to=$admin_email,
                               -body=(#this_error->get(1)));
                       /if;
                   /handle_error;

               /protect;

               local('ldap_firstname'          ='');
               local('ldap_lastname'           ='');
               local('ldap_email'              ='');
               local('ldap_workphone'          ='');
               local('ldap_mobilephone'        ='');
               local('ldap_login'              ='');

               if(#myResult->size == 1);

                   local('my_info' = (#myResult->get(1))->get(2));

                   if(#my_info->findposition('givenName')->size > 0);
                       #ldap_firstname = (((#my_info->find('givenName'))->first)->second)->get(1);
                   /if;

                   if(#my_info->findposition('sn')->size > 0);
                       #ldap_lastname = (((#my_info->find('sn'))->first)->second)->get(1);
                   /if;

                   if(#my_info->findposition('mail')->size > 0);
                       #ldap_email = string((((#my_info->find('mail'))->first)->second)->get(1)); //make it string to make email server happy
                   /if;

                   if(#my_info->findposition('telephoneNumber')->size > 0);
                       #ldap_workphone = (((#my_info->find('telephoneNumber'))->first)->second)->get(1);
                       #ldap_workphone->replace(' ','');
                       #ldap_workphone->replace('-','.');
                       #ldap_workphone->replace('/','.');
                       #ldap_workphone->replace(')','.');
                       #ldap_workphone->replace('(','');
                   /if;

                   if(#my_info->findposition('mobile')->size > 0);
                       #ldap_mobilephone = (((#my_info->find('mobile'))->first)->second)->get(1);
                       #ldap_mobilephone->replace(' ','');
                       #ldap_mobilephone->replace('-','.');
                       #ldap_mobilephone->replace('/','.');
                       #ldap_mobilephone->replace(')','.');
                       #ldap_mobilephone->replace('(','');
                   /if;

                   if(#my_info->findposition('sAMAccountName')->size > 0);
                       #ldap_login = (((#my_info->find('sAMAccountName'))->first)->second)->get(1);
                   /if;

                   if(#ldap_login != '' && #ldap_firstname != '' && #ldap_lastname != '' && #ldap_email != '');

                       var('user_guid'             = ACME_UUID);
                       var('encrypted_password'    = ACME_Hash(string($password),string(#ldap_login),string($user_guid)));

                       var('non_query_sql'='
INSERT INTO
   site_users
(
   user_guid,
   first_name,
   last_name,
   user_login_name,
   user_password_hash,
   change_password,
   user_email,
   user_phone_work,
   user_phone_mobile,
   active,
   created_datetime
)
VALUES
(
   \'' + encode_sql92($user_guid) + '\',
   \'' + encode_sql92(#ldap_firstname) + '\',
   \'' + encode_sql92(#ldap_lastname) + '\',
   \'' + encode_sql92(#ldap_login) + '\',
   \'' + encode_sql92($encrypted_password) + '\',
   0,
   \'' + encode_sql92(#ldap_email) + '\',
   \'' + encode_sql92(#ldap_workphone) + '\',
   \'' + encode_sql92(#ldap_mobilephone) + '\',
   1,
   \'' + date_format(date, -format='%Y-%m-%d %H:%M:%S') + '\'
)
;');

                       ACME_NonQuery(-sql = $non_query_sql);

                       var('my_firstname'      = #ldap_firstname);
                       var('my_full_name'      = #ldap_firstname + ' ' + #ldap_lastname);
                       var('my_user_email'     = #ldap_email);
                       var('my_user_guid'      = $user_guid);
                       var('my_username'       = #ldap_login);

                       email_send(
                           -host=$email_server,
                           -from=$auto_email_from,
                           -username=$smtp_auth_user,
                           -password=$smtp_auth_pass,
                           -subject='New Self-Registered User',
                           -to='[hidden email]',
                           -body=include('/includes/admin/new_user_email.las'));

                       email_send(
                           -host=$email_server,
                           -from=$auto_email_from,
                           -username=$smtp_auth_user,
                           -password=$smtp_auth_pass,
                           -subject='Welcome!',
                           -to=$my_user_email,
                           -bcc='[hidden email]',
                           -body=include('/includes/self_register_welcome_email.las'));

                       var('login_successful'  = true);

                   /if;

               /if;

            else; //Likely landed here due to a database error

               email_send(
                   -host=$email_server,
                   -from=$auto_email_from,
                   -subject='Login Issue with Database',
                   -to='[hidden email]',
                   -body=#db_access_error);

           /if;


           if($login_successful == true);

               var('login_attempt'     = 0);
               var('session_guid'      = ACME_UUID);
               var('ok'                = 'y');

               cookie_set('user' = $user, -path='/', -expires=259200);


           /*  Log visitor login  */


               var('login_expire_datetime' = date_format(date_add(date,-hour=1),-dateformat='%Y-%m-%d %H:%M:%S'));


               var('non_query_sql' = '
DECLARE @NEWGUID AS NVARCHAR(36);
SET @NEWGUID = \'' + ACME_UUID + '\';
DECLARE @BROWSER AS NVARCHAR(255);
SET @BROWSER = \'' + encode_sql92(client_type) + '\';
DECLARE @NOW AS DATETIME;
SET @NOW = \'' + $now + '\';
DECLARE @BGUID AS NVARCHAR(36);
SET @BGUID = @NEWGUID;
BEGIN TRY
INSERT INTO site_browsers (client_browser_guid, browser_identifier, created_datetime, last_access_datetime) VALUES (@NEWGUID, @BROWSER, @NOW, @NOW);
END TRY
BEGIN CATCH
SET @BGUID = (SELECT client_browser_guid FROM site_browsers WHERE browser_identifier = @BROWSER);
UPDATE site_browsers SET last_access_datetime = @NOW WHERE client_browser_guid = @BGUID;
END CATCH
;

INSERT INTO
   site_login_activity
(
   user_guid,
   login_datetime,
   client_ip,
   session_guid,
   login_expire_datetime,
   server_ip,
   client_browser_guid
)
VALUES
(
   \'' + $my_user_guid + '\',
   \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
   \'' + client_ip + '\',
   \'' + $session_guid + '\',
   \'' + $login_expire_datetime + '\',
   \'' + server_ip + '\',
   @BGUID
)
;

UPDATE
   site_users
SET
   last_login_datetime = \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
   user_password_hash = \'' + encode_sql92($encrypted_password) + '\'
WHERE
   user_guid = \'' + $my_user_guid + '\'
;');

               ACME_NonQuery(-sql = $non_query_sql);

               if($type == 'ajax');
                   output('OK');
               else;
                   redirect_url($my_dest);
               /if;

           else; // Failed Login Attempt

               var('badtry'            = 'y');
               var('login_attempt'     = ($login_attempt + 1));
               if($login_attempt < 5);
                   var('login_err_msg' = 'Login failed.\rYou have ' + (5 - $login_attempt) + ' more tries before\rlocking your account for 10 minutes.');
               else;
                   var('login_err_msg' = 'Login failed.\rYou have likely locked your account.\rTry again in 10 minutes.');
               /if;
               var('ok'                = 'n');

               if($type == 'ajax');
                   output($login_err_msg,-encodebreak);
               else;
                   var('content_inc' = '/includes/login.las');
                   include('/includes/page.las');
               /if;

           /if;

       /inline;

   else;

       //If you landed here it's because your login credentials did not meet the
       //OUR policy minimums

       var('badtry'            = 'y');
       var('login_err_msg'     = 'Login failed.\rUser or Password does not meet\rOUR Policy minimums.\rTry again.');
       var('ok'                = 'n');

       if($type == 'ajax');
           output($login_err_msg,-encodebreak);
       else;
           var('content_inc' = '/includes/login.las');
           include('/includes/page.las');
       /if;

   /if;

?>


________________________________________
From: [hidden email] <[hidden email]> on behalf of Patrick Larkin <[hidden email]>
Sent: Sunday, August 30, 2015 11:08 PM
To: [hidden email]
Subject: [EXTERNAL] Re: AD authentication with Lasso (8.x)

Gary -

A couple questions.  This seems to be working for me but I’m not quite sure.

In this section

>   handle_error;
>       if(error_currenterror(-errorcode) == 49); // Invalid credentials
>           //login_successful already set to false

Should I be inserting an abort in there and sending the user an Invalid Credentials message?  I’m assuming you chopped something out?

Otherwise, the line

>   var('login_successful'      = true);

would always set the login success to “true”.  It seems if I abort and send the user an “Invalid” error message, it never gets to the above variable set.

Are you able to get user attributes from AD as well?

Also, are you able to login to a domain and not specify a particular DC?  You seem to point to a specific server.

> var('wa_addr'                   = 'ADserver.yourcompany.com');


Thanks again.






> On Aug 27, 2015, at 7:05 PM, Sprague, Gary <[hidden email]> wrote:
>
> Patrick,
>
> We are doing it at our company.  I have a solution that not only does authentication, but will allow self registration where I store basic information pulled from AD.
>
> Here is a code snippet on the authentication part:
>
> var('wa_addr'                   = 'ADserver.yourcompany.com');
> var('win_auth_user'             = 'ADdomain\\' + $user);
> var('login_successful'          = false);
>
> protect;
>
>   local('myLDAP' = LDAP);
>   #myLDAP->Open($wa_addr);
>   #myLDAP->Authenticate($win_auth_user, $password);
>   #myLDAP->Close;
>
>   handle_error;
>       if(error_currenterror(-errorcode) == 49); // Invalid credentials
>           //login_successful already set to false
>       else; // Other error
>           local('this_error' = error_currenterror->split('\r'));
>           email_send(
>               -host=$email_server,
>               -from=$auto_email_from,
>               -subject='LDAP Login Failure',
>               -to=$admin_email,
>               -body=(#this_error->get(1)));
>       /if;
>   /handle_error;
>
>   var('login_successful'      = true);
>
> /protect;
>
> Gary Sprague
> TV Systems Engineer
> HSN, 1 HSN Drive, St. Petersburg, FL 33729
> Office 727.872.4489
> [hidden email]
>
>> On Aug 27, 2015, at 8:59 AM, Patrick Larkin <[hidden email]> wrote:
>>
>> Before I embark on trying stuff, can anyone confirm that they have a working solution authenticating people against the AD using the Lasso LDAP tags?  Is there another route to explore?  Any working examples of code out there?
>>
>> I currently authenticate against a MySQL table.
>>
>>
>> Thanks!
>>
>>
>> ——
>> Patrick Larkin
>> Application Management Group
>> Information Technology
>> Bethlehem Area School District
>> https://www.beth.k12.pa.us
>>
>>
>
>


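An added example, not from this post and not Gary's Lasso code: two defensive helpers around the bind-based login shown above, written in Python because the Lasso 8 LDAP tags cannot be exercised here. The first escapes the user-supplied value that the posted code concatenates straight into `'(&(sAMAccountName=' + $user + ')(objectClass=User))'`, so that a login name containing `*`, `(`, `)` or `\` cannot change the shape of the filter. The second takes the LDAP result code the `handle_error` block tests for (49, invalid credentials) together with the `data NNN` sub-code that Active Directory places in its diagnostic message, and returns a precise reason for the admin e-mail alongside a generic message for the login form, so account state (locked, disabled, unknown) is not disclosed to whoever is typing. All function and constant names are this example's own; the AD sub-code table is documented AD behaviour rather than anything stated in the thread, and the sample diagnostic string is constructed.

```python
"""Added example for the LassoTalk thread; not Gary's code and not part of the post.

  escape_filter_value / user_filter -- RFC 4515 escaping for the value that the
      posted code concatenates into '(&(sAMAccountName=' + $user + ')(objectClass=User))'
  classify_bind_failure             -- LDAP result 49 plus AD's "data NNN" sub-code
      mapped to (admin log detail, user-facing message)

Function and constant names are this example's own assumptions.
"""
import re
from typing import Tuple

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    '\\': r'\5c',
    '*': r'\2a',
    '(': r'\28',
    ')': r'\29',
    '\x00': r'\00',
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter's structure."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            # Control and non-ASCII characters: escape every UTF-8 byte as \XX.
            out.append(''.join(r'\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def user_filter(sam_account_name: str) -> str:
    """The filter the posted code builds, with the user-supplied value escaped."""
    return '(&(sAMAccountName=%s)(objectClass=User))' % escape_filter_value(sam_account_name)


# AD returns LDAP result 49 (invalidCredentials) for several distinct reasons and
# reports the real one as "data <hex>" inside the diagnostic message.
_AD_DATA_CODES = {
    '525': 'user not found',
    '52e': 'wrong password',
    '530': 'logon not permitted at this time',
    '531': 'logon not permitted from this workstation',
    '532': 'password expired',
    '533': 'account disabled',
    '701': 'account expired',
    '773': 'user must reset password',
    '775': 'account locked out',
}
_DATA_RE = re.compile(r'\bdata\s+([0-9a-fA-F]+)\b')

GENERIC_FAILURE = 'Login failed.'
EXPIRED_PASSWORD = 'Your password has expired; please change it and try again.'
UNAVAILABLE = 'Login is temporarily unavailable.'


def classify_bind_failure(result_code: int, diagnostic: str) -> Tuple[str, str]:
    """Return (admin_detail, user_message) for a failed simple bind.

    The admin detail names the exact AD reason for the log or alert e-mail.  The
    user message stays generic except for 532/773, where the caller has already
    proved the password and only needs to change it; disabled, locked and unknown
    accounts all get the same text so the form cannot be used to probe account state.
    """
    if result_code != 49:
        # Not a credential problem (server down, referral, ...): alert, do not blame the user.
        return ('LDAP result %d: %s' % (result_code, diagnostic), UNAVAILABLE)
    match = _DATA_RE.search(diagnostic)
    sub = match.group(1).lower() if match else ''
    reason = _AD_DATA_CODES.get(sub, 'invalid credentials (sub-code %r)' % sub)
    user_message = EXPIRED_PASSWORD if sub in ('532', '773') else GENERIC_FAILURE
    return ('bind rejected, AD data %s: %s' % (sub or '?', reason), user_message)


# Constructed sample in the format AD uses; the DSID and version values are made up.
SAMPLE_LOCKED_OUT = ('80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, '
                     'data 775, v1db1')

if __name__ == '__main__':
    print(user_filter('jdoe'))
    print(user_filter('*)(objectClass=*'))      # structure-changing input rendered inert
    print(classify_bind_failure(49, SAMPLE_LOCKED_OUT))
    print(classify_bind_failure(49, 'x: data 52e, v1db1'))
    print(classify_bind_failure(52, 'server unavailable'))
```

In the posted flow the search runs only after a successful bind as the same account, which already limits who reaches it; escaping the value is still the right habit, because the same filter-building pattern is usually copied into lookups that run under a service account. The `handle_error` branch that e-mails the administrator is the natural place for the admin detail string, while `$login_err_msg` gets the user message.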

Re: AD authentication with Lasso (8.x)

Patrick Larkin-3
Thanks Gary!

I’ve had the AD authentication running for a couple weeks now thanks to your help.  I just authenticate them against AD and then once authenticated, look up the user details from another MySQL database.  One day, perhaps I’ll get those details from AD itself.

Look forward to examining your code further.  Thanks again.


——
Patrick Larkin
Application Management Group
Information Technology
Bethlehem Area School District
https://www.beth.k12.pa.us

> On Sep 15, 2015, at 11:14 AM, Sprague, Gary <[hidden email]> wrote:
>
> Patrick,
>
> I am going to attach a sanitized version of our code below that will likely answer most of your questions and raise a few others.  We have created some of our own tags (prefixed with ACME) in this code to handle specific needs.  Hopefully they will be somewhat self-explanatory.
>
> Our IT department let us know what server to point to for AD.  There may be more than one, but one should suffice.
>
>
> <?LassoScript
>
> /*  Session cookie set or read  */
>
>   include('/includes/session.las');
>
> /*  Prep login parameters  */
>   var('user'                  = action_param('user'));
>       $user->replace(' ','');
>       $user->replace('ADdomain\\','');
>
>   var('password'              = action_param('password'));
>   var('encrypted_password'    = 'UNKNOWN');
>
>   var('act'                   = action_param('act'));
>   var('type'                  = action_param('type')); //"ajax" or ""
>   var('badtry'                = '');
>   var('session_guid_found'    = 'n');
>   var('password_sent'         = 'n');
>   var('my_dest'               = action_param('my_dest'));
>   var('login_err_msg'         = '');
>
>   if($my_dest == '');
>       $my_dest = ('/home.lasso?cache=' + $cache);
>   /if;
>
>
> /*  Start of login logic:  */
>
> /*  Check if too many attempts.  */
>   if($login_attempt > 100);
>
>       if($type == 'ajax');
>           output('You have made too many login attempts.  Please contact IT at x1234 for assistance.');
>       else;
>           local('html' = '<html><head><title>Login Failure</title></head><body bgcolor="#ffffff"><div align="center"><br>&nbsp;<p>');
>               #html += 'You have made too many login attempts.  Please contact IT at x1234 for assistance.</div></body></html>';
>
>           output(#html,-encodenone);
>       /if;
>
> /*  Check for page "get"  */
>   else($act=='' && $type != 'ajax');
>
>       redirect_url('/');
>
> /*  Search User database to validate login parameters and gather info.  */
>   else($act=='login' && $user != '' && $user->size >= 2 && $password->size >= 8); //Company policy: passwords at least 8 characters.
>
>       var('wa_addr'                   = 'ADdomain.companydomain.com');
>       var('win_auth_user'             = 'ADdomain\\' + $user);
>       var('login_successful'          = false);
>
>       inline(
>           -host=$db_host,
>           -database=$db_name,
>           -sql='
> SELECT
>   *
> FROM
>   site_users
> WHERE
>   user_login_name = \'' + encode_sql92($user) + '\'
> ;');
>
>           //This error trap was added to address unavailable database issue.
>           local('db_access_error' = (error_currenterror->split('\r'))->get(1));
>
>           if(found_count == 1 && field('active') == '1');
>
>               var('encrypted_password' = ACME_Hash($password,string(field('user_login_name')),string(field('user_guid'))));
>
>               if(var_defined('login_using_db') == false || $login_using_db != true); //We are attempting LDAP authentication here
>
>                   protect;
>
>                       local('myLDAP' = LDAP);
>                       #myLDAP->Open($wa_addr);
>                       #myLDAP->Authenticate($win_auth_user, $password);
>                       #myLDAP->Close;
>
>                       handle_error;
>                           if(error_currenterror(-errorcode) == 49); // Invalid credentials
>                               //login_successful already set to false
>                           else; // Other error
>                               local('this_error' = error_currenterror->split('\r'));
>                               email_send(
>                                   -host=$email_server,
>                                   -from=$auto_email_from,
>                                   -subject='LDAP Login Failure',
>                                   -to=$admin_email,
>                                   -body=(#this_error->get(1)));
>                           /if;
>                       /handle_error;
>
>                       var('login_successful'      = true);
>
>                   /protect;
>
>               else(var_defined('login_using_db') == true && $login_using_db == true && $encrypted_password == field('user_password_hash'));
>
>                   var('login_successful'      = true);
>
>               /if;
>
>               if($login_successful == true);
>                   var('my_firstname'          = field('first_name'));
>                   var('my_full_name'          = field('first_name') + ' ' + field('last_name'));
>                   var('my_user_email'         = field('user_email'));
>                   var('my_user_guid'          = field('user_guid'));
>                   var('my_username'           = field('user_login_name'));
>               /if;
>
>           else(found_count == 0 && #db_access_error == 'No Error' && $user != '' && $user->size >= 2 && $password->size >= 8 && $login_using_db == false);
>           //This is here for self registration
>
>               local('myResult'                = ''); //This is here in case login fails.
>
>               protect;
>
>                   local('myfilter'            = '(&(sAMAccountName=' + $user + ')(objectClass=User))');
>
>                   local('myLDAP'              = LDAP);
>
>                   #myLDAP->Open($wa_addr);
>
>                   #myLDAP->Authenticate($win_auth_user, $password);
>
>                   #myLDAP->Search('dc=ADdomain,dc=companydomain,dc=com', LDAP_Scope_Subtree, #myfilter, Array('sn','givenName','mail','telephoneNumber','mobile','sAMAccountName','userPrincipalName'));
>
>                   local('myResult'            = #myLDAP->Results);
>
>                   #myLDAP->Close;
>
>                   handle_error;
>                       if(error_currenterror(-errorcode) == 49); // Invalid credentials
>                           //login_successful already set to false
>                       else; // Other error
>                           local('this_error' = error_currenterror->split('\r'));
>                           email_send(
>                               -host=$email_server,
>                               -from=$auto_email_from,
>                               -subject='Self Registration LDAP Failure',
>                               -to=$admin_email,
>                               -body=(#this_error->get(1)));
>                       /if;
>                   /handle_error;
>
>               /protect;
>
>               local('ldap_firstname'          ='');
>               local('ldap_lastname'           ='');
>               local('ldap_email'              ='');
>               local('ldap_workphone'          ='');
>               local('ldap_mobilephone'        ='');
>               local('ldap_login'              ='');
>
>               if(#myResult->size == 1);
>
>                   local('my_info' = (#myResult->get(1))->get(2));
>
>                   if(#my_info->findposition('givenName')->size > 0);
>                       #ldap_firstname = (((#my_info->find('givenName'))->first)->second)->get(1);
>                   /if;
>
>                   if(#my_info->findposition('sn')->size > 0);
>                       #ldap_lastname = (((#my_info->find('sn'))->first)->second)->get(1);
>                   /if;
>
>                   if(#my_info->findposition('mail')->size > 0);
>                       #ldap_email = string((((#my_info->find('mail'))->first)->second)->get(1)); //make it string to make email server happy
>                   /if;
>
>                   if(#my_info->findposition('telephoneNumber')->size > 0);
>                       #ldap_workphone = (((#my_info->find('telephoneNumber'))->first)->second)->get(1);
>                       #ldap_workphone->replace(' ','');
>                       #ldap_workphone->replace('-','.');
>                       #ldap_workphone->replace('/','.');
>                       #ldap_workphone->replace(')','.');
>                       #ldap_workphone->replace('(','');
>                   /if;
>
>                   if(#my_info->findposition('mobile')->size > 0);
>                       #ldap_mobilephone = (((#my_info->find('mobile'))->first)->second)->get(1);
>                       #ldap_mobilephone->replace(' ','');
>                       #ldap_mobilephone->replace('-','.');
>                       #ldap_mobilephone->replace('/','.');
>                       #ldap_mobilephone->replace(')','.');
>                       #ldap_mobilephone->replace('(','');
>                   /if;
>
>                   if(#my_info->findposition('sAMAccountName')->size > 0);
>                       #ldap_login = (((#my_info->find('sAMAccountName'))->first)->second)->get(1);
>                   /if;
>
>                   if(#ldap_login != '' && #ldap_firstname != '' && #ldap_lastname != '' && #ldap_email != '');
>
>                       var('user_guid'             = ACME_UUID);
>                       var('encrypted_password'    = ACME_Hash(string($password),string(#ldap_login),string($user_guid)));
>
>                       var('non_query_sql'='
> INSERT INTO
>   site_users
> (
>   user_guid,
>   first_name,
>   last_name,
>   user_login_name,
>   user_password_hash,
>   change_password,
>   user_email,
>   user_phone_work,
>   user_phone_mobile,
>   active,
>   created_datetime
> )
> VALUES
> (
>   \'' + encode_sql92($user_guid) + '\',
>   \'' + encode_sql92(#ldap_firstname) + '\',
>   \'' + encode_sql92(#ldap_lastname) + '\',
>   \'' + encode_sql92(#ldap_login) + '\',
>   \'' + encode_sql92($encrypted_password) + '\',
>   0,
>   \'' + encode_sql92(#ldap_email) + '\',
>   \'' + encode_sql92(#ldap_workphone) + '\',
>   \'' + encode_sql92(#ldap_mobilephone) + '\',
>   1,
>   \'' + date_format(date, -format='%Y-%m-%d %H:%M:%S') + '\'
> )
> ;');
>
>                       ACME_NonQuery(-sql = $non_query_sql);
>
>                       var('my_firstname'      = #ldap_firstname);
>                       var('my_full_name'      = #ldap_firstname + ' ' + #ldap_lastname);
>                       var('my_user_email'     = #ldap_email);
>                       var('my_user_guid'      = $user_guid);
>                       var('my_username'       = #ldap_login);
>
>                       email_send(
>                           -host=$email_server,
>                           -from=$auto_email_from,
>                           -username=$smtp_auth_user,
>                           -password=$smtp_auth_pass,
>                           -subject='New Self-Registered User',
>                           -to='[hidden email]',
>                           -body=include('/includes/admin/new_user_email.las'));
>
>                       email_send(
>                           -host=$email_server,
>                           -from=$auto_email_from,
>                           -username=$smtp_auth_user,
>                           -password=$smtp_auth_pass,
>                           -subject='Welcome!',
>                           -to=$my_user_email,
>                           -bcc='[hidden email]',
>                           -body=include('/includes/self_register_welcome_email.las'));
>
>                       var('login_successful'  = true);
>
>                   /if;
>
>               /if;
>
>           else; //Likely landed here due to a database error
>
>               email_send(
>                   -host=$email_server,
>                   -from=$auto_email_from,
>                   -subject='Login Issue with Database',
>                   -to='[hidden email]',
>                   -body=#db_access_error);
>
>           /if;
>
>
>           if($login_successful == true);
>
>               var('login_attempt'     = 0);
>               var('session_guid'      = ACME_UUID);
>               var('ok'                = 'y');
>
>               cookie_set('user' = $user, -path='/', -expires=259200);
>
>
>           /*  Log visitor login  */
>
>
>               var('login_expire_datetime' = date_format(date_add(date,-hour=1),-dateformat='%Y-%m-%d %H:%M:%S'));
>
>
>               var('non_query_sql' = '
> DECLARE @NEWGUID AS NVARCHAR(36);
> SET @NEWGUID = \'' + ACME_UUID + '\';
> DECLARE @BROWSER AS NVARCHAR(255);
> SET @BROWSER = \'' + encode_sql92(client_type) + '\';
> DECLARE @NOW AS DATETIME;
> SET @NOW = \'' + $now + '\';
> DECLARE @BGUID AS NVARCHAR(36);
> SET @BGUID = @NEWGUID;
> BEGIN TRY
> INSERT INTO site_browsers (client_browser_guid, browser_identifier, created_datetime, last_access_datetime) VALUES (@NEWGUID, @BROWSER, @NOW, @NOW);
> END TRY
> BEGIN CATCH
> SET @BGUID = (SELECT client_browser_guid FROM site_browsers WHERE browser_identifier = @BROWSER);
> UPDATE site_browsers SET last_access_datetime = @NOW WHERE client_browser_guid = @BGUID;
> END CATCH
> ;
>
> INSERT INTO
>   site_login_activity
> (
>   user_guid,
>   login_datetime,
>   client_ip,
>   session_guid,
>   login_expire_datetime,
>   server_ip,
>   client_browser_guid
> )
> VALUES
> (
>   \'' + $my_user_guid + '\',
>   \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
>   \'' + client_ip + '\',
>   \'' + $session_guid + '\',
>   \'' + $login_expire_datetime + '\',
>   \'' + server_ip + '\',
>   @BGUID
> )
> ;
>
> UPDATE
>   site_users
> SET
>   last_login_datetime = \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
>   user_password_hash = \'' + encode_sql92($encrypted_password) + '\'
> WHERE
>   user_guid = \'' + $my_user_guid + '\'
> ;');
>
>               ACME_NonQuery(-sql = $non_query_sql);
>
>               if($type == 'ajax');
>                   output('OK');
>               else;
>                   redirect_url($my_dest);
>               /if;
>
>           else; // Failed Login Attempt
>
>               var('badtry'            = 'y');
>               var('login_attempt'     = ($login_attempt + 1));
>               if($login_attempt < 5);
>                   var('login_err_msg' = 'Login failed.\rYou have ' + (5 - $login_attempt) + ' more tries before\rlocking your account for 10 minutes.');
>               else;
>                   var('login_err_msg' = 'Login failed.\rYou have likely locked your account.\rTry again in 10 minutes.');
>               /if;
>               var('ok'                = 'n');
>
>               if($type == 'ajax');
>                   output($login_err_msg,-encodebreak);
>               else;
>                   var('content_inc' = '/includes/login.las');
>                   include('/includes/page.las');
>               /if;
>
>           /if;
>
>       /inline;
>
>   else;
>
>       //If you landed here it's because your login credentials did not meet the
>       //OUR policy minimums
>
>       var('badtry'            = 'y');
>       var('login_err_msg'     = 'Login failed.\rUser or Password does not meet\rOUR Policy minimums.\rTry again.');
>       var('ok'                = 'n');
>
>       if($type == 'ajax');
>           output($login_err_msg,-encodebreak);
>       else;
>           var('content_inc' = '/includes/login.las');
>           include('/includes/page.las');
>       /if;
>
>   /if;
>
> ?>
>
>

Re: AD authentication with Lasso (8.x)

Sprague, Gary
Patrick,

I had sent this reply to you on September 3, but I noticed today that it didn’t show up in Lassotalk.

So I resent.

Gary Sprague
TV Systems Engineer
HSN, 1 HSN Drive, St. Petersburg, FL 33729
Office 727.872.4489
[hidden email]

On Sep 15, 2015, at 11:16 AM, Patrick Larkin <[hidden email]> wrote:

Thanks Gary!

I’ve had the AD authentication running for a couple weeks now thanks to your help.  I just authenticate them against AD and then once authenticated, look up the user details from another MySQL database.  One day, perhaps I’ll get those details from AD itself.

Look forward to examining your code further.  Thanks again.


——
Patrick Larkin
Application Management Group
Information Technology
Bethlehem Area School District
https://www.beth.k12.pa.us

On Sep 15, 2015, at 11:14 AM, Sprague, Gary <[hidden email]> wrote:

Patrick,

I am going to attach a sanitized version of our code below that will likely answer most of your questions and raise a few others.  We have created some of our own tags (prefixed with ACME) in this code to handle specific needs.  Hopefully they will be somewhat self-explanatory.

Our IT department let us know what server to point to for AD.  There may be more than one, but one should suffice.


<?LassoScript

/*  Session cookie set or read  */

 include('/includes/session.las');

/*  Prep login parameters  */
 var('user'                  = action_param('user'));
     $user->replace(' ','');
     $user->replace('ADdomain\\','');

 var('password'              = action_param('password'));
 var('encrypted_password'    = 'UNKNOWN');

 var('act'                   = action_param('act'));
 var('type'                  = action_param('type')); //"ajax" or ""
 var('badtry'                = '');
 var('session_guid_found'    = 'n');
 var('password_sent'         = 'n');
 var('my_dest'               = action_param('my_dest'));
 var('login_err_msg'         = '');

 if($my_dest == '');
     $my_dest = ('/home.lasso?cache=' + $cache);
 /if;


/*  Start of login logic:  */

/*  Check if too many attempts.  */
 if($login_attempt > 100);

     if($type == 'ajax');
         output('You have made too many login attempts.  Please contact IT at x1234 for assistance.');
     else;
         local('html' = '<html><head><title>Login Failure</title></head><body bgcolor="#ffffff"><div align="center"><br>&nbsp;<p>');
             #html += 'You have made too many login attempts.  Please contact IT at x1234 for assistance.</div></body></html>';

         output(#html,-encodenone);
     /if;

/*  Check for page "get"  */
 else($act=='' && $type != 'ajax');

     redirect_url('/');

/*  Search User database to validate login parameters and gather info.  */
 else($act=='login' && $user != '' && $user->size >= 2 && $password->size >= 8); //Company policy: passwords at least 8 characters.

     var('wa_addr'                   = 'ADdomain.companydomain.com');
     var('win_auth_user'             = 'ADdomain\\' + $user);
     var('login_successful'          = false);

     inline(
         -host=$db_host,
         -database=$db_name,
         -sql='
SELECT
 *
FROM
 site_users
WHERE
 user_login_name = \'' + encode_sql92($user) + '\'
;');

         //This error trap was added to address unavailable database issue.
         local('db_access_error' = (error_currenterror->split('\r'))->get(1));

         if(found_count == 1 && field('active') == '1');

             var('encrypted_password' = ACME_Hash($password,string(field('user_login_name')),string(field('user_guid'))));

             if(var_defined('login_using_db') == false || $login_using_db != true); //We are attempting LDAP authentication here

                 protect;

                     local('myLDAP' = LDAP);
                     #myLDAP->Open($wa_addr);
                     #myLDAP->Authenticate($win_auth_user, $password);
                     #myLDAP->Close;

                     handle_error;
                         if(error_currenterror(-errorcode) == 49); // Invalid credentials
                             //login_successful already set to false
                         else; // Other error
                             local('this_error' = error_currenterror->split('\r'));
                             email_send(
                                 -host=$email_server,
                                 -from=$auto_email_from,
                                 -subject='LDAP Login Failure',
                                 -to=$admin_email,
                                 -body=(#this_error->get(1)));
                         /if;
                     /handle_error;

                     var('login_successful'      = true);

                 /protect;

             else(var_defined('login_using_db') == true && $login_using_db == true && $encrypted_password == field('user_password_hash'));

                 var('login_successful'      = true);

             /if;

             if($login_successful == true);
                 var('my_firstname'          = field('first_name'));
                 var('my_full_name'          = field('first_name') + ' ' + field('last_name'));
                 var('my_user_email'         = field('user_email'));
                 var('my_user_guid'          = field('user_guid'));
                 var('my_username'           = field('user_login_name'));
             /if;

         else(found_count == 0 && #db_access_error == 'No Error' && $user != '' && $user->size >= 2 && $password->size >= 8 && $login_using_db == false);
         //This is here for self registration

             local('myResult'                = ''); //This is here in case login fails.

             protect;

                 local('myfilter'            = '(&(sAMAccountName=' + $user + ')(objectClass=User))');

                 local('myLDAP'              = LDAP);

                 #myLDAP->Open($wa_addr);

                 #myLDAP->Authenticate($win_auth_user, $password);

                 #myLDAP->Search('dc=ADdomain,dc=companydomain,dc=com', LDAP_Scope_Subtree, #myfilter, Array('sn','givenName','mail','telephoneNumber','mobile','sAMAccountName','userPrincipalName'));

                 local('myResult'            = #myLDAP->Results);

                 #myLDAP->Close;

                 handle_error;
                     if(error_currenterror(-errorcode) == 49); // Invalid credentials
                         //login_successful already set to false
                     else; // Other error
                         local('this_error' = error_currenterror->split('\r'));
                         email_send(
                             -host=$email_server,
                             -from=$auto_email_from,
                             -subject='Self Registration LDAP Failure',
                             -to=$admin_email,
                             -body=(#this_error->get(1)));
                     /if;
                 /handle_error;

             /protect;

             local('ldap_firstname'          ='');
             local('ldap_lastname'           ='');
             local('ldap_email'              ='');
             local('ldap_workphone'          ='');
             local('ldap_mobilephone'        ='');
             local('ldap_login'              ='');

             if(#myResult->size == 1);

                 local('my_info' = (#myResult->get(1))->get(2));

                 if(#my_info->findposition('givenName')->size > 0);
                     #ldap_firstname = (((#my_info->find('givenName'))->first)->second)->get(1);
                 /if;

                 if(#my_info->findposition('sn')->size > 0);
                     #ldap_lastname = (((#my_info->find('sn'))->first)->second)->get(1);
                 /if;

                 if(#my_info->findposition('mail')->size > 0);
                     #ldap_email = string((((#my_info->find('mail'))->first)->second)->get(1)); //make it string to make email server happy
                 /if;

                 if(#my_info->findposition('telephoneNumber')->size > 0);
                     #ldap_workphone = (((#my_info->find('telephoneNumber'))->first)->second)->get(1);
                     #ldap_workphone->replace(' ','');
                     #ldap_workphone->replace('-','.');
                     #ldap_workphone->replace('/','.');
                     #ldap_workphone->replace(')','.');
                     #ldap_workphone->replace('(','');
                 /if;

                 if(#my_info->findposition('mobile')->size > 0);
                     #ldap_mobilephone = (((#my_info->find('mobile'))->first)->second)->get(1);
                     #ldap_mobilephone->replace(' ','');
                     #ldap_mobilephone->replace('-','.');
                     #ldap_mobilephone->replace('/','.');
                     #ldap_mobilephone->replace(')','.');
                     #ldap_mobilephone->replace('(','');
                 /if;

                 if(#my_info->findposition('sAMAccountName')->size > 0);
                     #ldap_login = (((#my_info->find('sAMAccountName'))->first)->second)->get(1);
                 /if;

                 if(#ldap_login != '' && #ldap_firstname != '' && #ldap_lastname != '' && #ldap_email != '');

                     var('user_guid'             = ACME_UUID);
                     var('encrypted_password'    = ACME_Hash(string($password),string(#ldap_login),string($user_guid)));

                     var('non_query_sql'='
INSERT INTO
 site_users
(
 user_guid,
 first_name,
 last_name,
 user_login_name,
 user_password_hash,
 change_password,
 user_email,
 user_phone_work,
 user_phone_mobile,
 active,
 created_datetime
)
VALUES
(
 \'' + encode_sql92($user_guid) + '\',
 \'' + encode_sql92(#ldap_firstname) + '\',
 \'' + encode_sql92(#ldap_lastname) + '\',
 \'' + encode_sql92(#ldap_login) + '\',
 \'' + encode_sql92($encrypted_password) + '\',
 0,
 \'' + encode_sql92(#ldap_email) + '\',
 \'' + encode_sql92(#ldap_workphone) + '\',
 \'' + encode_sql92(#ldap_mobilephone) + '\',
 1,
 \'' + date_format(date, -format='%Y-%m-%d %H:%M:%S') + '\'
)
;');

                     ACME_NonQuery(-sql = $non_query_sql);

                     var('my_firstname'      = #ldap_firstname);
                     var('my_full_name'      = #ldap_firstname + ' ' + #ldap_lastname);
                     var('my_user_email'     = #ldap_email);
                     var('my_user_guid'      = $user_guid);
                     var('my_username'       = #ldap_login);

                     email_send(
                         -host=$email_server,
                         -from=$auto_email_from,
                         -username=$smtp_auth_user,
                         -password=$smtp_auth_pass,
                         -subject='New Self-Registered User',
                         -to='[hidden email]',
                         -body=include('/includes/admin/new_user_email.las'));

                     email_send(
                         -host=$email_server,
                         -from=$auto_email_from,
                         -username=$smtp_auth_user,
                         -password=$smtp_auth_pass,
                         -subject='Welcome!',
                         -to=$my_user_email,
                         -bcc='[hidden email]',
                         -body=include('/includes/self_register_welcome_email.las'));

                     var('login_successful'  = true);

                 /if;

             /if;

         else; //Likely landed here due to a database error

             email_send(
                 -host=$email_server,
                 -from=$auto_email_from,
                 -subject='Login Issue with Database',
                 -to='[hidden email]',
                 -body=#db_access_error);

         /if;


         if($login_successful == true);

             var('login_attempt'     = 0);
             var('session_guid'      = ACME_UUID);
             var('ok'                = 'y');

             cookie_set('user' = $user, -path='/', -expires=259200);


         /*  Log visitor login  */


             var('login_expire_datetime' = date_format(date_add(date,-hour=1),-dateformat='%Y-%m-%d %H:%M:%S'));


             var('non_query_sql' = '
DECLARE @NEWGUID AS NVARCHAR(36);
SET @NEWGUID = \'' + ACME_UUID + '\';
DECLARE @BROWSER AS NVARCHAR(255);
SET @BROWSER = \'' + encode_sql92(client_type) + '\';
DECLARE @NOW AS DATETIME;
SET @NOW = \'' + $now + '\';
DECLARE @BGUID AS NVARCHAR(36);
SET @BGUID = @NEWGUID;
BEGIN TRY
INSERT INTO site_browsers (client_browser_guid, browser_identifier, created_datetime, last_access_datetime) VALUES (@NEWGUID, @BROWSER, @NOW, @NOW);
END TRY
BEGIN CATCH
SET @BGUID = (SELECT client_browser_guid FROM site_browsers WHERE browser_identifier = @BROWSER);
UPDATE site_browsers SET last_access_datetime = @NOW WHERE client_browser_guid = @BGUID;
END CATCH
;

INSERT INTO
 site_login_activity
(
 user_guid,
 login_datetime,
 client_ip,
 session_guid,
 login_expire_datetime,
 server_ip,
 client_browser_guid
)
VALUES
(
 \'' + $my_user_guid + '\',
 \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
 \'' + client_ip + '\',
 \'' + $session_guid + '\',
 \'' + $login_expire_datetime + '\',
 \'' + server_ip + '\',
 @BGUID
)
;

UPDATE
 site_users
SET
 last_login_datetime = \'' + date_format(date,-dateformat='%Y-%m-%d %H:%M:%S') + '\',
 user_password_hash = \'' + encode_sql92($encrypted_password) + '\'
WHERE
 user_guid = \'' + $my_user_guid + '\'
;');

             ACME_NonQuery(-sql = $non_query_sql);

             if($type == 'ajax');
                 output('OK');
             else;
                 redirect_url($my_dest);
             /if;

         else; // Failed Login Attempt

             var('badtry'            = 'y');
             var('login_attempt'     = ($login_attempt + 1));
             if($login_attempt < 5);
                 var('login_err_msg' = 'Login failed.\rYou have ' + (5 - $login_attempt) + ' more tries before\rlocking your account for 10 minutes.');
             else;
                 var('login_err_msg' = 'Login failed.\rYou have likely locked your account.\rTry again in 10 minutes.');
             /if;
             var('ok'                = 'n');

             if($type == 'ajax');
                 output($login_err_msg,-encodebreak);
             else;
                 var('content_inc' = '/includes/login.las');
                 include('/includes/page.las');
             /if;

         /if;

     /inline;

 else;

     //If you landed here it's because your login credentials did not meet the
     //OUR policy minimums

     var('badtry'            = 'y');
     var('login_err_msg'     = 'Login failed.\rUser or Password does not meet\rOUR Policy minimums.\rTry again.');
     var('ok'                = 'n');

     if($type == 'ajax');
         output($login_err_msg,-encodebreak);
     else;
         var('content_inc' = '/includes/login.las');
         include('/includes/page.las');
     /if;

 /if;

?>


________________________________________
From: [hidden email] <[hidden email]> on behalf of Patrick Larkin <[hidden email]>
Sent: Sunday, August 30, 2015 11:08 PM
To: [hidden email]
Subject: [EXTERNAL] Re: AD authentication with Lasso (8.x)

Gary -

A couple questions.  This seems to be working for me but I’m not quite sure.

In this section

handle_error;
    if(error_currenterror(-errorcode) == 49); // Invalid credentials
        //login_successful already set to false

Should I be inserting an abort in there and sending the user an Invalid Credentials message?  I’m assuming you chopped something out?

Otherwise, the line

var('login_successful'      = true);

would always set the login success to “true”.  It seems if I abort and send the user an “Invalid” error message, it never gets to the above variable set.

Are you able to get user attributes from AD as well?

Also, are you able to login to a domain and not specify a particular DC?  You seem to point to a specific server.

var('wa_addr'                   = 'ADserver.yourcompany.com');


Thanks again.






On Aug 27, 2015, at 7:05 PM, Sprague, Gary <[hidden email]> wrote:

Patrick,

We are doing it at our company.  I have a solution that not only does authentication, but will allow self registration where I store basic information pulled from AD.

Here is a code snipped on the authentication part:

var('wa_addr'                   = 'ADserver.yourcompany.com');
var('win_auth_user'             = 'ADdomain\\' + $user);
var('login_successful'          = false);

protect;

// Simple bind as DOMAIN\user with the submitted password.  An error raised by
// any of these three calls leaves the protect block immediately and runs the
// handle_error block below.
local('myLDAP' = LDAP);
#myLDAP->Open($wa_addr);
#myLDAP->Authenticate($win_auth_user, $password);
#myLDAP->Close;

handle_error;
    if(error_currenterror(-errorcode) == 49); // Invalid credentials
        //login_successful already set to false
    else; // Other error (server unreachable, bind refused, ...): tell the admin
        local('this_error' = error_currenterror->split('\r'));
        email_send(
            -host=$email_server,
            -from=$auto_email_from,
            -subject='LDAP Login Failure',
            -to=$admin_email,
            -body=(#this_error->get(1)));
    /if;
/handle_error;

// Reached only when Authenticate returned without error.
var('login_successful'      = true);

/protect;

Gary Sprague
TV Systems Engineer
HSN, 1 HSN Drive, St. Petersburg, FL 33729
Office 727.872.4489
[hidden email]

On Aug 27, 2015, at 8:59 AM, Patrick Larkin <[hidden email]> wrote:

Before I embark on trying stuff, can anyone confirm that they have a working solution authenticating people against the AD using the Lasso LDAP tags?  Is there another route to explore?  Any working examples of code out there?

I currently authenticate against a MySQL table.


Thanks!


——
Patrick Larkin
Application Management Group
Information Technology
Bethlehem Area School District
https://www.beth.k12.pa.us


#############################################################

This message is sent to you because you are subscribed to
the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
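
Added example, not Gary's or Patrick's code and in Python rather than Lasso (the verifier can run it; a constructed FakeDirectory stands in for a real DC): the same decision logic as the script in this thread, i.e. bind as DOMAIN\user, treat LDAP result 49 as a bad password, alert an admin on any other error, and count failures toward a 10-minute lock after 5 tries. It adds two things the thread leaves implicit. First, the pre-bind policy check is explicit about the empty-password case: RFC 4513 calls a bind with a name and no password an unauthenticated bind, and AD answers it with success as an anonymous session, so a login form that forwards an empty password to the directory "authenticates" anyone. Second, on result 49 it pulls the "data NNN" subcode out of AD's diagnostic message so the log can tell a wrong password (52e) from a locked (775), disabled (533) or expired-password (532) account while the user still sees a generic message. The LdapError type, the alert callback and FakeDirectory are assumptions made for this example. Two further caveats for anyone copying the approach: a simple bind carries the password in clear unless the connection is LDAPS or StartTLS, and pointing the client at the domain's DNS name instead of one DC host works because every DC registers an A record under the domain name, which answers the question about not naming a specific server.

```python
"""AD bind-authentication decision logic (added example, not from the thread)."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LDAP_INVALID_CREDENTIALS = 49      # LDAP resultCode invalidCredentials (RFC 4511)
MAX_ATTEMPTS = 5                   # same thresholds as the thread's script
LOCKOUT_SECONDS = 10 * 60

# Subcodes AD places after "data" in the diagnostic message of a result-49 bind.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


class LdapError(Exception):
    """Assumed stand-in for whatever your LDAP client raises; carries the result code."""
    def __init__(self, code: int, message: str) -> None:
        super().__init__(message)
        self.code = code
        self.message = message


@dataclass
class AuthResult:
    ok: bool
    reason: str
    tries_left: int = MAX_ATTEMPTS


def credentials_meet_policy(user: str, password: str) -> bool:
    """Reject input before it reaches the directory.

    The empty password is the critical case: a bind with a name and no password
    is an unauthenticated bind, which AD accepts (as anonymous) with a success
    result, so without this check "no password" would log the user in.
    """
    if not user or not password:
        return False
    if len(user) > 20 or len(password) > 256:          # sAMAccountName is at most 20 chars
        return False
    return re.fullmatch(r"[A-Za-z0-9._-]+", user) is not None


def ad_subcode(message: str) -> str:
    """Map the 'data NNN' token of an AD bind failure to its meaning."""
    match = re.search(r"\bdata ([0-9a-f]+)", message)
    return AD_BIND_SUBCODES.get(match.group(1), "unknown subcode") if match else "no subcode"


class Authenticator:
    def __init__(self, bind: Callable[[str, str], None], domain: str,
                 alert: Callable[[str], None]) -> None:
        self._bind = bind          # bind("DOMAIN\\user", password); raises LdapError on failure
        self._domain = domain
        self._alert = alert        # the admin e-mail in the thread's script
        self._failures: Dict[str, Tuple[int, float]] = {}   # user -> (count, locked_until)

    def login(self, user: str, password: str, now: Optional[float] = None) -> AuthResult:
        now = time.time() if now is None else now
        if not credentials_meet_policy(user, password):
            return AuthResult(False, "credentials do not meet policy")
        count, locked_until = self._failures.get(user, (0, 0.0))
        if locked_until > now:
            return AuthResult(False, "locked; try again later", 0)
        if locked_until:
            count = 0                                   # earlier lockout has expired
        try:
            self._bind(f"{self._domain}\\{user}", password)
        except LdapError as err:
            if err.code != LDAP_INVALID_CREDENTIALS:
                # Server or network trouble, not a bad password: alert, do not count it.
                self._alert(err.message.splitlines()[0])
                return AuthResult(False, "directory error", MAX_ATTEMPTS - count)
            count += 1
            locked_until = now + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
            self._failures[user] = (count, locked_until)
            # The subcode is for the operator's log; show the user only "login failed".
            return AuthResult(False, f"login failed ({ad_subcode(err.message)})",
                              max(0, MAX_ATTEMPTS - count))
        self._failures.pop(user, None)
        return AuthResult(True, "ok")


class FakeDirectory:
    """Constructed stand-in for a DC so the example runs offline (assumption)."""
    def __init__(self, users: Dict[str, str], locked=(), reachable: bool = True) -> None:
        self.users, self.locked, self.reachable = users, set(locked), reachable

    def bind(self, name: str, password: str) -> None:
        if not self.reachable:
            raise LdapError(81, "Can't contact LDAP server")
        user = name.split("\\", 1)[1]
        if user in self.locked:       # AD reports lockout as result 49 with subcode 775
            raise LdapError(49, "80090308: LdapErr: DSID-0C0903A9, comment: "
                                "AcceptSecurityContext error, data 775, v1db1")
        if self.users.get(user) != password:
            raise LdapError(49, "80090308: LdapErr: DSID-0C0903A9, comment: "
                                "AcceptSecurityContext error, data 52e, v1db1")
```

To wire this to a real directory with ldap3 (names from that library, not from the thread), the adapter builds `Connection(server, user="DOMAIN\\user", password=pw, authentication=SIMPLE)`, calls `bind()`, and on a False return raises `LdapError(conn.result["result"], conn.result["message"])`; the counter is per process here and would live in the session store or database in a multi-server deployment, alongside whatever lockout policy AD itself enforces.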