imap_auth (eg to gmail)

Post by mark.reynolds » Tue Mar 01, 2016 3:05 pm

Following on from other suggestions and working code for ldap_auth, I have modified the
approach, files and php code in nuapi.php to accommodate for an imap_auth. Seems to work.

The approach being that most people have a gmail account already, and if it has imap
enabled, then it can be used to authenticate users in nuBuilderPro, just like ldap can.
The big difference between the 2 for me, is that there is no easy way to use gmail
as your ldap auth source, and the other options (OAuth) require much larger effort.

I'm interested in hearing from anyone about any problems with this approach.
Or any suggestions on better ways to achieve the same thing?

I'm also wondering about the process to add code to the main distribution, so that
user accounts can be authenticated from local stored password, imap or ldap, and
how that would work. It would need some major changes to enable more settings
options, and perhaps, different ways to authenticate a user.

There is also the question (sorry, more code) about whether a new user who does
authenticate, should then be able to have a local account auto created or not.
More settings options required.

Before I start on any of that, I'd like feedback on whether those things are needed,
requested, or not, and whether the additions would get support or not?

Anyway, to the code.

=======================================================================

First, you need your standard LAMP stack to have php5-imap installed and working.
Try something like (depending on your platform of course) :
aptitude install php5-imap

Just like for ldap_auth, you would need php5-ldap installed
aptitude install php5-ldap

=======================================================================

You can (should) test that you can run this test script from command line first,
before proceeding. If you can't get this script saying Connected! you won't get
much further with the next step.

#!/usr/bin/php
<?php

// Mailbox spec: IMAP over SSL on port 993, opened read-only, server certificate validated.
$authhost="{imap.gmail.com:993/imap/ssl/readonly/validate-cert}";
$user="username@gmail.com";
$pass="put your password in here temp like";

$options = 0;   // no extra imap_open flags
$retry = 1;     // a single connection attempt

if ($mbox=imap_open( $authhost, $user, $pass, $options, $retry ))
{
    echo "<h1>Connected</h1>\n";
    imap_close($mbox);
} else
{
    echo "<h1>FAIL!</h1>\n";
}

?>

=======================================================================

Then take a copy of your nuapi.php file as a backup, and edit the function
nuLogin to replace this code chunk
-----
$s = "
SELECT *
FROM zzzsys_user
WHERE sus_login_name = '$u' AND zzzsys_user_id != 'globeadmin'
";
-----
with this code chunk

// ========= start new MLR section for imap auth =========

$authhost="{imap.gmail.com:993/imap/ssl/readonly/validate-cert}";
$imapuser= $u . "@gmail.com";
$options = 0;
$retry = 1;
if ($mbox=imap_open( $authhost, $imapuser, $p, $options, $retry ))
{
    // print "<h1>IMAP Auth succeeded ! </h1>\n";
    imap_close($mbox);

    $s = "SELECT * FROM zzzsys_user WHERE sus_login_name = '$u' ";

    // $s = "SELECT * FROM zzzsys_user WHERE sus_login_name = '$u' AND zzzsys_user_id != 'globeadmin'";

// } else {
//     print "<h1>IMAP AUTH LOGIN FAILURE !</h1>\n";
}

// ========= end new MLR section for imap auth =========

=======================================================================
This is what a diff file between new and old file would look like:

# diff new-nuapi.php old-nuapi.php
1075,1097c1075,1080
< // ========= start new MLR section for imap auth =========
<
< $authhost="{imap.gmail.com:993/imap/ssl/readonly/validate-cert}";
< $imapuser= $u . "@gmail.com";
< $options = 0;
< $retry = 1;
< if ($mbox=imap_open( $authhost, $imapuser, $p, $options, $retry ))
< {
< // print "<h1>IMAP Auth succeeded ! </h1>\n";
< imap_close($mbox);
<
< $s = "SELECT * FROM zzzsys_user WHERE sus_login_name = '$u' ";
<
< // $s = "SELECT * FROM zzzsys_user WHERE sus_login_name = '$u' AND zzzsys_user_id != 'globeadmin'";
<
<
< // } else {
< // print "<h1>IMAP AUTH LOGIN FAILURE !</h1>\n";
< }
<
< // ========= end new MLR section for imap auth =========
<
<
---
> $s = "
> SELECT *
> FROM zzzsys_user
> WHERE (sus_login_name = ? AND sus_login_password = md5(CONCAT(?, ?)))
> AND zzzsys_user_id != 'globeadmin'
> ";
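
Review bot: The replacement query on the new side builds sus_login_name = '$u' by interpolating the login name into the SQL string, where the old side bound it with a ? placeholder; keep the placeholder and bind $u. The new side also leaves the AND zzzsys_user_id != 'globeadmin' condition only in a commented-out line, so the globeadmin row is no longer excluded from the lookup; restore it unless that is intended. Because the else branch is commented out, $s is never assigned when imap_open fails, so set an explicit failure result there rather than relying on how later code handles an undefined $s. The diff was taken as new against old (diff new-nuapi.php old-nuapi.php), so the < lines are the additions, which is the reverse of the usual order.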

=======================================================================

To test, this mod requires you to already have a nubuilderpro account created, with
a dummy local password that is then ignored.

So you need to have a local account, with the same username as your gmail
account, which will then authenticate to gmail.

You can also use domains other than gmail.com, if you have Google Apps,
or even your own IMAP server somewhere.

Other things to check if you have 'issues':
1. does outbound firewall allow port 993?
2. are you using SELinux? (turn it off maybe)
3. does your command line php have the modules and config?
4. don't fail login too often, else gmail may lock you out of your account!

=======================================================================
regards
Mark
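
A fail-closed variant of the nuLogin change above, as an added example that is not part of the original post or of nuBuilderPro: the IMAP check gates the lookup, the login name is bound instead of interpolated, and globeadmin stays excluded. The function names imapCredentialsValid() and loginViaImap() are hypothetical, the PDO handle is an assumption standing in for the database layer nuapi.php uses, and the SQLite table and stub verifier are constructed demo data.

```php
<?php
// Added example. Hypothetical names: imapCredentialsValid(), loginViaImap().
// Assumption: a PDO handle stands in for the database layer nuapi.php uses.
const IMAP_HOST   = '{imap.gmail.com:993/imap/ssl/readonly/validate-cert}';
const MAIL_DOMAIN = 'gmail.com';

function imapCredentialsValid(string $u, string $p): bool
{
    $mbox = @imap_open(IMAP_HOST, $u . '@' . MAIL_DOMAIN, $p, 0, 1);
    imap_errors();               // drain the error stack so it is not dumped at shutdown
    if ($mbox === false) {
        return false;
    }
    imap_close($mbox);
    return true;
}

function loginViaImap(PDO $db, callable $verify, string $u, string $p): ?array
{
    // Allowlist the login name and refuse empty passwords before any network call.
    if ($p === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}\z/', $u)) {
        return null;
    }
    if (!$verify($u, $p)) {
        return null;             // fail closed: no query runs after a failed IMAP login
    }
    // Bound parameter instead of '$u' in the string; globeadmin stays excluded.
    $st = $db->prepare(
        "SELECT * FROM zzzsys_user
          WHERE sus_login_name = ? AND zzzsys_user_id != 'globeadmin'"
    );
    $st->execute([$u]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: in-memory SQLite and a stub verifier, so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE zzzsys_user (zzzsys_user_id TEXT, sus_login_name TEXT)");
$db->exec("INSERT INTO zzzsys_user VALUES ('u1','alice'), ('globeadmin','globeadmin')");
$stub = fn(string $u, string $p): bool => $p === 'correct-password';

foreach ([['alice', 'correct-password'], ['alice', 'wrong'],
          ['globeadmin', 'correct-password'], ["x' OR '1'='1", 'correct-password']] as [$u, $p]) {
    printf("%-14s %s\n", $u, loginViaImap($db, $stub, $u, $p) ? 'accepted' : 'rejected');
}
```

In a real login path, pass 'imapCredentialsValid' as $verify; the demo never calls it, so it runs without the imap extension or network access.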