This patch from AllianceTec modifies the users_ldap authentication backend,
and fixes caching problems for the HTTP login module (in the core). It has
not yet been applied because the ewiki_auth() interface is going to get
overhauled considerably anyhow.
cd .../ewiki-R1.0Nx/
patch -p1 < .../auth_ldap.patch
--- ewiki-R1.02a+dev3/ewiki.php 2004-09-29 14:14:48.000000000 -0500
+++ at_patches/ewiki.php 2005-03-01 10:42:45.883229728 -0600
@@ -3232,7 +3232,7 @@
$ok = true;
$ewiki_errmsg="";
-#echo "_a($id,dat,$action,$ring,$request_auth)
\n";
+#echo "_a($id,$data,$action,$ring,$request_auth)
\n";
if (EWIKI_PROTECTED_MODE) {
@@ -3337,6 +3337,13 @@
if ($username || $password) {
ewiki_log("_auth_userdb: wrong password supplied for user '$username', not verified against any userdb", 3);
$ewiki_errmsg = "wrong username and/or password";
+ // Alliance Technologies addition
+ #-- If the ewiki_auth_query_http plugin is loaded, we need the following to prevent the HTTP auth from being cached by the browser
+ if ($ewiki_plugins["auth_query"][0] == "ewiki_auth_query_http") {
+ header('HTTP/1.1 401 Authentication Required');
+ header('Status: 401 Authentication Required');
+ header('WWW-Authenticate: Basic realm="Login incorrect"');
+ }
# ewiki_auth($uu, $uu, $uu, $uu, 2);
}
return(false);
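Review bot: The added condition reads `$ewiki_plugins["auth_query"][0]` without checking that the key exists, and it only inspects the first registered plugin, so the 401 challenge is silently skipped if ewiki_auth_query_http is registered at any other index. The `header()` calls also have no effect once output has started. A sturdier guard would be `if (!headers_sent() && isset($ewiki_plugins["auth_query"]) && in_array("ewiki_auth_query_http", $ewiki_plugins["auth_query"])) {`. The enclosing function starts outside the hunk, so whether `$ewiki_plugins` is declared `global` there cannot be confirmed from here. A one-line comment such as `#-- changing the realm makes the browser drop the rejected Basic credentials` would explain why the realm string differs from the normal login realm.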
@@ -3962,4 +3969,4 @@
-
\ No newline at end of file
+
--- ewiki-R1.02a+dev3/plugins/auth/users_ldap.php 2003-12-01 11:14:05.000000000 -0600
+++ at_patches/users_ldap.php 2005-03-01 10:42:46.022208600 -0600
@@ -4,45 +4,63 @@
Check username and password by connecting to LDAP server.
*/
-
-#-- config
-define("EWIKI_LDAP_SERVER", "ldap.example.com");
-define("EWIKI_LDAP_RDN", 'cn=$USER,ou=users,dc=example,dc=com');
-define("EWIKI_LDAP_FILTER", ""); // sn=* ???
-define("EWIKI_LDAP_RING", 2);
-
-
#-- glue
$ewiki_plugins["auth_userdb"][] = "ewiki_auth_userdb_ldap";
-
-
-function ewiki_auth_userdb_ldap($username, $password=NULL) {
-
- #-- connect
- if ($conn = ldap_connect(EWIKI_LDAP_SERVER)) {
-
- #-- vars
- $rdn = preg_replace('/[$%_]+\{USER\}|[$%]+USER[$%]?/i', $username, EWIKI_LDAP_RDN);
- $search = EWIKI_LDAP_SEARCH;
-
- #-- bind to domain
- if (ldap_bind($conn, $rdn, $password)) {
-
- #-- connected == authenticated
- if (!$search || ldap_count_entries($conn, ldap_search($conn, $rdn, $search)) ) {
-
- ldap_close($conn);
-
- #-- return password array() as true value for userdb plugins
- return(array($password, EWIKI_LDAP_RING));
- }
-
- }
-
- ldap_close($conn);
- }
- return(false);
+function ewiki_auth_userdb_ldap($username, $password) {
+// Modified for Alliance Technologies
+ //return(array($password, EWIKI_LDAP_RING)); // Added by Josh on 2005-02-25 to disable edirectory check for PM
+
+ #-- connect
+ if ($conn = ldap_connect(EWIKI_LDAP_SERVER)) {
+ // -- Begin Alliance Technologies Add
+ // TODO: make this conditionalized
+ if (!ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3)) {
+ fatal_error("Failed to set LDAP Protocol version to 3, TLS not supported.");
+ }
+ if (!ldap_start_tls($conn)) {
+ fatal_error("Ldap_start_tls failed");
+ }
+ // -- End Alliance Technologies Add
+
+ #-- vars
+ $rdn = preg_replace('/[$%_]+\{USER\}|[$%]+USER[$%]?/i', $username, EWIKI_LDAP_RDN);
+ // -- Alliance Technologies - Changed SEARCH to FILTER
+ $search = EWIKI_LDAP_FILTER;
+
+ #-- bind to domain
+ error_reporting(E_ERROR);
+ if (ldap_bind($conn, $rdn, $password)) {
+ #-- connected == authenticated
+ if ($rdn == 'cn=morej,o=alliance') {
+ ldap_close($conn);
+ return(array($password, EWIKI_LDAP_ADMIN_RING));
+ }
+ if (!$search || ldap_count_entries($conn, ldap_search($conn, $rdn, $search)) ) {
+ ldap_close($conn);
+ #-- return password array() as true value for userdb plugins
+ return(array($password, EWIKI_LDAP_RING));
+ }
+ } elseif ($rdn) {
+ //Failure
+ return(false);
+ header('HTTP/1.1 401 Authentication Required');
+ header('Status: 401 Authentication Required');
+ header('WWW-Authenticate: Basic realm="Login incorrect"');
+ $redir = 'http://' . $_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"] ;
+ $redir = ereg_replace('=.+/','=',$redir);
+ #header("Location: $redir");
+
+ echo('
');
+ var_dump($_SERVER);
+ echo('');
+ die();
+ }
+ error_reporting(E_ALL & ~E_NOTICE);
+
+ ldap_close($conn);
+ }
+return(false);
}
-?>
\ No newline at end of file
+?>
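Review bot: ewiki_auth_userdb_ldap() hands `$password` to `ldap_bind()` without rejecting an empty value, and many directory servers treat a bind with a DN and an empty password as an anonymous bind that succeeds, so a login can be reported as verified with no credential check; add `if (!is_string($password) || $password === '') { return(false); }` before the connect. `$username` is also substituted into EWIKI_LDAP_RDN unescaped, and the result is compared with the hard-coded DN `cn=morej,o=alliance` to grant EWIKI_LDAP_ADMIN_RING; the admin DN belongs in configuration, and the username should be DN-escaped or restricted to an allow-listed character set before substitution. Everything after `return(false);` in the `elseif ($rdn)` branch is unreachable and should be deleted rather than kept, because `var_dump($_SERVER)` would print the request's Basic-auth credentials and the server environment if that return were ever removed; the commented-out `//return(array($password, EWIKI_LDAP_RING));` bypass at the top should go for the same reason. The failure return skips `ldap_close($conn)`, and it and both success returns leave `error_reporting(E_ERROR)` in force for the rest of the request. The hunk removes the `define()` lines for EWIKI_LDAP_SERVER, EWIKI_LDAP_RDN, EWIKI_LDAP_FILTER and EWIKI_LDAP_RING and calls `fatal_error()`, none of which are defined in the visible patch, so confirm they are provided elsewhere.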