#1 2007-11-14 17:42:53

futhwo
Member
Registered: 2007-11-14
Posts: 4

YALT (Yet Another LDAP Thread)

Hi,
I saw this question posted a lot in this forum, but I still cannot resolve my problem.

I have an OpenLDAP directory; in this directory group membership is regulated by multiple "memberUid" (valorized with users "uid" attribute value) in the group entry.

I set up external authentication, but still when a user logs in they are not automatically added to the groups I created.

Here is my configuration:

LDAP Host  = ldap://my.ldap.server
LDAP Port (default=389)    = 389
Basedn = dc=mycompany,dc=mycountry
rootdn (for non anonymous binds) = cn=myadmin,dc=mycompany,dc=mycountry
Pass (for non-anonymous binds)    = ********
Connection filter = <blank>   
Login Field = uid
Use TLS    = no

Belonging to groups
Search type = In groups
User attribute containing its groups = <blank>
Filter to search in groups = <blank>
Group attribute containing its users = memberuid (I tried with memberUid too but nothing changes)
GLPI/LDAP Links
Surname    = sn
Firstname = givenname
Location = <blank>
E-Mail    = mail
Phone = <blank>
Phone 2    = <blank>
Mobile    = <blank>



In the definition of groups I put:

Name:     groupName

In users:
User attribute containing its groups: <blank>
LDAP Value: <blank>
In groups:
Group DN: cn=groupName,ou=groupsOU,dc=mycompany,dc=mycountry (note: the DN is correct, I triple-checked it)
   
Comments: <blank>


The users can log in, and their attributes (mail, name, surname) are correctly valorized, but even if I created one of the groups the user belongs to in LDAP, I cannot see the user as belonging to the group in the GLPI admin interface after his login.

Thanks in advance for any help


#2 2007-11-14 17:47:29

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019

Re: YALT (Yet Another LDAP Thread)

You must indicate a Filter to search in groups, I think.
For example (objectclass=groupOfNames) if the group's class is groupOfNames.


#3 2007-11-14 18:12:45

futhwo
Member
Registered: 2007-11-14
Posts: 4

Re: YALT (Yet Another LDAP Thread)

In which format?

I tried with:

filter to search in groups: (&(objectClass=posixGroup))

and:

filter to search in groups: (objectClass=posixGroup)

and:

filter to search in groups: objectClass=posixGroup

but with no luck at all.


To give more information: I am using GLPI 0.68.3.2 on a FreeBSD 6.2 server (if any other info is needed to help me I'd be glad to answer).


#4 2007-11-14 19:12:33

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019

Re: YALT (Yet Another LDAP Thread)

(objectClass=posixGroup)


#5 2007-11-15 10:40:38

futhwo
Member
Registered: 2007-11-14
Posts: 4

Re: YALT (Yet Another LDAP Thread)

As I said, I tried it but it does not work.


#6 2007-11-15 17:54:23

shm
Member
Registered: 2007-11-15
Posts: 7

Re: YALT (Yet Another LDAP Thread)

I was having the same problem,

My settings are similar to futhwo's.

Everything else worked fine so far for LDAP, but when it attempted to query for groups, GLPI forms an invalid filter.
E.g., from the LDAP server logs:

SRCH base="dc=inter,dc=localdomain" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=uid=shm))"


The correct filter would have memberUid=shm, instead of memberUid=uid=shm

After a bit of investigation I found where this happens.  Inside the function getFromLDAP($ldap_method, $userdn, $login, $password = "")

In "inc/user.class.php" on line 522

Change   $user_tmp = $ldap_method["ldap_login"]."=".$login;
to            $user_tmp = $login;

Now when you use the option 'Use DN in the search: No', you should get the correct filter showing up.

As long as whatever field you use for the Group attr contains items that would match the login field.
ie. memberUid containing valid uid's of people.
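
The two search modes and the corrected filter from the post above, as an added example that is not part of the thread and is not GLPI's code. The function names and the sample group entry are constructed for illustration, and the RFC 4515 escaping of the login value is an addition the thread does not discuss.

```python
# Added example (not GLPI code): build the group search filter for both modes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 so it is matched as literal text."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(group_condition, member_attr, login, user_dn=None, use_dn=False):
    """Return the filter that finds the groups one user belongs to.

    use_dn=False: member_attr holds bare logins (posixGroup / memberUid).
    use_dn=True:  member_attr holds full DNs (e.g. groupOfNames / member).
    """
    cond = group_condition.strip()
    if not (cond.startswith("(") and cond.endswith(")")):
        raise ValueError("group condition must be parenthesised")
    if use_dn and not user_dn:
        raise ValueError("use_dn=True requires the user's DN")
    value = user_dn if use_dn else login
    return "(&%s(%s=%s))" % (cond, member_attr, escape_filter_value(value))


def entry_has_value(entry, attr, value):
    """Exact equality check of one attribute value against a directory entry."""
    wanted = attr.lower()  # attribute names are case-insensitive
    return any(value in vals for name, vals in entry.items() if name.lower() == wanted)


# Constructed sample entry, shaped like the posixGroup described in the thread.
SAMPLE_GROUP = {
    "objectClass": ["posixGroup"],
    "cn": ["groupName"],
    "memberUid": ["shm", "futhwo"],
}

if __name__ == "__main__":
    print(group_filter("(objectClass=posixGroup)", "memberUid", "shm"))
    # The value seen in the logged filter ("uid=shm") is not a memberUid value,
    # so the search returns no groups; the bare login does match.
    print(entry_has_value(SAMPLE_GROUP, "memberuid", "uid=shm"))
    print(entry_has_value(SAMPLE_GROUP, "memberuid", "shm"))
```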
