#1 2008-04-08 11:25:08

matthieu
Member
Registered: 2008-04-01
Posts: 3

edirectory and groups

Hello GLPI users,

first post here... I'm trying to set up GLPI using an LDAP eDirectory.
I'm about to succeed, but there is still an annoying blocking point, as you will see...

Here is my config:
================================
GLPI : 0.70.2
SLES 10sp1 (x86_64)
Apache : 2.2.3 / PHP : 5.1.2 / MySQL : 5.0.26
================================

Authentication
==========
LDAP
Server = edirserver
Basedn = o=mycompany
Login Field = uid
Use TLS = no
Belonging to groups
Search type = In users
Use DN in the search = no
GLPI/LDAP Links
Surname = sn
...
==========

I can retrieve/sync all the users from the LDAP.
The problem I have is with the groups:

a] this one is working:
Groups
==========
Name: IT - ALL
In users:
User attribute containing its groups:   groupmembership
LDAP Value: cn=IT - ALL,ou=groups,o=mycompany
==========

b] this one is not working:
Groups
==========
Name: Location
In users:
User attribute containing its groups:   l       <=== this is the letter "l" like in LIMA.
LDAP Value: mycity
==========

For information, here is the result of the ldap search from my sled box:
================================================================
sledbox# ldapsearch -x -LLL uid=myuserid -h edirserver dn l groupmembership
dn: cn=myuserid,ou=mycity,o=NIWA
groupmembership: cn=IT - ALL,ou=groups,o=mycompany
l: mycity
================================================================

I can't figure out why b] is not working... any idea?
If group a] is the only one defined and I force the synchronization, my user is correctly associated with the group.
As soon as I add the definition for group b] and force the synchronization, my user is no longer associated with any group... I really need to get this city location associated with a group...

I already tried to get the location information from the OU included in the DN of the user, without any success...
http://glpi-project.org/wiki/doku.php?i … uaire_ldap

c] this one is not working either...
Authentication
==========
User attribute containing its groups = dn
==========
Groups
==========
Name: Location
In users:
User attribute containing its groups:   ou
LDAP Value: mycity
==========

I would greatly appreciate any help... Otherwise we will have to go to a novel closed solution for managing our helpdesk... this would be very bad news... :-)

Cheers,

Matthieu

Last edited by matthieu (2008-04-08 11:34:12)


-= Matthieu =-
GLPI : 0.70.2
SLES 10sp1 (x86_64)
Apache : 2.2.3 / PHP : 5.1.2 / MySQL : 5.0.26

Offline

#2 2008-04-08 11:41:44

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: edirectory and groups

Hello, thanks for this very detailed report.

I'll try to reproduce this bug.
Anyway, if you could come on IRC (irc.freenode.net #glpi), it'll be easier to talk about your problem.

Offline

#3 2008-04-10 06:55:07

matthieu
Member
Registered: 2008-04-01
Posts: 3

Re: edirectory and groups

Hello Wawa,

Thanks for your help yesterday evening on the irc...
What I've learned yesterday is:
# in login.php comment the lines 240 and 242 so as not to be redirected at login and be able to debug the thing...

I've done some testing today, and here are the results.

I've installed SLES10sp2rc1 [this is the latest RC in date: 2008/03/26] on another box to do the testing.
apache      2.2.3-16.18
php5         5.2.5-9.5
mysql        5.0.26-12.18

1] In debug mode I no longer get all the "php deprecated" messages, which is a good thing...

2] In inc/user.class.php, I've added before and after the line 501 [$group_fields = array_unique($group_fields);] the following lines : print_r($group_fields);

In a wrong situation the result is :

Array ( [0] => groupmembership [1] => groupmembership [2] => l )
PHP ERROR: ldap_read(): Array initialization wrong in /srv/www/htdocs/glpi/inc/user.class.php at line 503
PHP ERROR: ldap_get_entries(): supplied argument is not a valid ldap result resource in /srv/www/htdocs/glpi/inc/user.class.php at line 504
Array ( [0] => groupmembership [2] => l )

I've noticed that if I add after the line 501 this line : sort($group_fields); I get:

Array ( [0] => groupmembership [1] => groupmembership [2] => l )
Array ( [0] => groupmembership [1] => l )

It looks like ldap_read [line 503] does not like the array $group_fields being unsorted when querying an eDirectory...

===> the "definitive" solution for me is to add in inc/user.class.php after the line 501: sort($group_fields);

Last edited by matthieu (2008-04-10 07:02:59)



Offline
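
The failure described in post #3, reproduced without a directory server as an added example (not code from GLPI or from either poster): `array_unique()` preserves keys, so the de-duplicated attribute list has a gap at index 1, and renumbering it is what `sort()` accomplished. The function names and the `$ds` / `$user_dn` variables in the final comment are assumptions.

```php
<?php
// Added example, not GLPI code. Function names are hypothetical.

// True when the array's keys are exactly 0..n-1 in order, which is the
// shape PHP's LDAP functions expect for their attribute list.
function is_sequential_list(array $a)
{
    return array_values($a) === $a;
}

// De-duplicate an attribute list and renumber it from 0.
// array_unique() keeps the key of each first occurrence, so dropping a
// duplicate leaves a gap; array_values() closes it and keeps the order.
// sort(), the fix posted above, also renumbers but reorders the names.
function ldap_attribute_list(array $fields)
{
    return array_values(array_unique($fields));
}

// Refuse a gapped list up front, so a bad attribute array fails loudly
// instead of leaving the user's group memberships unsynchronized.
function require_sequential(array $attrs)
{
    if (!is_sequential_list($attrs)) {
        throw new InvalidArgumentException(
            'attribute list has non-consecutive keys: '
            . implode(',', array_keys($attrs))
        );
    }
    return $attrs;
}

// Constructed input, same values as the print_r() output in the post.
$group_fields = array('groupmembership', 'groupmembership', 'l');

$gapped = array_unique($group_fields);        // duplicate at key 1 removed
$sorted = $gapped;
sort($sorted);                                // the thread's fix
$fixed  = ldap_attribute_list($group_fields); // order-preserving variant

foreach (array('array_unique' => $gapped, 'sort' => $sorted,
               'array_values' => $fixed) as $label => $list) {
    printf("%-12s keys=[%s] sequential=%s\n", $label,
        implode(',', array_keys($list)),
        is_sequential_list($list) ? 'yes' : 'no');
}

// ldap_read($ds, $user_dn, '(objectClass=*)', require_sequential($fixed));
```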

#4 2008-04-10 09:45:59

wawa
GLPI-DEV
From: Montpellier / France
Registered: 2006-07-03
Posts: 6,019
Website

Re: edirectory and groups

Hello Matthieu,
1/ good news, it was really coming from PHP...
2/ I've committed your fix, https://dev.indepnet.net/glpi/changeset/6694. It changes nothing with OpenLDAP

So now it works fine for you?

Offline

#5 2008-04-10 11:56:41

matthieu
Member
Registered: 2008-04-01
Posts: 3

Re: edirectory and groups

Thanks Wawa!

It works fine now with the fix. Hopefully, I will soon be able to prepare a demo for my colleagues...

I still have some minor issues regarding the mass synchronization. But I will first go through the forum, maybe there is a solution somewhere... otherwise I will open a new ticket...

cheers.

Last edited by matthieu (2008-04-10 11:57:47)



Offline
