The Joomla! Forum ™

afrugone,

thanks for sharing. It looks like I've done almost exactly what you've done. The only difference I see is that I'm using the distinguishedName for the mapping list. I've also tried what you did (just the cn and ou) with no success. Are you using MSSQL or MySQL for the backend? Could you share your parameters with me (scrubbed of course) from your jmapmyldap user plugin from the extensions table. I'm using MSSQL, and am curious if this is the problem.

Thanks!

Hi Shaun,

I have a IIS 7 server running on windows server 2008 R2 standard with joomla configured on ms sql2008.

This issue i am having is it seems that the user mapping is not happening in the database. I can authenticate just fine. And it seems the plugin is picking up the ldap groups for the user as it shows from the debug output.

I have not been able to find any errors related to this issue in any of my logs.

ldap: JMapMyEntry Object ( [rdn:protected] => Array ( [count] => 6 [0] => cn=john doe [1] => ou=support [2] => ou=users [3] => ou=company [4] => dc=domain [5] => dc=com ) [dn:protected] => CN=John Doe,OU=Support,OU=Users,OU=COMPANY,DC=DOMIAN,DC=com [valid] => 1 [groups:protected] => Array ( [0] => cn=webmaster,ou=emails,ou=company,dc=domain,dc=com [1] => cn=it admin,ou=support teams,ou=users,ou=company,dc=domain,dc=com [2] => cn=all,ou=users,ou=company,dc=domain,dc=com ) [_errors:protected] => Array ( ) [fullname] => Array ( [0] => John DOE ) [username] => Array ( [0] => jdoe ) [email] => Array ( [0] => user@domain.com ) )

compared: Array ( [0] => JMapMyEntry Object ( [rdn:protected] => Array ( [count] => 6 [0] => cn=hr salary [1] => ou=groups [2] => ou=users [3] => ou=company [4] => dc=domain [5] => dc=com ) [dn:protected] => CN=HR Salary,OU=Groups,OU=Users,OU=COMPANY,DC=DOMIAN,DC=com [valid] => 1 [groups:protected] => Array ( [0] => 10 ) [_errors:protected] => Array ( ) ) )

Hi specterman

My current config is as follows, Joomla 2.54, running on on ubuntu 10.0.4, PHP 5.3.2, Apache/2.2.14 and Mysql 5.1.62:
Windows 2003 AD

User - JMapMyLDAP
Use Group Mapping Yes
Allow Additions Yes
Allow Removals Yes&Default Managed
Unmanaged Groups 1;2;8
Public Group 1
Mapping List (try following options)

cn=testgroup,OU=TcGlobal,OU=Usuarios:9
cn=JoomlaAdmins,OU=TcGlobal,OU=Usuarios:7

Lookup Type Forward
Lookup Attribute memberOf
Lookup Member dn
Use Recursion Yes
DN Attribute distinguishedName
Max Depth 0

I hope this could be useful for you

Thanks for the plugin, have successfully connected to an ldap server. In the Mapping Attributes section of the configuration page I would like the value of Map Full Name to be giveName and sn concatenated. Could you let me know if this can be specified on the configuration page or the script changes required. Thanks

University finished at long last. I have all my time back.

I'm not sure what has been solved in here and what not. If anybody can repost if there problem is outstanding then I'll reply to it.

Going to get back to developing version 2, and will release a overdue maintenance release for version 1 in the coming week or so.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

I just implemented a 650 user intranet with JMapMyLDAP doing the user provisioning, group mapping, authentication CB integration and SSO. All working great. The only thing I would ask for in another release is to get more AD fields mapped in to CB.

Thanks for these really excellent plugins.

_________________
Nanagram Websites and Hosting: http://www.nanagram.co.uk

Hi Shaun my recent query regarding concatenating two fields for Map Full Name is still something I need to be able to do. Thanks

Cool, I will look into this as a separate plug-in for V2.



As it picks up single attributes then you will need to hack some code. I would suggest targetting the sync name/email method in /libraries/shmanic/jmapmyldap.php to something like (note - I haven't tested this):

FROM:


TO:


FROM:


TO:


This version is such a bad design on my part that it makes this kind of thing very hard to modifiy. Can't wait until I've put it right(ish).

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Thanks very much Shaun will try it out when I get back from holiday. Cheers

Hi Shaun, I searched the forum but couldn't find an answer to my question:

Is there a way to get all users form the active directory? I'm building an intranet and the client wants a telephonebook. So I have to get name, departement and thelephonenumber from the AD...

Tx

@mhabers - Currently on demand sync doesn't exist. The last commit on version 2 brings profile support (so you can map department, telephone, etc.). If you want to take a look then shoot me an email, and I'll reply with the built packages for V2 (the forum here says its too big to attach). Alternatively, you can download the source and build the packages yourself from the Github repository https://github.com/ShMaunder/JMapMyLDAP [note I will be committing new stuff on there soon and will probably break a lot of things].


As for an update for version 2. I haven't implemented any new major features. However, I've reworked the entire Ldap client library which now makes use of consistent error handling & checking via custom Exceptions. Automatic unit testing has been partially implemented and most of the code now abides by the Joomla coding standard (Joomla's Sniff file). An autoloader and factory have been implemented. A big list of custom error IDs & descriptions which should make it easier to help with problems. Also starting a mini upgrade script for easy migration from 1 to 2. These things should make it easier and faster to implement new features (and the remaining features missing from version 2 like on demand sync).

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi Shaun,

First of all many tx for a great plugin with superb support.

I've allready build version 2 and installed it. I've now got an LDAP-profile plugin installed.
I'm not sure how to use it however.

Regards Marc

I normally send this in emails - I will add to the site at some point:

Future updates to version 2 till the final release will not be backward compatible - i.e. the configuration options will change and/or delete between each update till the final release. Therefore, do not update without prior testing in any live environment.

Use pkg_jmmldap_basics to install version 2's core. Then you can optionally install any of the following:

pkg_ldap_mapping - The group mapping plug-in.
pkg_ldap_profile - The profile plug-in.
plg_sso_http - To use HTTP SSO. Download from http://shmanic.com/media/file.php?proje ... o_http.zip as this is the same as version 1.

Error logging and SSO configuration can be found in Components->Ldap Admin->Options.

Documentation:
pkg_ldap_profile - http://shmanic.com/tools/jmapmyldap/doc ... plugin.htm
pkg_ldap_mapping - http://shmanic.com/tools/jmapmyldap/doc ... plugin.htm

SSO & Authentication - http://shmanic.com/tools/jmapmyldap/guide.htm

It is recommended to delete version 1 before installing version 2 or at least disable the "User - JMapMyLDAP" plug-in.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi Shaun,

I've done all this. My problem is that I want to know if and, if so, where users can edit their own proile. Is there a special view or something?

Marc

They should be able to change their own profile using Joomla's profile editor. This as long as "com_users.profile" is contained in the permitted forms.

Access from the front end using /?option=com_users&task=profile.edit&user_id=[Joomla's UID] or back end using 'Site->My Profile'. Front end should have a menu link to profile though.

Also, the user must be an LDAP user for it to display. This means it must authenticate against the LDAP server on logon.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi Shaun,

Aha perfect, that's what i was looking for. I'll get modifying de plugin to create an adressbook.

Tx,

Marc

Hi Shaun,

I've installed, en activated the profile plugin. I've set it up with the default.xml for testing purposes but de edit section doesn't show the form as expected. [edit]In the screenshot it says profiel for profile name Corrected that but still won't work[/edit]

I've used the following parameters (see attachment)
and the edit profile screen as it comes out.

What am i doing wrong?????

Regards Marc

Hi Shaun,

with the profile mapping, I have included the following field from AD to grab country:

<field
name="co"
type="text"
description="Country"
label="Country"
size="30"
filter="string"
required="false"
sync="true"
disabled="true"
/>
If Country is empty, is there anyway of adding a default value in this XML - I have tried a couple of things but nothing works,

regards

Mike

don't you remember it or not, I mentioned it one or two months ago, i think a domain selector is good for mutiple domain ldap login, since if there is mutiple domain, and it is possible that same account name will exist in different domain, so, a domain selector will be suitable to avoid problem happen in this case, please note and thanks.

@chrisyeung168 - I haven't forgotten . I'm building the underlying code for multiple servers first - well actually, I have nearly finished that and will commit to the repository soon. I will look at building a module for the front-end multiple domains soon after - Not sure what I can do on the back end (J! Administrator) to support this.

@mikesturmey - Did you try default="mycounty"? The majority of the syntax is processed by Joomla's JForm (i.e. same syntax).

@mhabers - What is the name of the XML file you're using for the profile? It should be profiel.xml. Add me on Skype (shaun.maunder) if you can because this may take a lot of posts to debug on here.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

hello shaun,
you are great! you can still remember that feature request, i 'm always checking this thread to see when will you come back, anyway, can't wait to see the result.

Cool. The multiple servers are now implemented (I will commit to Git soon on the 'platform' branch). The configurations can either be loaded from a PHP config file (primarily for platform applications) or SQL table (which will be used for the CMS). I'm currently making some unit tests which is taking forever and is seriously boring :/.

Got to re-sync up the LDAP plug-ins like Group Mapping and Profile to use the new libraries. Then I will do the little login module - I will need to figure out if a front-end component is also required. Then I need to concentrate on the back-end administrator component to integrated Ldap debugging and configuration.

After the above (and a release of a stable version), I will start proper work on a specific CB plug-in and password plug-in.


Edit:

For those that are interested in V2 progress, I have written a little blog style progress report here http://shmanic.com/tools/jmapmyldap/news.htm (a few have asked on email).

Though its been a very long (and unexpected) development period for V2, I'm becoming more happier with the code and the potential extendibility of the entire project.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi Shaun,

I'm trying to configure SSO with Apache and mod_auth_kerb. I've successfully got Kerb passing across the remote_user env variable however I've hit a roadblock configuring this for a site accessed both internally and publicly.

The limitation of this Apache module is that it doesn't gracefully degrade when its unable to authenticate (for it to attempt to negotiate SSO the Apache directive 'require user' needs to be set!). If they fail SSO I either have the choice of a 401 error screen or a basic auth prompt (KrbMethodK5Passwd On).

Unfortunately this particularly site has content that needs to be publicly accessible so having a basic auth prompt is not acceptable.

How do you suggest implementing SSO at such a site? Is there any other Apache module that will work better, or perhaps does IIS with it's SSPI component actually do this gracefully?

Here are the two workarounds I've thought of that might work:
-Separate public and internal site
-Have a standalone php file to do logins internally, having the mod_kerb directive only set on this specific file and just redirect them to the normal page
-Somehow using the Apache ErrorDoc directive combined with KrbMethodK5Passwd Off (if transparent sso negotiate fails, fail the auth) to load the site. (Probably a massive hack)
-Modify the mod_auth_kerb code and program a new parameter IfAuthFailLoadAnyway which simply serves the webpages withour the REMOTE_USER variable set if they fail SSO.

fyi. I've also emailed the mod_auth_kerb devs about this to see what they suggest. Its obviously a limitation of their module and not yours!

I should start that I don't know the answer *yet*. But, I was trying to accomplish this the other day.

There are a few methods that I'm currently trailing:

- Use of a forced 401 error with a WWW-Authenticate header (like negotiate) being sent to the browser. This would be modified into the HTTP plug-in to allow you to select specific IP ranges (i.e. internal ones). Though I haven't found the correct htaccess config to get this working yet. I believe this works on IIS.

- As you said, using a file to attempt it. The htaccess config for this one is easy, but it doesn't feel a elegant solution. I guess it could be executed through an IFrame or through a (Joomla or htaccess) redirect based on IP.


Though I will use some of today to hopefully figure out how I can get the first point to work.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Its implemented (well at least for the front-end)! The result:

http://i61.[spam].com/albums/h63/t ... Module.png


My next and last job before I can post packages for everything is an administrator component to configure everything & redo the package builder. Its been quiet on the support (& downloads) lately which has meant I've been able to pump a lot of hours into this version.

All code here: https://github.com/ShMaunder/JMapMyLDAP/tree/platform - will commit the front-end component shortly.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

wow, great, is it available to download and try it out? for the ldap login module, things seems more logically, just like if you need to login in your windows workstation, you need to choose the correct domain.

I've still not committed the front-end component which is needed for the module to work. This is mainly because I was hesitant if I should spend a day getting LDAP registration working, or just remove the view/model/controller for it. But I will remove registration for now and get the domain support committed so we can get a beta out ASAP.

Also, the SQL files for the new tables haven't been written - so its probably best to wait another week and with some luck, I may have updated the package builder.

I'm currently implementing "user adapters" (very much like JAuthTools' User Source system) to make it easier to integrate other authentication services into jmmLDAP after 2 is released. This will hopefully allow services like ADFS, which has had 4 requests so far for integration, to be integrated.



Lastly, if anybody is willing to do any translations for any of the language files, then please let me know. The website is getting between 5-15 unique hits a day via Google's translation service, and I don't know how well its being translated. Even if its a partial translation, it would make a difference

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

hello everybody,

I'm not able to map my ldap group to joomla group.
I can authenticate myself, get the right username, email..., but I belong to the Joomla Registered users group (my mapping list: CN=mygroup:7).
Everything seems to be Ok when I test my parameters with ldapdebug.php (ie my openldap group is printed out).
I've tried to insert ShMaunder's code in line 477 (echo 'ldap: '; print_r($ldapUser); echo '<br /><br />compared: '; print_r($mapLists); die();)
$mapLists displays nothing whereas $ldapUser displays the right values...that's strange !
Any idea ?

joomla 2.5.6
mysql 5.1.52
php 5.3.2
JMapMyLDAP 1.0.5

Regards from Toulouse

Hmm. Are you using a popular LDAP server/vendor?

What is the LDAP attribute groups are being printed out as? It sounds like the "Lookup Attribute" isn't correct maybe?

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Openldap...very popular :-)
schema: cn=mygroup, ou=Groups, dc=auth,dc=mydomain, dc=fr
attribute type (my lookup attribute): businessCategory
ldapdebug.php returns me the right group (mygroup) with this attribute.

thanks a lot Shaun !

Nota: I'm in holidays tonight and i'll be back on the forum in a week