JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Sep 19, 2011 2:02 am
by ShMaunder
Hello People,

This is a continuation of http://forum.joomla.org/viewtopic.php?f=624&t=600027 which wasn't intended to be taken over by one extension in a Joomla! general support forum.

I've today released the first stable version (1.0.4) of the JMapMyLDAP extensions. The extension was created to map LDAP groups to Joomla! 1.6 and 1.7 groups; though I hope in the future it will cover a wide range of LDAP integration features. The intended audience is mainly Intranet sites that use a LDAP server such as Active Directory to centrally authenticate users. It is a non-commercial GNU GPL extension currently consisting of a couple of plug-ins and a few libraries.

It has recently been added as a JED listing, and the project homepage contains the latest features, download and installation guide.

I would like to thank everyone that has provided me with suggestions and feedback during the alpha and beta stages. This project has taken me a couple of months just to get to this stage, though it is my first Joomla! extension.

Like the last thread, I would like to use this thread as a place for people to ask questions or feedback.

Reporting bugs can be done in the Joomlacode project tracker.

Thanks
Shaun

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Sep 26, 2011 11:43 am
by sbubb
Hi Shaun

Firstly thanks for a great J1.6/1.7 plugin. I am successfully using OpenLdap server and following your clear install guide I was easily able to get Ldap Authorization/sync and group mapping working.

One question, for future releases will it be possible for the Joomla User registration to create Ldap users?

Regards
Steve

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Sep 26, 2011 2:04 pm
by ShMaunder
Hi Steve,

Thanks for the feedback and you're most welcome.

This is one of my future aims of the project. Version 2.0 will introduce a separated LDAP plugin type for adding/removing features (such as group mapping, profiles, and potentially new users). This means after the initial 2.0 release, it should be easier to add features like creating new users back to the LDAP directory. As for a timescale; I'm hoping to release an alpha version in the next 2-3 weeks depending on the amount of other work I currently have.

Hopefully that answers your question :).

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Tue Sep 27, 2011 9:00 pm
by sbubb
ShMaunder wrote:Hi Steve,

Thanks for the feedback and you're most welcome.

This is one of my future aims of the project. Version 2.0 will introduce a separated LDAP plugin type for adding/removing features (such as group mapping, profiles, and potentially new users). This means after the initial 2.0 release, it should be easier to add features like creating new users back to the LDAP directory. As for a timescale; I'm hoping to release an alpha version in the next 2-3 weeks depending on the amount of other work I currently have.

Hopefully that answers your question :).
Yes Thanks. Looking forward to Version 2.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 12, 2011 11:15 am
by umbobabo
Hi Shaun,
can your plugin recognize Windows users so they don't need to use Joomla's login form? Is there a way to bypass Joomla log-in if you are an AD recognized user?

Thanks in advance.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 12, 2011 4:06 pm
by ShMaunder
@umbobabo - This sounds like single sign on? If so then yes. HTTP SSO is the most common way of achieving this and is currently the only SSO plugin in my set of extensions. The authentication protocol you use (i.e. Kerberos or NTLM) depends on your web server. After it is set up you will be able to:
1) Log into your Windows based workstation using an AD user account
2) Open up your Joomla! website
3) SSO automatically logs you in to your Joomla website using the same credentials as you used in step 1

Hope that answers your question.


--

On a project update: I haven't been around the last ~2 weeks and therefore, some things are behind schedule. Also I have a backlog of emails, so if you have emailed me, I will try to reply in the next coming days.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 12, 2011 6:41 pm
by umbobabo
@Shaun
Sounds very good, I will try as soon as possible.
I have an Apache webserver on a Windows 2003 server machine.
I already got the LDAP plugin working with AD but the Joomla login seems to be required; simple LDAP reads users from AD instead of MySQL (with users bridge).

Thanks for now. See you soon.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Sat Oct 15, 2011 8:16 am
by mk14
sbubb wrote:Hi Shaun

Firstly thanks for a great J1.6/1.7 plugin. I am successfully using OpenLdap server and following your clear install guide I was easily able to get Ldap Authorization/sync and group mapping working.

One question, for future releases will it be possible for the Joomla User registration to create Ldap users?

Regards
Steve
If this is in fact added, I believe that this extension would be a dream come true.

I think it would also be hugely useful if it could alternatively be plugged into Community Builder registration (to directly create Active Directory users).

Using AD to centrally manage users is of course amazing...but never before this was I able to find a Joomla project that actually aimed to allow for complete user data synchronization and Joomla-based AD registration.

Did I miss a precursor to this project that worked for 1.5 (and did I spend unnecessary time writing my own sync code)? In any event I am very excited for this extension now that I am moving my site to 1.7...

EDIT: I think JAuthTools (which seems like the closest thing for Joomla/LDAP syncing 1.5) never allowed for such registration features or "two-way" syncing of users, but maybe I just missed that. Since JAuthTools itself is apparently not available for 1.7 though, I guess that isn't relevant anyway. As far as I can tell then, your extension must be even more critically needed!

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Tue Oct 18, 2011 12:48 pm
by lgwapnitsky
I've been having trouble configuring this for my AD environment. I've successfully configured the built-in Joomla LDAP authentication with no issues, but this one seems to be baffling me.

If I provide my settings, would you be able to help point me in the right direction? I've been banging my head on this for about 2 hours now.

Thanks,
Larry

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 19, 2011 1:03 am
by ShMaunder
@lgwapnitsky

I've replied to your email; your search option is certainly not correct in the second screenshot.

Filters must be used in the User DN/Filter with search on (sAMAccountName=[username]). Otherwise, if search is off, then User DN/Filter needs to be a DN (i.e. cn=[username],ou=[users],o=company OR additionally with AD you could use DOMAIN\[username]).

@mk14
This is the aim of the project. Firstly coding the mini framework, then at a later date, releasing extension specific plug-ins. Other extension specific plug-ins like JomSocial have also been mentioned. I'm a little tied up with University stuff atm; however should have time this weekend to near a version 2.0 alpha.

I'm hoping to have a final version 2 around the release of J! 2.5 LTS in January.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 19, 2011 1:53 pm
by jborgman
I keep getting the error that the user with whom I am trying to log in is either not known or the password is incorrect. I am absolutely sure the creds are OK. I have tried almost every possible combination of config options, but all with the same result.
I have searched for a log file of some kind to find out what really happens, but no luck.
Can anyone give me a hint?

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 19, 2011 1:59 pm
by barnic
Hello,
I'm Nicola.
First....sorry for my bad English.

I'm trying to set "user plugin" like your example:
http://shmanic.com/tool/jmapmyldap/?id= ... -plugin-ad

I have a joomla 1.7.1 intranet in a linux suse server, apache 2, php 5.
In my intranet there are 2 windows 2003 server.

I set successfully "authentication plugin", so I can login in my intranet with my windows credential.
That works fine: new user was created with his name and email but no group associated, only "registered"

My configuration is like the example.
In "Mapping list" I have:
CN=AMMINISTRAZIONE:10

"AMMINISTRAZIONE" is a group.

Users--->Domain Users--->PROVA--->AMMINISTRAZIONE


How can I understand if my windows group is a CN or a OU?

Can you help me?
Thanks in advance

Nicola

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Wed Oct 19, 2011 2:24 pm
by lgwapnitsky
Got it working thanks to your e-mails, but SSO does not work. I've set up a PHPInfo.PHP file, but it's not showing any usernames in the _Server array. I know SSO works on our IIS systems (but I did not configure those).

Thanks.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:01 pm
by ShMaunder
I'm losing track with who's emailing me and posting here.

@jborgman
The log file should be in a PHP file called error.php in <joomla directory>/logs/error.php (this is the default location of the log directory). If your log directory hasn't been set up correctly then enable Joomla system debugging mode in the global configuration.

@barnic
Groups in AD are normally referred to by common name (CN), so your group mapping does indeed look correct - can you post your Lookup Type, Lookup Attribute and Lookup Member?

@lgwapnitsky
I can only really help after you get the username into one of the $_SERVER keys. SSO is only limited to HTTP at the moment. If you are using IIS, then you need to turn off anonymous access and tick integrated windows authentication.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:15 pm
by barnic
Hello, thank you for your fast answer.

Lookup Type: Forward
Lookup Attribute: memberOf
Lookup Member: dn

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:18 pm
by lgwapnitsky
ShMaunder wrote:I'm losing track with who's emailing me and posting here.

@lgwapnitsky
I can only really help after you get the username into one of the $_SERVER keys. SSO is only limited to HTTP at the moment. If you are using IIS, then you need to turn off anonymous access and tick integrated windows authentication.

I only mentioned IIS as we have other servers where SSO is not an issue.

I'm currently on Debian Squeeze with Apache. I'm still trying to determine how to populate the proper $_SERVER key. (that's where I'm stuck)

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:38 pm
by ShMaunder
@barnic
Hmm, that looks all correct. Are you using the "Authentication - JMapMyLDAP" plug-in and disabled "Authentication - LDAP"?

Check the log file /logs/error.php for any potential errors - though the user plugin isn't silent and should always tell you if an error occurs.

Can you test enabling "Sync Name" or "Sync Email", then changing a single LDAP user's name or email in Joomla's user manager then trying to re-login again. Does the name change back? This will test if the user plugin is even being called.

@lgwapnitsky
Ah I see. I normally use this guide http://acksyn.org/diary/?p=460 to configure my apache server with AD to achieve HTTP authentication.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:42 pm
by lgwapnitsky
ShMaunder wrote:@barnic
@lgwapnitsky
Ah I see. I normally use this guide http://acksyn.org/diary/?p=460 to configure my apache server with AD to achieve HTTP authentication.
I'll give that a shot, but that should hopefully populate the fields I need?

Thanks

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:54 pm
by ShMaunder
lgwapnitsky wrote:
ShMaunder wrote:@barnic
@lgwapnitsky
Ah I see. I normally use this guide http://acksyn.org/diary/?p=460 to configure my apache server with AD to achieve HTTP authentication.
I'll give that a shot, but that should hopefully populate the fields I need?

Thanks
Yes, once set up, it will populate the $_SERVER['remote_user'] field. Towards the bottom of the guide, it shows how your browser should be set up if you want to automatically login using your Windows workstation AD credentials.

I would highly recommend using this guide on a non-live server for the first time. It took me about half an hour to get working the first time.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 1:58 pm
by barnic
ShMaunder wrote:@barnic
Hmm, that looks all correct. Are you using the "Authentication - JMapMyLDAP" plug-in and disabled "Authentication - LDAP"?
yes

at one point worked honestly .... but then I started to make changes because it did not work for a group ("EDC") and users who were part of several groups could not let them associate all.

I tried to improve but I got worse and went to the confusion!

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 2:05 pm
by lgwapnitsky
ShMaunder wrote:
lgwapnitsky wrote:
ShMaunder wrote:@barnic
@lgwapnitsky
Ah I see. I normally use this guide http://acksyn.org/diary/?p=460 to configure my apache server with AD to achieve HTTP authentication.
I'll give that a shot, but that should hopefully populate the fields I need?

Thanks
Yes, once set up, it will populate the $_SERVER['remote_user'] field. Towards the bottom of the guide, it shows how your browser should be set up if you want to automatically login using your Windows workstation AD credentials.

I would highly recommend using this guide on a non-live server for the first time. It took me about half an hour to get working the first time.

GRRR...on my test server, fully configured and nothing showing up in the $_SERVER fields. IE is already configured for my other servers, so that wasn't necessary to run. Maybe something in the .htaccess file? paths are all correct and all files exist...

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 2:23 pm
by lgwapnitsky
Got it - needed to add

KrbVerifyKDC off

But, still being prompted for a login in IE.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 4:01 pm
by ShMaunder
@barnic
So it did work before, then it stopped? Take a backup of your current list, then delete the entire contents of the mapping list, put a single entry back and see if it works?

I'm not sure what is really going on here.

@lgwapnitsky
This could be the keytab. I sometimes have to recreate the keytab and restart apache.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 4:11 pm
by lgwapnitsky
Here's my apache conf file:


DocumentRoot "/var/www/joomla"
<Directory "/var/www/joomla">
allow from all
Options +Indexes
</Directory>

<Location "/">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
require valid-user
</Location>
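
A check of the directives in the configuration above, as an added example that is not part of the original post and is not JMapMyLDAP or mod_auth_kerb code. The rule set and the names `parse_sections` and `audit_kerb_config` are assumptions of this example; the audited text is the posted configuration, embedded inline.

```python
# Added example: audits mod_auth_kerb settings in an Apache config fragment.
# The rules and names are this example's own, not part of JMapMyLDAP.

# The configuration from the post above, embedded so the check runs offline.
POSTED_CONF = """\
DocumentRoot "/var/www/joomla"
<Directory "/var/www/joomla">
allow from all
Options +Indexes
</Directory>

<Location "/">
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms DOMAIN.COM
Krb5KeyTab /etc/krb5.keytab
KrbVerifyKDC off
require valid-user
</Location>
"""

def parse_sections(conf):
    """Return [(header, {directive_lowercase: value})] for each <...> block."""
    sections, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            current = None
        elif line.startswith("<"):
            current = (line.strip("<>"), {})
            sections.append(current)
        elif current is not None:
            name, _, value = line.partition(" ")
            current[1][name.lower()] = value.strip()
    return sections

def audit_kerb_config(conf):
    """Return [(section, rule_id, advice)] for settings worth reviewing."""
    findings = []
    for header, d in parse_sections(conf):
        if "+indexes" in d.get("options", "").lower().split():
            findings.append((header, "dir-listing",
                             "Options +Indexes exposes directory listings"))
        if d.get("authtype", "").lower() != "kerberos":
            continue
        # mod_auth_kerb defaults: KrbVerifyKDC on, KrbMethodK5Passwd on.
        if d.get("krbverifykdc", "on").lower() == "off":
            findings.append((header, "kdc-unverified",
                             "password logins are not verified against the "
                             "keytab (KDC spoofing); repair the keytab and "
                             "turn verification back on"))
        # Heuristic: TLS may be enforced elsewhere, e.g. at the vhost level.
        if (d.get("krbmethodk5passwd", "on").lower() == "on"
                and "sslrequiressl" not in d):
            findings.append((header, "password-fallback",
                             "Basic password fallback is enabled with no "
                             "SSLRequireSSL in this block"))
    return findings

if __name__ == "__main__":
    for section, rule, advice in audit_kerb_config(POSTED_CONF):
        print(f"{section}: {rule}: {advice}")
```

Needing `KrbVerifyKDC off` before logins work often points at a keytab that does not match the HTTP service principal, which is a separate thing to fix from the browser prompt.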

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Thu Oct 20, 2011 7:13 pm
by lgwapnitsky
Debug log:


[Thu Oct 20 15:11:58 2011] [debug] mod_deflate.c(615): [client 10.102.50.60] Zlib: Compressed 483 to 326 : URL /
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1240): [client 10.102.50.60] Acquiring creds for [email protected]
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1385): [client 10.102.50.60] Verifying client data using KRB5 GSS-API
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1401): [client 10.102.50.60] Client didn't delegate us their credential
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1429): [client 10.102.50.60] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1101): [client 10.102.50.60] GSS-API major_status:00010000, minor_status:00000000
[Thu Oct 20 15:11:58 2011] [error] [client 10.102.50.60] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Thu Oct 20 15:11:58 2011] [debug] mod_deflate.c(615): [client 10.102.50.60] Zlib: Compressed 483 to 326 : URL /
[Thu Oct 20 15:12:02 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:12:02 2011] [debug] src/mod_auth_kerb.c(994): [client 10.102.50.60] Using HTTP/[email protected] as server principal for password verification
[Thu Oct 20 15:12:02 2011] [debug] src/mod_auth_kerb.c(698): [client 10.102.50.60] Trying to get TGT for user [email protected]
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1073): [client 10.102.50.60] kerb_authenticate_user_krb5pwd ret=0 user=[email protected] authtype=Basic
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1534): [client 10.102.50.60] kerb_authenticate_a_name_to_local_name [email protected] -> lwapnitsky
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1566): [client 10.102.50.60] matched previous auth request
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1534): [client 10.102.50.60] kerb_authenticate_a_name_to_local_name [email protected] -> lwapnitsky
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1566): [client 10.102.50.60] matched previous auth request
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1534): [client 10.102.50.60] kerb_authenticate_a_name_to_local_name [email protected] -> lwapnitsky
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1566): [client 10.102.50.60] matched previous auth request
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1534): [client 10.102.50.60] kerb_authenticate_a_name_to_local_name [email protected] -> lwapnitsky
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1628): [client 10.102.50.60] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1566): [client 10.102.50.60] matched previous auth request
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1534): [client 10.102.50.60] kerb_authenticate_a_name_to_local_name [email protected] -> lwapnitsky
[Thu Oct 20 15:12:07 2011] [debug] mod_deflate.c(615): [client 10.102.50.60] Zlib: Compressed 16011 to 3915 : URL /index.php
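
The two phases visible in the debug log above (a Negotiate attempt rejected as NTLM, then a successful password login) can be picked out per client automatically; this is an added example, not part of the original post. The log lines are constructed in the same format with documentation addresses and placeholder users, and the function name `triage` and the verdict names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mod_auth_kerb debug log above.
SAMPLE_LOG = """\
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1628): [client 192.0.2.10] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Thu Oct 20 15:11:58 2011] [debug] src/mod_auth_kerb.c(1429): [client 192.0.2.10] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
[Thu Oct 20 15:11:58 2011] [error] [client 192.0.2.10] gss_accept_sec_context() failed: An unsupported mechanism was requested (, Unknown error)
[Thu Oct 20 15:12:07 2011] [debug] src/mod_auth_kerb.c(1073): [client 192.0.2.10] kerb_authenticate_user_krb5pwd ret=0 user=alice@EXAMPLE.COM authtype=Basic
[Thu Oct 20 15:12:09 2011] [debug] src/mod_auth_kerb.c(1073): [client 192.0.2.20] kerb_authenticate_user_krb5pwd ret=0 user=bob@EXAMPLE.COM authtype=Basic
[Thu Oct 20 15:12:11 2011] [debug] src/mod_auth_kerb.c(1429): [client 192.0.2.30] Warning: received token seems to be NTLM, which isn't supported by the Kerberos module. Check your IE configuration.
"""

# [timestamp] [level] optional "file.c(line): " prefix, then [client ip] message
LINE = re.compile(r"^\[[^\]]+\] \[\w+\] (?:\S+\(\d+\): )?"
                  r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# ret=0 is Apache's OK: the typed password was accepted by the KDC.
PASSWORD_OK = re.compile(
    r"kerb_authenticate_user_krb5pwd ret=0 user=(\S+) authtype=Basic")

def triage(log):
    """Map each client IP to (verdict, user_who_typed_a_password_or_None)."""
    state = defaultdict(lambda: {"ntlm": False, "user": None})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = state[m["client"]]
        if "received token seems to be NTLM" in m["msg"]:
            s["ntlm"] = True        # browser could not offer a Kerberos ticket
        ok = PASSWORD_OK.search(m["msg"])
        if ok:
            s["user"] = ok.group(1)  # user fell back to the password prompt
    verdicts = {}
    for client, s in state.items():
        if s["ntlm"] and s["user"]:
            verdict = "sso-failed-password-used"
        elif s["ntlm"]:
            verdict = "sso-failed"
        elif s["user"]:
            verdict = "password-only"
        else:
            verdict = "no-auth-events"
        verdicts[client] = (verdict, s["user"])
    return verdicts

if __name__ == "__main__":
    for client, (verdict, user) in triage(SAMPLE_LOG).items():
        print(client, verdict, user or "-")
```

A client reported as `sso-failed-password-used` matches the symptom in this thread: the server is authenticating, but only after the user types a domain password into the browser prompt.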

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Fri Oct 21, 2011 6:46 am
by barnic
ShMaunder wrote: So it did work before, then it stopped? Take a backup of your current list, then delete the entire contents of the mapping list, put a single entry back and see if it works?

I'm not sure what is really going on here.
I'm going crazy! :eek:

This is my last Mapping List:
CN=TITOLARI:14
CN=AMMINISTRAZIONE:10,30
CN=PERSONALE:11,30
CN=ESTERO:12,30
CN=TECNICO:13,30
CN=AREZZO:20,29,30
CN=ITALIA:20,29,30
CN=PROG.PRODUZIONE:19,29,30
CN=REPPREPTUBO:27,17
CN=REPPREPLASTRA:26,17
CN=REPCHIUSURE:28,17
CN=MANUTENZIONE:25,17
CN=MEC CAD:21,18
CN=MEC OFF:24,18
CN=MEC PROD:22,18
CN=MEC TECNICO:23,18



I've just tried with user "lorella": it works, not 100% but it works (perhaps it's normal...."CN=MEC PROD:22,18" overwrite "CN=AMMINISTRAZIONE:10,30" ? ? ? )
Then, logout and login with user "tiziana": it doesn't work.
So, another login with "claudio": it doesn't work
Another one, "nicola": it works 100%

In AD "lorella" is in: "AMMINISTRAZIONE" (primary group), "INTERNET SENZA RESTRIZIONI", "MEC PROD"
In AD "tiziana" is in: "AMMINISTRAZIONE" (primary group), "INTERNET SENZA RESTRIZIONI"
In AD "claudio" is in: "AMMINISTRAZIONE" (primary group), "CED", "Domain Admins"
In AD "nicola" is in: "AMMINISTRAZIONE" (primary group), "CED", "Domain Admins"


This is the AD structure:
Users--->Domain Users--->PROVA--->AMMINISTRAZIONE
Users--->Domain Users--->PROVA--->MECCANICA--->MEC PROD
Users--->INTERNET SENZA RESTRIZIONI
Users--->Domain Users--->CED
Administrators--->Domain Admins


"CED" is not in mapping list, I don't want. Same thing for "Domain Admins"


So, why users "tiziana" and "claudio" don't work?
  • I've to try from different PC (ip address)?
  • I've to wait between two different login if I use the same PC?
  • Something in cache? (in server? in PC?)
However....thanks thanks thanks.
It's a great plugin, the greatest for "intranet".

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Sun Oct 23, 2011 7:49 pm
by ShMaunder
Sorry for the delay.

@lgwapnitsky
I've only ever implemented apache AD HTTP authentication a couple of times, so I've not had much experience with setup problems. Did you try some other browser other than IE to check if basic authentication is working at all?

@barnic
None of those things would affect your problem. Overrides don't happen either. The plugin will choose as many of the groups as it matches (i.e. not limited to 1). This could be a bug, though I'm not sure why it's occurring.

I'm going to ask you to debug the code to find out if the plugin is picking up any LDAP groups for a user. Open <joomla>/libraries/shmanic/jmapmyldap.php browse down to line 477 and insert the echo out and die line like:

476: $mapLists 			= JMapMyEntry::compareGroups($paramMapList, $ldapUser);
477: echo 'ldap: '; print_r($ldapUser); echo '<br /><br />compared: '; print_r($mapLists); die();
478: if($this->parameters->get('group_map_addition')) { //lets add groups
Try to logon with one of the users that do not work. Remove any personal information from any of the entries and either post, PM or email me the output.

Maybe this is a character set problem ???
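
The matching described above (every mapping-list entry that matches adds its Joomla groups, with no overriding) as an added example; it is not the plugin's `compareGroups` code and is not part of the original post. Matching on the first RDN of each `memberOf` value, case-insensitively, is an assumption, and the base DN and memberships are constructed; the sample also shows an AD behaviour worth ruling out, namely that `memberOf` does not list a user's primary group (that is held in `primaryGroupID`).

```python
# Added example: forward lookup of Joomla groups from AD memberOf values.

# Three entries in the mapping-list format used in this thread.
MAPPING_LIST = """\
CN=AMMINISTRAZIONE:10,30
CN=MEC PROD:22,18
CN=PROG.PRODUZIONE:19,29,30
"""

BASE = "OU=Groups,DC=example,DC=com"  # constructed base DN
# Constructed memberOf values; the primary group is absent, as AD returns it.
MEMBER_OF = {
    "lorella": [f"CN=INTERNET SENZA RESTRIZIONI,{BASE}", f"CN=MEC PROD,{BASE}"],
    "tiziana": [f"CN=INTERNET SENZA RESTRIZIONI,{BASE}"],
}

def normalise_rdn(rdn):
    """'CN = Mec Prod' -> 'cn=mec prod' so comparison ignores case."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"

def first_rdn(dn):
    """Return the leftmost RDN, honouring backslash escapes (RFC 4514)."""
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        out.append(dn[i:i + step])
        i += step
    return "".join(out)

def parse_mapping_list(text):
    """'CN=NAME:1,2' lines -> {'cn=name': {1, 2}}; malformed lines raise."""
    mapping = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        # Split on the last colon: group names may contain dots and spaces.
        rdn, sep, ids = line.rpartition(":")
        if not sep or "=" not in rdn:
            raise ValueError(f"line {n}: expected RDN:id[,id...]")
        try:
            group_ids = {int(i) for i in ids.split(",")}
        except ValueError:
            raise ValueError(f"line {n}: non-numeric Joomla group id") from None
        mapping.setdefault(normalise_rdn(rdn), set()).update(group_ids)
    return mapping

def joomla_groups(member_of, mapping):
    """Union of the Joomla group ids of every mapped LDAP group."""
    ids = set()
    for dn in member_of:
        ids |= mapping.get(normalise_rdn(first_rdn(dn)), set())
    return ids

if __name__ == "__main__":
    mapping = parse_mapping_list(MAPPING_LIST)
    for user, groups in MEMBER_OF.items():
        print(user, sorted(joomla_groups(groups, mapping)))
```

Comparing the `memberOf` values printed by the debug line with what this returns for the same mapping list separates a directory-side gap from a matching bug.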

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Oct 24, 2011 5:58 am
by Spudda
Hello

Getting the following error in the logs/error.php file.

SSO Fail: SSO: Failed to import SSO plugins.

This is occurring each time the page is getting hit. Authentication is working if the credentials are entered manually.

Any advice?

TY

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Oct 24, 2011 11:25 am
by lgwapnitsky
ShMaunder wrote:Sorry for the delay.

@lgwapnitsky
I've only ever implemented apache AD HTTP authentication a couple of times, so I've not had much experience with setup problems. Did you try some other browser other than IE to check if basic authentication is working at all?
Shaun-

All 3 browsers on my system are having the same issue - IE, FF, Chrome. I may have to abandon the SSO portion. But otherwise, this works great.

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Posted: Mon Oct 24, 2011 10:42 pm
by ShMaunder
@lgwapnitsky
Ah right I see. I wouldn't know what to suggest. Even after googling some of those errors, it's unclear as to what part is broken. If you've the time, then find another guide and try again.

@Spudda
Sounds like you've not enabled "SSO - HTTP" ?