JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Spudda
Joomla! Fledgling
Posts: 2
Joined: Mon Oct 24, 2011 5:30 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by Spudda » Tue Oct 25, 2011 12:40 am

ShMaunder wrote:
> @Spudda
> Sounds like you've not enabled "SSO - HTTP" ?

It was enabled so I uninstalled the SSO plugins and then reinstalled and reconfigured. Not getting the plugin error anymore but SSO still isn't working.

Will keep plugging away to see if I can get this resolved.

lgwapnitsky
Joomla! Apprentice
Posts: 11
Joined: Fri Sep 02, 2005 8:52 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by lgwapnitsky » Tue Oct 25, 2011 11:46 am

Somehow it started working yesterday...no reboots at all

adikusdianto
Joomla! Fledgling
Posts: 1
Joined: Wed Oct 26, 2011 7:44 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by adikusdianto » Wed Oct 26, 2011 7:47 am

I get this error when I try to log in:
LDAP FAILURE: JLDAP2: Could not get dn for username 'xxxxxxx'. Check user dn/filter parameter and the authenticating user exists. LDAP reported: Success
What's wrong with my configuration?

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Wed Oct 26, 2011 7:46 pm

@Spudda
Not by any chance are you using IIS? I still have some open bugs with IIS HTTP which I haven't got round to fixing. This involves case sensitive and backslash issues for the replacement parameter http://joomlacode.org/gf/project/jmapmy ... m_id=26858

@adikusdianto
If you're using search then your filter specified in 'User DN/Filter' parameter isn't returning results. If you're not using search then your dn specified in 'User DN/Filter' parameter is wrong. What LDAP server are you using?


I've put this up http://shmanic.com/tool/jmapmyldap/?id= ... bug-method to help with setting up the authentication with "instant feedback". It's not 100% but should help setup the authentication plug-in much quicker.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Sat Oct 29, 2011 6:19 am

Hello

I am running into the same issue as barnic discussed earlier. Users are mapped to only registered group. My site is running on IIS, PHP 5.3.8 and Joomla 1.7 and the authentication plugin is working with the following parameters:

LDAP V3 Yes
Start TLS No
Follow Referrals No

Connect User domain\username
Connect Password *******

Use Search Yes
Base DN DC=domain,DC=LOCAL
User DN / Filter (sAMAccountName=[username])

Map User ID sAMAccountName
Map Full Name name
Map Email email

Joomla LDAP is disabled and Auth and User JMapMyLDAP plugins are enabled. Authenticated user is created but only the registered group is added to the user account.

User parameters are:

Authentication Plugin jmapmyldap
Auto Register Yes
Sync Name No
Sync Email No

Use Group Mapping Yes
Allow Additions Yes
Allow Removals No
Unmanaged Groups 1;2;8
Public Group 1

Mapping List CN=Users,DC=domain,DC=LOCAL:25
(I want any user of the domain to map to group named Employee which has ID 25)
Lookup Type Forward
Lookup Attribute memberOf
Lookup Member dn

Use Recursion Yes
DN Attribute name
Max Depth 0

Here is the debug output:

ldap: JMapMyEntry Object ( [rdn:protected] => Array ( [count] => 4 [0] => cn=lastname\2c firstname [1] => cn=users [2] => dc=domain [3] => dc=local ) [dn:protected] => CN=lastname\, firstname,CN=Users,DC=domain,DC=LOCAL [valid] => 1 [groups:protected] => Array ( ) [_errors:protected] => Array ( ) [username] => Array ( [0] => fullname ) [fullname] => Array ( [0] => lastname, firstname ) [email] => Array ( [0] => [email protected] ) )

compared: Array ( )

Any help is appreciated. Thank you

itstaff
Joomla! Apprentice
Posts: 13
Joined: Fri Apr 15, 2011 12:46 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by itstaff » Mon Oct 31, 2011 3:43 am

Hello,

I use Active Directory and IIS7 and am getting the following message when using the PHP Ldap Debug.

----------------------------------------------------------------------------
:: PHP LDAP debug script started ::

Attempting to bind to LDAP server using connect username and password...
LDAP bind successful.

Attempting to find user based on userdn and username...
Successfully found user

Attempting to logon with user [email protected] ...
Successfully logged on with user

Attempting to retrieve all user attributes and print them...

Failed to retrieve user attributes

:: PHP LDAP debug script finished ::
----------------------------------------------------------------------------

I have configured LDAP with the following:

LDAP V3 Yes
Start TLS No
Follow Referrals No

Connect User domain\username
Connect Password *******

Use Search No
Base DN DC=domain,DC=com
User DN / Filter [username]@domain.com

Map User ID sAMAccountName
Map Full Name displayName
Map Email email

I can successfully authenticate using the default Joomla LDAP plugin, however it is the SSO and group mapping that I need, hence why I would like to get this plugin working. Any suggestions? Thanks in advance

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Oct 31, 2011 10:10 pm

I've just updated the LDAP debug tool as it had quite a lot of bugs when not using search. It also has far better error strings and such.

@epttmacias & @barnic
I'm trying to get my head around exactly what is going on here. I'm finding it hard without being able to debug in the environments. Can both of you re-try the LDAP debug tool here http://shmanic.com/tool/jmapmyldap/?id= ... bug-method as I need to determine if PHP is picking up your groups.

If PHP is picking up your groups then I can simulate them here and find the bug.

Edit: actually on second look, this could be a problem with escape characters. Let me investigate...


@itstaff
Can you get the latest LDAP debug tool (PHP LDAP Debug V1.0.3) and try it again.


Just on the off chance, if you're using AD, then try port 3268 (global catalog).

I will try to be more proactive with these problems; though I currently have a very full schedule.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

itstaff
Joomla! Apprentice
Posts: 13
Joined: Fri Apr 15, 2011 12:46 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by itstaff » Mon Oct 31, 2011 10:59 pm

Hello,

Thank you for such great response time. I downloaded and tried the new ldapdebug and receive the following now.

:: PHP LDAP debug V1.03 script started ::

Building full User DN based on 'User DN/Filter' and 'Test User'...
Appears to have been successful

Attempting to logon with user [email protected] ...
Successfully logged on with user

Attempting to retrieve all user attributes and print them...


Warning: ldap_read() [function.ldap-read]: Search: Invalid DN syntax in C:\inetpub\wwwroot\intranet\ldapdebug.php on line 39

Failed to retrieve user attributes.


:: PHP LDAP debug V1.03 script finished ::

Also the same when trying port 3268 as suggested.

Thank you in advance

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Oct 31, 2011 11:24 pm

hmm, I think the major difference between the inbuilt and JMapMyLDAP authentication is the use of ldap_read() in place of ldap_search().

After a Google of the invalid dn syntax error, it says that it might be related to apostrophe use; which relates to the escape characters. I'm trying to reproduce this right now. Does your test user use any special characters inside the DN or any other attribute?

Edit: Just realised what you have inserted as a "User DN/Filter". You really need to be using search to find your user like:
Search: On
User DN/Filter: (sAMAccountName=[username])
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
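
How the two "User DN/Filter" modes in the posts above differ, as an added example (not part of the thread and not JMapMyLDAP code; the function names are hypothetical and the usernames are constructed). It expands `[username]` with the escaping each mode needs and flags a value that can bind on AD but cannot serve as an `ldap_read()` base, which is the "Invalid DN syntax" case shown above. Requires PHP 7.1 or later.

```php
<?php
// Added example. Function names are hypothetical, not the plugin's API.

/** RFC 4515: escape a value that is placed inside a search filter. */
function escapeFilterValue(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

/** RFC 4514: escape a value that is placed inside a DN component. */
function escapeDnValue(string $value): string
{
    $value = preg_replace('/[,+"\\\\<>;=]/', '\\\\$0', $value); // specials anywhere
    $value = preg_replace('/^[ #]/', '\\\\$0', $value);         // leading space or #
    return preg_replace('/ \z/', '\\\\ ', $value);              // trailing space
}

/**
 * Expand a 'User DN/Filter' template for one login attempt.
 * $useSearch mirrors the "Use Search" switch from the thread.
 */
function expandUserDnFilter(string $template, string $username, bool $useSearch): array
{
    if ($useSearch) {
        $value = str_replace('[username]', escapeFilterValue($username), $template);
        // Filter strings are parenthesised; the unbracketed form failed in this thread.
        $ok = (bool) preg_match('/^\(.+\)\z/s', $value);
        $note = $ok ? 'search filter' : 'search filter is missing its ( )';
    } else {
        $value = str_replace('[username]', escapeDnValue($username), $template);
        // A DN starts with attribute=value. user@domain can bind on AD,
        // but ldap_read() needs a real DN as its base.
        $ok = (bool) preg_match('/^[A-Za-z][A-Za-z0-9-]*=/', $value);
        $note = $ok ? 'bind DN and ldap_read() base' : 'bind name only, not a DN';
    }
    return ['value' => $value, 'ok' => $ok, 'note' => $note];
}

// Constructed inputs based on the settings quoted in the thread.
$cases = [
    ['(sAMAccountName=[username])', 'jdoe', true],
    ['sAMAccountName=[username]', 'jdoe', true],
    ['(sAMAccountName=[username])', 'j*doe)', true],   // wildcard and bracket are escaped
    ['[username]@domain.com', 'jdoe', false],
    ['CN=[username],CN=Users,DC=domain,DC=LOCAL', 'lastname, firstname', false],
];
foreach ($cases as [$template, $user, $useSearch]) {
    $r = expandUserDnFilter($template, $user, $useSearch);
    printf("%-5s %-52s %s\n", $r['ok'] ? 'ok' : 'CHECK', $r['value'], $r['note']);
}
```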

itstaff
Joomla! Apprentice
Posts: 13
Joined: Fri Apr 15, 2011 12:46 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by itstaff » Tue Nov 01, 2011 12:35 am

Fantastic! Amazing work. I had tried with search on and that particular User DN/Filter, however I had not put the start and end brackets around it. oops.

So now I am playing with SSO and having some difficulty. Does it work with Firefox?

For the user key in SSO - http plugin I have tried REMOTE_USER AND AUTH_USER and no luck.

Username Replacement: DOMAIN\;@DOMAIN.com
IP Rule: Allow all

I have found in phpinfo the following lines:

_SERVER["REMOTE_USER"] no value
_SERVER["AUTH_USER"] no value
_SERVER["USERNAME"] CAVSERVER51$ (my test server)

I'm not really sure what I'm looking for here.

Also the System - JSSOMySite plugin is enabled and IP rule is allow all.

IIS authentication has been set to Anonymous Authentication enabled and Windows Authentication enabled. Any hints where I could possibly be going wrong?

Once again thank you for your time.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 1:26 am

Turning on integrated Windows authentication, then turning off anonymous access, should do the trick. This is as long as the IIS server is a member of the authenticating domain and you aren't using the server to browse locally.

Once you've done this then the $_SERVER[REMOTE_USER] should populate. Both Firefox and Internet Explorer can successfully single sign on a user.

I believe there are more advanced methods you can also use in IIS7 than having to deny all anonymous access - but I don't know how to do this yet.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

itstaff
Joomla! Apprentice
Posts: 13
Joined: Fri Apr 15, 2011 12:46 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by itstaff » Tue Nov 01, 2011 1:38 am

Mate fantastic. That was it. I want to thank you for your unreal support on a free Joomla extension. Amazing!!!!! Much better than a lot of my paid extensions. Firefox asks for Username and Password but Internet Explorer logs straight in no questions asked. I assume there won't be any way for Firefox to work as well?

Thanks again for a fantastic effort.....

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 1:43 am

That's OK :)

For Firefox I normally do:
1) Go to about:config
2) Find "network.automatic-ntlm-auth.trusted-uris" (string) and set the value of it to your intranet site(s) like "http://intranet.domain.local,http://intranet2.domain.local"
3) I also have this set to true "network.ntlm.send-lm-response" (boolean)
4) Restart Firefox and try to logon

Source: http://sivel.net/2007/05/firefox-ntlm-sso/
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

itstaff
Joomla! Apprentice
Posts: 13
Joined: Fri Apr 15, 2011 12:46 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by itstaff » Tue Nov 01, 2011 3:21 am

Wow!!! Perfect. I can't thank you enough for sharing your knowledge and being so responsive with helping me through this. You made my day and made it so much easier for me......:) Thank you

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Tue Nov 01, 2011 3:40 am

Shaun, I ran the LDAP debug tool. What should I be looking for?

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 5:05 am

@itstaff
You're welcome :)

@epttmacias
Make sure you have a table of attributes displayed and no error.

Though I think I initially skipped over your post a bit too quickly. Sounds like you only need a minimum (or default) group assigned to all users? If that's the case you can change the "Public Group" to 25.

I have come to see that the "Public Group" parameter has far more uses than I initially thought. This will probably be renamed to "default group" in version 2.

Alternatively, see if you can find a common group that is displayed in the debug to all users. It must be in the memberOf attribute. Domain users is unfortunately not usually displayed.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 4:03 pm

I've just found out that a primary group in AD means that it won't be listed as an entry in the memberOf attribute. Therefore, currently the plug-in won't pick up the group. I'm putting this as a future feature in the wish list for inclusion in version 2.

@barnic
I believe this could be your problem.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
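
One way to resolve the primary group that `memberOf` omits, as an added example (not part of the thread and not JMapMyLDAP code; function names are hypothetical and the SID is constructed). The group's SID is the user's `objectSid` with its last sub-authority replaced by `primaryGroupID`, and the group entry can then be found by searching for that SID.

```php
<?php
// Added example. Function names are hypothetical; the SID below is constructed.

/** Render a binary objectSid (as returned by ldap_get_values_len()) as S-1-5-... */
function sidToString(string $bin): string
{
    // 1 byte revision, 1 byte sub-authority count, 6 bytes authority, then 4 bytes each
    if (strlen($bin) < 12 || strlen($bin) !== 8 + 4 * ord($bin[1])) {
        throw new InvalidArgumentException('malformed SID');
    }
    $authority = 0;                                    // 48-bit, big-endian
    for ($i = 2; $i < 8; $i++) {
        $authority = ($authority << 8) | ord($bin[$i]);
    }
    $sid = 'S-' . ord($bin[0]) . '-' . $authority;
    foreach (unpack('V*', substr($bin, 8)) as $sub) {  // 32-bit, little-endian
        $sid .= '-' . sprintf('%u', $sub);
    }
    return $sid;
}

/** Binary SID of the user's primary group: same domain prefix, last RID swapped. */
function primaryGroupSid(string $userSidBin, int $primaryGroupId): string
{
    return substr($userSidBin, 0, -4) . pack('V', $primaryGroupId);
}

/** Search filter matching exactly that SID, every byte escaped as \xx. */
function sidFilter(string $sidBin): string
{
    $escaped = '';
    foreach (str_split(bin2hex($sidBin), 2) as $byte) {
        $escaped .= '\\' . $byte;
    }
    return '(objectSid=' . $escaped . ')';
}

// Constructed user SID: S-1-5-21-1111111111-2222222222-3333333333-1105
$userSid = "\x01\x05\x00\x00\x00\x00\x00\x05"
    . pack('V5', 21, 1111111111, 2222222222, 3333333333, 1105);

// 513 is the RID of Domain Users, the usual primary group of an AD user.
$groupSid = primaryGroupSid($userSid, 513);

echo 'user SID:          ', sidToString($userSid), "\n";
echo 'primary group SID: ', sidToString($groupSid), "\n";
echo 'group filter:      ', sidFilter($groupSid), "\n";

// With a live connection ($ldap and $baseDn are assumptions, not from the thread):
// $result = ldap_search($ldap, $baseDn, sidFilter($groupSid), ['distinguishedName']);
```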

lgwapnitsky
Joomla! Apprentice
Posts: 11
Joined: Fri Sep 02, 2005 8:52 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by lgwapnitsky » Tue Nov 01, 2011 5:32 pm

ShMaunder wrote:
> I've just found out that a primary group in AD means that it won't be listed as an entry in the memberOf attribute. Therefore, currently the plug-in won't pick up the group. I'm putting this as a future feature in the wish list for inclusion in version 2.
>
> @barnic
> I believe this could be your problem.

Shaun - thanks for the hard work. Looking forward to the updates.

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Tue Nov 01, 2011 7:18 pm

Thanks for the reply however I tried changing the public group to 25 but the user account is still created in the Registered group. I am still using the same user plugin settings as posted earlier however the public group is now set to 25.

I also enabled email sync and tested changes to the email of my test account and that appears to be working just not the group mappings. Below is the debug output.

:: PHP LDAP debug V1.03 script started ::

Attempting to bind to LDAP server using connect username and password...
LDAP bind successful.

Attempting to use search to find user...
Successfully found user

Attempting to logon with user CN=lastname\, firstname,CN=Users,DC=domain,DC=LOCAL ...
Successfully logged on with user

Attempting to retrieve all user attributes and print them...

User ID: username
Full Name: lastname, firstname
Email: [email protected]


LDAP Attribute Value(s)
objectClass Array ( [0] => top [1] => person [2] => organizationalPerson [3] => user )
cn Array ( [0] => lastname, firstname )
sn Array ( [0] => lastname )
givenName Array ( [0] => firstname)
distinguishedName Array ( [0] => CN=lastname\, firstname,CN=Users,DC=domain,DC=LOCAL )
instanceType Array ( [0] => 4 )
whenCreated Array ( [0] => 20111028171846.0Z )
whenChanged Array ( [0] => 20111101185853.0Z )
displayName Array ( [0] => lastname, firstname )
uSNCreated Array ( [0] => 22963566 )
uSNChanged Array ( [0] => 23001139 )
name Array ( [0] => lastname, firstname )
objectGUID Array ( [0] => �#h�H�%j{���
userAccountControl Array ( [0] => 66048 )
badPwdCount Array ( [0] => 0 )
codePage Array ( [0] => 0 )
countryCode Array ( [0] => 0 )
badPasswordTime Array ( [0] => 0 )
lastLogoff Array ( [0] => 0 )
lastLogon Array ( [0] => 0 )
pwdLastSet Array ( [0] => 129643183600715000 )
primaryGroupID Array ( [0] => 513 )
objectSid Array ( [0] =>

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 10:51 pm

@epttmacias
The only way it will kick in is if you set "Allow Removals" to Yes & Default Managed. If you're unable to do this then maybe you will need to put in a code hack.

Code hack:-
In /libraries/shmanic/jmapmyldap.php line ~494

493: }
494: self::addUserToGroup($joomlaUser, 25);
495: return true;
This code will always add the group 25 to any LDAP user.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Tue Nov 01, 2011 11:29 pm

I had to add the self::addUserToGroup($joomlaUser, 25); to get it to work. This is good, I can move forward now but I would like to be able to map between groups in the future. Any suggestions on how to get it working properly?

Thanks for your assistance.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 01, 2011 11:39 pm

You should be able to still map groups even with the code hack.

i.e. If you put CN=group1:26 in the group mapping then all users will still be added to the group 25 and users in the LDAP group, group1, are added to group 26.

A better alternative is to create a common group (this cannot be an OU) for each user. e.g. the group "Employees" to each user and inserting the entry CN=employees:25.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Wed Nov 02, 2011 12:30 am

I'll test that out. Thank you.

barnic
Joomla! Apprentice
Posts: 14
Joined: Fri Oct 03, 2008 12:13 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by barnic » Wed Nov 02, 2011 9:20 am

ShMaunder wrote:
> I've just updated the LDAP debug tool as it had quite a lot of bugs when not using search. It also has far better error strings and such.
>
> @epttmacias & @barnic
> I'm trying to get my head around exactly what is going on here. I'm finding it hard without being able to debug in the environments. Can both of you re-try the LDAP debug tool here http://shmanic.com/tool/jmapmyldap/?id= ... bug-method as I need to determine if PHP is picking up your groups.
>
> If PHP is picking up your groups then I can simulate them here and find the bug.
>
> Edit: actually on second look, this could be a problem with escape characters. Let me investigate...

Hi,
this is the result of the new debugging:


:: PHP LDAP debug V1.03 script started ::

Attempting to bind to LDAP server using connect username and password...

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: 
Invalid credentials in /u/htdocs/test/ldapdebug.php on line 294

LDAP bind failed. Check host, port, connect username and connect password.


:: PHP LDAP debug V1.03 script finished ::
---------------------------------
I read only now:

> I've just found out that a primary group in AD means that it won't be listed as an entry in the memberOf attribute. Therefore, currently the plug-in won't pick up the group. I'm putting this as a future feature in the wish list for inclusion in version 2.
>
> @barnic
> I believe this could be your problem.

ok, I look forward

epttmacias
Joomla! Apprentice
Posts: 6
Joined: Tue Oct 11, 2011 2:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by epttmacias » Wed Nov 02, 2011 4:41 pm

Shaun, thank you for all your help. Can you tell me if PHP is picking up my groups based on the debug output that I posted on Tue Nov 01, 2011 12:18 pm?

ckozler
Joomla! Apprentice
Posts: 5
Joined: Wed Nov 02, 2011 5:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ckozler » Wed Nov 02, 2011 7:17 pm

ShMaunder wrote:
> @ckozler
> There is now a dedicated thread specific to this extension http://forum.joomla.org/viewtopic.php?f=46&t=657124
>
> OK, not sure what you've tried so far but your lookup type and attribute doesn't look good.
>
> Firstly, shorten your mapping list to "cn=operations : 13" - once the lookup stuff is working, then you can put it back.

Done. I do not see any change.

> Secondly, check the /logs/error.php for any mapping errors.

Nope, nothing :/

> Thirdly, to check the mapping plugin is working correctly, set the "Sync Name" to enabled then change a user's name in Joomla. Try to re-login and see if the name has been set back to the LDAP name.
>
> Try these combinations:
>
> lookup type: forward
> lookup attribute: groupMembership
> lookup member: dn
>
> lookup type: reverse
> lookup attribute: member
> lookup member: dn
>
> lookup type: reverse
> lookup attribute: members
> lookup member: dn
>
> lookup type: reverse
> lookup attribute: member
> lookup member: uid
>
> lookup type: reverse
> lookup attribute: members
> lookup member: uid
>
> Edit: I'm not sure what attributes are used with sambaGroupMapping. Do you get a 'member' or 'members' attribute for users?

Tried all of them...nothing.

When you say

> Edit: I'm not sure what attributes are used with sambaGroupMapping. Do you get a 'member' or 'members' attribute for users?

What do you mean exactly? sambaGroupMapping is an attribute inside my dn cn=operations,ou=Group,dc=dc,dc=local,dc=domain. The DN cn=operations,ou=Group,dc=dc,dc=local,dc=domain contains a list of members in that group and stores it in the attribute field 'memberUid' (as seen in my previous post).

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Thu Nov 03, 2011 1:38 am

@ckozler
Sorry, I didn't read your post all the way through. From your previous post I could see the only way is by using

lookup type: reverse
lookup attribute: membersUid
lookup member: uid

@epttmacias
I don't believe I saw a forward lookup possibility; though I will post some instructions on how you can check in the next ~15 minutes or so.

@barnic
I don't understand how your authentication is working if your connect user and password are wrong. Don't forget the connect user needs to be a full DN or like [username]@DOMAIN for AD.


I'm currently working on a mapping tab on the ldapdebug to try and resolve mapping issues quickly. I'm getting quite a lot of requests here and on the email.

Edit: actually, just thought of something better for the ldapdebug - give me a bit longer than 15 mins...
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Thu Nov 03, 2011 3:40 am

I've just uploaded PHP LDAP Debug V1.04 which contains some helpers for group mapping.

I will have to put some documentation together for this, though I will briefly explain what it does here and how to use it.

I'll start off by saying the latest debugger could be buggy as its code has become a mess and therefore, I've left 1.03 as an option.

Firstly, complete the authentication tab so that it completes a successful result.

Secondly, look at the attributes in the authentication results for groups. This could be in the 'memberOf' or 'groupMembership' LDAP attribute. If you find the attribute then you can use "Forward Lookup" however, if you CANNOT find any LDAP attributes relating to groups then you probably need to use "Reverse Lookup".

Forward Lookup
Click on the 'Group Mapping' tab in the ldapdebug and populate the 'Lookup Attribute' field under Forward Lookup with the attribute name you found in the previous step. Click on 'Show Result' to ensure a list of groups are shown.

Reverse Lookup
Firstly, you need to get a list of group attributes from the "Group DN" field. Put a full DN pointing at a group into this text box (e.g. cn=group1,o=company) then click 'Show Result'.

Secondly, find the LDAP attribute that contains members (i.e. cn=user1,o=company) then populate the name of that LDAP attribute into the 'Lookup Attribute' field under Reverse Lookup.

Thirdly, if the values inside the 'Lookup Attribute' are usernames and not DNs then use the User ID (e.g. uid) as the 'Lookup Member'.

Test with 'Show Result'.


This is tricky to describe in words. I may upload a video to [youtube] describing this process.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
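
The forward and reverse lookups described in the post above, as an added example over a constructed in-memory directory (not part of the thread and not JMapMyLDAP code). The function names, the user DNs, the one-entry-per-line mapping list and the rule that a mapping entry matches the leading part of a group DN are all assumptions. Requires PHP 7.1 or later.

```php
<?php
// Added example; constructed data, hypothetical function names.
// Attribute values are arrays, as PHP's LDAP functions return them.
$directory = [
    // group that lists usernames (the memberUid layout ckozler describes)
    'cn=operations,ou=Group,dc=dc,dc=local,dc=domain' => ['memberUid' => ['ckozler']],
    // group that lists member DNs
    'cn=group1,o=company' => ['member' => ['cn=user1,o=company']],
    // constructed user entries
    'uid=ckozler,ou=People,dc=dc,dc=local,dc=domain' => ['uid' => ['ckozler']],
    'cn=user1,o=company' => ['uid' => ['user1']],
    'CN=jdoe,CN=Users,DC=domain,DC=LOCAL' => [
        'memberOf' => ['CN=Employees,CN=Users,DC=domain,DC=LOCAL'],
    ],
];

/** Forward lookup: the user entry itself names its groups. */
function forwardLookup(array $dir, string $userDn, string $attribute): array
{
    return $dir[$userDn][$attribute] ?? [];
}

/** Reverse lookup: find group entries whose $attribute contains the user. */
function reverseLookup(array $dir, string $userDn, string $attribute, string $member): array
{
    // 'dn' compares the full user DN; anything else names a user attribute such as uid.
    $needle = $member === 'dn' ? $userDn : ($dir[$userDn][$member][0] ?? null);
    $groups = [];
    foreach ($dir as $dn => $entry) {
        foreach ($entry[$attribute] ?? [] as $value) {
            if ($needle !== null && strcasecmp($value, $needle) === 0) {
                $groups[] = $dn;
            }
        }
    }
    return $groups;
}

/** Parse "group dn : joomla id" lines into [dn, id] pairs, splitting on the last colon. */
function parseMappingList(string $list): array
{
    $map = [];
    foreach (preg_split('/\R/', trim($list)) as $line) {
        $pos = strrpos($line, ':');
        if ($pos !== false) {
            $map[] = [strtolower(trim(substr($line, 0, $pos))), (int) trim(substr($line, $pos + 1))];
        }
    }
    return $map;
}

/** Joomla group IDs for the LDAP groups found (case-insensitive leading-RDN match). */
function mapGroups(array $groupDns, array $map): array
{
    $ids = [];
    foreach ($groupDns as $dn) {
        $dn = strtolower($dn);
        foreach ($map as [$prefix, $id]) {
            if ($dn === $prefix || strpos($dn, $prefix . ',') === 0) {
                $ids[$id] = true;
            }
        }
    }
    return array_keys($ids);
}

$map = parseMappingList("cn=operations : 13\nCN=group1:26\nCN=Employees:25");
$cases = [
    ['uid=ckozler,ou=People,dc=dc,dc=local,dc=domain', 'reverse', 'memberUid', 'uid'],
    ['cn=user1,o=company', 'reverse', 'member', 'dn'],
    ['CN=jdoe,CN=Users,DC=domain,DC=LOCAL', 'forward', 'memberOf', 'dn'],
    ['cn=user1,o=company', 'forward', 'memberOf', 'dn'], // attribute absent: nothing maps
];
foreach ($cases as [$user, $type, $attribute, $member]) {
    $groups = $type === 'forward'
        ? forwardLookup($directory, $user, $attribute)
        : reverseLookup($directory, $user, $attribute, $member);
    printf("%s [%s/%s]\n  groups: %s\n  Joomla IDs: %s\n", $user, $type, $attribute,
        implode(' | ', $groups) ?: '(none)', implode(',', mapGroups($groups, $map)) ?: '(none)');
}
```

The last case is the failure mode seen throughout the thread: when the lookup attribute is not present on the entry being read, the lookup returns nothing and the user keeps only the default group.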

ckozler
Joomla! Apprentice
Posts: 5
Joined: Wed Nov 02, 2011 5:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ckozler » Thu Nov 03, 2011 3:44 am

ShMaunder wrote:
> @ckozler
> Sorry, I didn't read your post all the way through. From your previous post I could see the only way is by using
>
> lookup type: reverse
> lookup attribute: membersUid
> lookup member: uid

Tried it...user only gets the 'registered' group or whichever though they are a part of the 'operations' LDAP group :(.

Should I try your debug tools and report back?

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Thu Nov 03, 2011 3:54 am

Yep, try the debug tool. If it doesn't work in the debug tool then I'm not sure what to suggest - if you can code in PHP then see if you can get LDAP to print out your groups to screen; then send me the code and I'll either make changes to the plug-in or find the correct parameters.


I've already found a bug in the ldapdebug tool, but not sure if it extends to the plug-ins yet: I've only found this affecting AD where the Pre-Windows 2000 name is different from the Principal Name. When this happens, no groups are found in both forward or reverse lookups. Edit: actually, I don't understand this "bug". I will look into it further later.

Edit 2:
@ckozler
If you go to your phpLdapAdmin search, then type into the search filter membersUid=ckozler does it come back with result(s)? Also, did the "Sync Name" work or not? If it didn't then the whole plug-in is broke anyway.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

