The Joomla! Forum ™

Sorry that I've not been around for a while; had a big deadline to meet for uni. Anybody that has emailed me in the last 2 weeks will get replies this weekend.

@trgriffith - have you tried port 3268 (AD global catalog) ?

@forkman - I'm not sure how much I can help. This sounds like a security policy that has been configured somewhere. I will try to find out what is going on over the weekend when I get time.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

As a few people have asked me, I will quickly summarise the current progress of version 2.x.

Group mapping has been ported to a new plug-in called 'LDAP - Group Mapping' - this plug-in uses mostly the same libraries as version 1's group mapping. I believe this works as well as version 1.

The new profile plug-in called 'LDAP - Profile' is taking me a lot longer to complete then expected. I have successfully got it syncing from LDAP to Joomla, though the reverse is giving me some headaches - there is some inconsistent behavior with PHP's LDAP when dealing with blank values. Also, the delimiting for multiple attribute values isn't quite complete yet.

The password plug-in doesn't exist in its own entity yet - don't expect this to be included in the first alpha.

JLog logging is being added which will help with debugging and audit trails. The code for version 2 is in the SVN (I will try to keep this up-to-date).

My main objectives for the release of Alpha 1 (should be out very early Jan) is completion of the profile plug-in, tidying up the new LDAP routines (it is spaghetti junction atm), and adding the on-demand sync in the component.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

@ShMaunder - If are my problems caused by internal security policy, I'll try to revolve them with our domain administrator. But it seems the plugin needs allowed login to domain controller for all users using it. For example Kerberos don't need it - this difference was the reason of my question.

Hello,

We're about to build a Joomla 1.7 intranet website which uses Active Directory. Would it be possible to have the main homepage or any page of this website detect who is currently logged into the workstation of this intranet and pass his/her credentials into the application without having him or her having to login to the site?

If not, is there a way that we could use a cookie to store the user login credentials after they log in for the first time so they wouldn't need to login to the website on future visits, and would we need to use another extension or maybe cookies to enable it to work this way?

Also, the user would not be accessing the Joomla 1.7 intranet website from anywhere outside of the intranet domain.

Thanks very much in advance,
Victoria

Thanks for JMapMyLDAP! Great product!

In my company, we have multiple LDAP servers (e.g., one for Europe, one for Asia, one for the Americas). What I want is to have 3 instances of the JMapMyLDAP, each with information for the different LDAP servers we use. Each would be tried and if any succeed, the user is logged in with the first one to pass.

How can I "install" 3 copies of the JMapMyLDAP, or otherwise how can I authenticate against each of these servers?

_________________
Steve Amerige, Fat Bear Incorporated, http://www.fatbear.com
Server Leasing | Web Software Development | User Experience & Graphic Design
Managed Services, Website, Java, and Source-Code Hosting

My goodness, its been a month since I last replied here - exam season finished.

@forkman - Hmm interesting, did you manage to fix this? All I could think of was security policy issues but I haven't had too much experience on this.

@llau34 - I'm sure you've resolved this now but the SSO HTTP should allow you to do this.

@fatbear - This must be a feature that people want; I've been asked how to query from more than one LDAP server at least 3 times now. I always assumed that everybody used trusts in the case of multiple directories to allow binding on a single LDAP server. OK, the only way I see is to create 3 authentication plug-ins (i.e. each with a unique name). To change the name to say, jmmLdap2 then:
1) extract the plg_authentication_jmapmyldap.
2) change the filename of both jmapmyldap.php and jmapmyldap.xml to jmmldap2.php and jmmldap2.xml. Also change the language files from en-GB.plg_authentication_jmapmyldap.* to en-GB.plg_authentication_jmmldap2.*
3) open the jmmldap2.php and change the class name definition from plgAuthenticationJMapMyLdap to plgAuthenticationJmmLdap2
4) open the jmmldap2.xml and change

to

Also change

to

5) Zip them up and try to install them into Joomla. You may want to change the display name of the extensions in the respected language file.

^ I haven't tested this so if you experience any problems then give me a shout on here, email or skype.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi,

this is a great plugin! i would like to know if it works also with Joomla 2.5?

Best Regards

@kanzy - I've heard it works with 2.5 but haven't fully tested it myself. There is a non-fatal error that is presented during the installation due to no client_id in the XMLs (well I think thats the problem). This shouldn't cause any problems though.


I will add some extra SSO HTTP info to the site soon.
When using SSO HTTP you must ensure that you have either a AUTH_USER OR REMOTE_USER defined somewhere in your phpinfo (J! Backend->Site->System Information->PHP Information). This is outside of Joomla and must be setup depending on your platform.

If you're using AD and Apache on Linux then you could use Kerberos to authenticate. This guide http://acksyn.org/diary/?p=460 is a very good resource to get things setup.

If you're using AD and Apache on Windows then you could use SSPI to authenticate. More information on this can be found here http://wiki.apache.org/httpd/ModAuthSSPI. A guide for setting it up can be found here http://docs.moodle.org/22/en/NTLM_authe ... on_Windows (remember that guide is for Moodle, so you will need to modify it slightly to work for Joomla).


EDIT: jmmLDAP 1.x works fine on Joomla 2.5.1 from what I tested. The error I mentioned above no longer happens. Guess it was fixed in J!.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hello Shaun!

I've been able to use your plugin suite with Open Ldap and Joomla! 2.5.1
I do have my users well created, and I try to setup group mapping...
Unfortunatly, and as other posters asked, could it be possible to assign the groups to an attribute ?

I also would like to be able to add multiple ldap servers...

Thanks for your help !

_________________
Enjoy J!

@crony - Just to make sure I'm on the same thinking; do you want to use attributes that are non DN's as the mapping (i.e. any string attributes). This wouldn't require much work to get working - just need an extra parameter to disable DN validation. As for multiple LDAP servers - I still do not have any working plans on getting this to work. For now you will need to duplicate the authentication plug-in.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Yes Shaun, I think this is it !
I'm not very good with this ldap thing, I hope you get it better with this explanation :
In fact, we do have proper statics groups using DN and populating these groups manually, but it concerns few applications, and it seems not relevant for our intranet.
So we use a simple attribute that specifies a group for most of our users, and this is this attribute I would like to use to populate the groups.

To duplicate the plugin I'll use the how to you provide to @fatbear, that's good enough

Thanks !

_________________
Enjoy J!

As I thought. OK, I think I will implement with an extra parameter called "Validate DNs" defaulted to Yes.

When it is set to Yes: full or partial DNs must be used in the mapping list. For example if the lookup attribute was set to "groupMembership", then the mapping list may contain "cn=public relations:4 [NEWLINE] cn=finance:7".

When it is said to No: full DNs or any string value can be used in the mapping list. For example if the lookup attribute was set to "department", then the mapping list may contain "Public Relations:4 [NEWLINE] Finance:7".

Should be easy to implement - I will be back soon.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hi,

I'm try to get your SSO plugin working, but no luck yet. (still have to login manually).

I get this debug message: SSO: Failed to authenticate user 'testuser'.

REMOTE_USER is available in phpinfo and has the username testuser. I'm a bit out of options what this could be.

@dthy - do you have a valid "Connect User" in the authentication plug-in? You may need to send over some of your config so I can try to work out what is going on. Unfortunately the debugging is total trash in these extensions and really doesn't provide much insight.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Shaun,
Sorry didn't saw your answer ! This will be great ! I have my test platform running if you need beta testers on Open ldap !

Thanks again , have a nice week-end !

_________________
Enjoy J!

First let me say your code saved me a ton of time (Thank You!), this is just because of our implementation here at The Clinic, I am required me to use Windows (2k8R2), IIS7, MySQL, and PHP5 for our web server.
I am certain there are others out there with this requirement.

To make this work it took me a couple days to get it right, but in the end I got it to go with only a couple modifications.
Just wanted to pass the modifications along to you so you could incorporate them if you wished, or at the very least help anyone else who runs into this issue.
I put the modified files into the attached zip file, I assume you guys can figure out what I changed pretty easily. (I provided in-line documentation and the folder structure to the two files are all in the zip file)

With these modifications your plugin should work on any platform as it no longer is dependent on Apache.
Basically I manually send the 'WWW-Authenticate: NTLM' header if the $remote_user string is empty or null, before assuming authentication failure and returning null.

Please also note how I had to make it map the name out of the data structure… I assume this is because you are getting the name in a module prior to where I am interjecting my code, but Joomla cries when it tries to make the new account with out this modification.
----I know there is a more eloquent way of doing that but I was kinda pressed for time so I just parsed the output of the “print_r($response->jmapmyentry, true);” command using a preg_match_all.
----If you could make it access the “[dn:protected]” piece of the array directly it would work better.

In http.php I found that the location of your implementation for the statement:
“if(is_null($remote_user) || $remote_user=='') return null;”
fails -> if the “WWW-Authentication: NTLM” header hasn’t been sent yet.

So I did this:

(NOTE: The return null on empty conditional statement most likely could go directly after the send header on empty conditional statement to avoid parsing null.)

Let me know if you update your extension I would be interested in seeing the final implementation for this aspect of your code.

Hi,

The plugin is great - I have 2 instances one for staff and one for student AD. I have mapped the student groups but something weird seems to happen on the first login - an alert error message comes up "LDAP can not have blank password", however the student is actually logged in and there are no problems. On the students second login there is no issue. Any ideas? - how can I prevent the error coming up (Joomla 2.5.1)

Also, how difficult would it be to map fields from an AD user field to a field in Joomla? I want to populate a profile file in Joomla containing the students enrolled courses - this data is stored in a field in their AD profile,

regards

Mike

actually, I setup my 1.5 by using this method long time ago, just duplicate the plugin and change two or three parameters, then you will have another set ldap plugin, lets say if you have 3 domain, then make sure 3 ldap plugin there, each set with the corresponding AD info, the joomla authen process will search the available login plugin to do the process. by the way, what i want to do is, since some users may have account in the 3 domains, such as the administrator, if set it in this way, the authen process will look into the ldap from top to down position, so, this will have problem with the login on the lower position plugin with the same account name, in order to handle this problem, i think the most easy way is to modify the mob_login, make a domain drop down menu, and let user to select the suitable domain, the selection will call the suitable domain plugin to carry the process, this can make sure the account will go to the target domain, which will avoid the above problem. however, i 'm not a programmer, even go to make such a simple domain selection and call corresponding ldap plugin, anyway know how to modify it?

Can this plugin do the other way round? I have joomla 2.5 installation configured to accept user logins from opeldap. Than i have some other sensitive sites which are protected with apache basic auth via ldap. They are placed inside joomla via iframe. So is it possible that a user logins from the joomla frontend and when he reaches the sensitive iframe - his credentials are passed to apache?

P.S. If it is not possible with this plugin - maybe some suggestions where to look for it?

Hello and really thanks for the plugin. I have gotten it working and now I can authenticate my intranet users on LDAP using the plugin.

The next aim is to allow users edit their LDAP profiles and I landed on your documentation about LDAP-Profile.

The download link in the post is below:

http://shmanic.com/media/file.php?proje ... ap_profile

Unfortunately, the link is broken as it generates an invalid file error on trying to download it. I will highly appreciate it if you sent me another link.

Meanwhile, thanks for the plugin

anyone can help to modify the mod_login in order to use muti domain login? please

Hello Shawn,

Hope I'm not pushing too much but assigning the groups to an attribute is a feature that I really need now...
Any idea of a possible release ? Of a v2 maybe ?
Thanks so much !

_________________
Enjoy J!

Sorry guys, I've been ill and University has got a bit insane lately.

I will get through the posts above in time though if you have a quick question - or have a problem that shouldn't take too long to fix then IM me on Skype (shaun.maunder). I'm also responding to emails rather slowly until University disappears.

JoomlaCode SVN is no longer being updated for version 2 at the moment. The latest is here https://github.com/ShMaunder/JMapMyLDAP - I will include a full build script and 'template' directory so everyone can build their own packages automatically to install directly into Joomla 2.5. I may also release an alpha (or beta) after I get SSO back in.

@crony - Hopefully will have something by the weekend's end.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hello ShMaunder,

I've been trying out your plugin and works great!
But I've some problems with group Mappings. All users are added to group Registered, and y don't know why.

I've tryied ldapdebug.php and this is the result:
http://imageshack.us/f/15/ldapdebug.png/
Edit:
solved errors Map User ID-->dn
and Map Full Name-->name
(this is also the current configuration in Auth Plugin)


I think, the correct configuration in user's plugin is:
Use Group Mapping: Yes
Allow Additions: Yes
Allow Removals: Yes
Unmanaged Groups: 1,2,8
Public Group: 1

Mapping List: CN=G_Recepcion,OU=Recepcion,OU=Staff,OU=CCAFONO,DC=XXXXXXXX,DC=com
Lookup Type: Forward
Lookup Attribute: MemberOf
Lookup Member: dn

Do you know, what I'm doing wrong?
My joomla version is 2.5.2

Many thanks

OMG!

I found the problem:
In the Plug-in: User - JMapMyLDAP>Access, the option selected was Registered. I change it to Public, and all my headaches go away! This option is selected by default?!?

Thank you for your plugin! It's really, really interesting and useful!

@threemcc - not sure if i replied via email. Anyway, it looks good - may have to add an extra parameter depending on how this code performs on non-IIS platforms otherwise I will certainly add in version 2. Thanks!

@chrisyeung168 - yea, this makes sense. Much better then attempting each LDAP server in order. Modifying a new version of mod_login shouldn't be too difficult. Without checking, I think we can use the $options to store the domain from the module to the authentication plug-in (bit like the remember me from module to user plug-in). This certainly isn't for V2. I guess the best thing to do is drop the J! parameters currently used on the jmmLDAP authentication and either use a new SQL table or use config files to store multiple configurations.

@tisugol - I haven't got a clue. Guess you would want to send Joomla's session ID over the iframe, then on the iFrame script check it against local cookies, get the username from it then set the header for username HTTP then redirect. <- that is a total guess without any research.

@amwotil - The documentation has been posted early. It refers to version 2 that still doesn't have any releases. Look at https://github.com/ShMaunder/JMapMyLDAP for the latest code.

@pop3 - Bit weird. That certainly shouldn't be defaulted to Registered. The plug-in XML doesn't specify anything so I would guess that Joomla decided to default to it.


Ah yea, the ?nosso variable is bugged since 1.7 (only worked for 1.6 that is). The J! routing is removing the variable on a redirect. I guess session variables will need to be set for this now.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Shaun,

Sorry for the dumb question...
I've installed the release 1.05 of pkg_jmapmyldap.zip.
Then I've been there :
https://github.com/ShMaunder/JMapMyLDAP
And downloaded the archive generated.
For the upgrade, I guess I need to launch the build.sh in the console but :

I just have to upload the all directory unziped of the new archive, then launch the build.sh on the root directory ?

Also, it seems ther's a bug with Community Builder, first authentification works, then, at 2nd time it does not...
CB team has fixed a bug very recently on CB 1.8 (available next release or on the forge) but there was something else wrong, and seems to be related to your plugin.
Just to let you know...I'll come back with more infos soon...
Thanks !

_________________
Enjoy J!

Theres gonna be a few things to note about version 2. One is that I haven't generated a script for an upgrade path yet. So the "User - JMapMyLDAP" is gonna get left behind. You'll have to manually disable this. Edit: actually, I would go as far as removing all of version 1 before installing version 2.

I forgot to adjust the build script to take the current directory as the trunk. It currently takes TRUNK="$DIR/git" and should be TRUNK="$DIR". I will upload the template directory (probably rename it to extras to avoid confusion) and make this little adjustment once my Internet at home restores itself. Then run the build script something like "bash build.sh", type in a version like "2.0.0.25", then all the packages should be built inside the directory 2.0.0.25/public/. I'll add these instructions to the build script itself. I'll further test this script on a Mac as well.

I haven't done the direct string comparasion yet btw on version 2 - hopefully will figure out a quick way to do it either tonight or tomorrow night.

As for CB - I shall investigate. At a guess, its probably to do with the bodge job in jmmLDAP version 1's user plugin (like setting the login session maybe). Wonder if its the same for version 2 as it doesn't use a user plugin or set the login session.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/

Hmm...Ok
Thanks !

_________________
Enjoy J!

Right, I believe that packages are now being built correctly. If anybody can test building them, then install into a clean test Joomla (e.g. no version 1 installed) that would be great.

I still have to do:
- Direct string comparison / Disable DN validation (as described some posts back)
- SSO

If you don't need those things above then go ahead and try using version 2.

To build package (Mac/Linux with xmlstarlet package installed):
1) Download the git repository https://github.com/ShMaunder/JMapMyLDAP (e.g. "git init && git pull git://github.com/ShMaunder/JMapMyLDAP.git" or download a zipball).

2) Run build.sh with "bash build.sh".

3) Put some random version in like "2.0.0.30" then press enter.

4) If no errors occurred, then ./_build/2.0.0.30/public/ should contain all the installable Joomla packages.

5) Try to install pkg_ldap_core & pkg_ldap_profile & pkg_ldap_mapping.

6) You must enable "System - LDAP Dispatcher" for anything to work. Also either using "Authentication - LDAP" or "Authentication - JMapMyLDAP" should work though JMapMyLDAP one is better.

Documentation for the profile is online.

Note: in components->ldap admin->options there are global ldap options such as logging levels.

_________________
Shaun Maunder
JMapMyLDAP extensions - Joomla! 1.7/2.5 LDAP Group Mapping & SSO
http://shmanic.com/tools/jmapmyldap/