LDAP Group Mapping

uriah_hittite
Joomla! Apprentice
Posts: 36
Joined: Tue Sep 16, 2008 12:11 pm
Location: Australia

Re: LDAP Group Mapping

Post by uriah_hittite » Thu Jun 18, 2009 3:14 am

I am sooooo close to getting this to work.

I have LDAP authentication set up and working and I am trying to get the group mapping going. I have followed all of the steps in this post and it has all worked..... except the group mapping from AD.

My problem is that when a new user is added, they are only added as a "Registered User" even if they are actually part of a different group in AD.

I tried the usersourcechecker in the JDiagnostics plugin and it works fine. Any of the users I try here are found and the group they are part of in AD is found. I tried this step again but this time ticked the option to Attempt Autocreation and it worked.... it added the user to the Joomla user group list.

So why will it not add them to the correct group when I try to log in to the frontend? I really want to get this going soon please....... Help please ??!!
"What a magnificent shot!
........ No, he's out." - Tony Greig

uriah_hittite
Joomla! Apprentice
Posts: 36
Joined: Tue Sep 16, 2008 12:11 pm
Location: Australia

Re: LDAP Group Mapping

Post by uriah_hittite » Thu Jun 18, 2009 4:23 am

;D ;D ;D ;D ;D ;D ;D ;D ;D

I did it!!!

I needed to install the System - JAuthTools Synchronization Plugin and make sure that the "Demote Users" option is set to "YES".

I can now die happily.

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Thu Jun 18, 2009 6:01 am

Great to hear you managed to get it sorted at the same time I read you were trying to solve it (I like those threads). Good luck with stuff into the future :)
Sam Moffatt
Updater, Installer and Authentication Systems
JoomlaCode Backend Systems
Pie.

uriah_hittite
Joomla! Apprentice
Posts: 36
Joined: Tue Sep 16, 2008 12:11 pm
Location: Australia

Re: LDAP Group Mapping

Post by uriah_hittite » Fri Jun 19, 2009 1:01 am

Thanks Sam. Thank you so much for all the hard work you have done with JAuthTools etc. Your plugins have been a huge help for me.

You deserve a lot of recognition.

andy88
Joomla! Apprentice
Posts: 8
Joined: Tue Aug 11, 2009 2:38 pm

Re: LDAP Group Mapping

Post by andy88 » Thu Aug 13, 2009 8:28 am

Hi Sam,

great work on the tools, however, another question.

I assume the mapping in Joomla happens after the user is created and is first set to registered. I want a user menu on my site whose visibility is set according to the group (I have my own groups specified in Joomla with different rights, with the help of noixACL). Now the mapping works, however when I log in for the first time it displays the User Menus for the Registered User Type, and when I check the User Manager screen at the same time it does say the appropriate group for the newly created user. So I have to log out and log in again.

Do you have any idea on how to fix this? Or maybe a way to work around this?

Perhaps a message when a user logs in for the first time saying "User successfully created, please log in again".

If this doesn't make sense I have another topic in which I explain this problem, but I'm afraid it might get overlooked:
http://forum.joomla.org/viewtopic.php?f=470&t=429757

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Thu Aug 13, 2009 12:32 pm

Hi Andy,

It is strange that the permissions aren't being set properly within the session initialisation. Your idea in the other post is mostly accurate but switch 4 and 5 around and I think what is happening is that the session isn't properly being updated but the database is set. I'd have to have a hunt through the code. I know there is some magic where the code fakes the group ID to update the account in case the user wouldn't ordinarily be able to update themselves but it might not be after that properly switching the user account across and resetting the permissions in the session which is why the login/logout appears to resolve the situation.

Just looking through there appears to be a slight bug in the way it resets the group ID's, so I'll need to do some testing and ship a fix for it when I get some time (ha!). Will add a review of it to my long list.

andy88
Joomla! Apprentice
Posts: 8
Joined: Tue Aug 11, 2009 2:38 pm

Re: LDAP Group Mapping

Post by andy88 » Thu Aug 13, 2009 1:30 pm

Thanks for the quick response, and also for all the support given so far to other users which helped me as well.

I think I understand what you're saying (after reading a couple of times over :)
Do you have an idea where I should be looking to try and fix the bug myself, and take some work off your hands at the same time?

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Thu Aug 13, 2009 1:52 pm

Have a look through the libraries/jauthtools/usersource.php file, there are a few lines that relate to setting/getting the gid of the user object - there is a get that should be a set in one of the chunks but that shouldn't be causing the issue you're seeing. I think your issue is relating to the session's aid and gid being out of sync because they get set before the user logs in but I'd have to work through to check that is indeed the case because the user source system plugin triggers very early in the Joomla! execution. An alternative might be to grab the adv ldap module and have it run the user source plugins and see if this makes a difference. It would effectively run the same code but in a slightly different order.

andy88
Joomla! Apprentice
Posts: 8
Joined: Tue Aug 11, 2009 2:38 pm

Re: LDAP Group Mapping

Post by andy88 » Thu Aug 13, 2009 3:14 pm

Code: Select all

if($user = $this->discoverUser($username)) {
	$my =& JFactory::getUser(); // get who we are now
	$oldgid = $my->get('gid');
	$my->set('gid', 25); 		// and fake things to bypass security
	$result = $user->save(); 	// save us, now the db is up
	if(!$result) {
		JError::raiseNotice(1, 'User creation failed: '. $user->getError());
	}
	$my->set('gid', $oldgid);	// set back to old value (1st bold)
	//return $result;		// (2nd bold)
	break;
}
This is "C:\xampp\htdocs\Intranet\libraries\jauthtools\usersource.php", in the method "function doUserCreation($username)".

the 1st bold text is what you were talking about I think, I have changed this to 'set'
the 2nd bold is what I commented out, and everything still works. So I'm thinking "if($user = $this->discoverUser($username)) " returns false, and thus the user is getting his gid set somewhere else?

You're also talking about 'aid' and out of sync with the session, but I haven't found anything like that yet. This might all be a bit out of my league though, I'm pretty new to Joomla and PHP, but not to OO so I thought I'd give it a shot. I wish there was some kind of Debug-tool to see the page getting generated and the DB Access.

Also some side information, my server is running Windows 2003 and my LDAP users come from AD.
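
The get/set mix-up discussed in the post above, as an added example that is not part of the original thread or of JAuthTools. `StubUser` is a hypothetical stand-in for the Joomla user object; the two helpers contrast a restore line written with `get` against one written with `set` inside `try`/`finally` (PHP 5.5 or later).

```php
<?php
// Added example. StubUser is a hypothetical stand-in for the Joomla user object;
// its get()/set() mirror the getter-with-default and setter used in the snippet.
class StubUser
{
    private $props = array();

    public function __construct($gid)
    {
        $this->props['gid'] = $gid;
    }

    // The second argument is only a fallback for a missing property.
    // It never writes anything.
    public function get($name, $default = null)
    {
        return isset($this->props[$name]) ? $this->props[$name] : $default;
    }

    // Stores the value and returns the previous one.
    public function set($name, $value)
    {
        $previous = $this->get($name);
        $this->props[$name] = $value;
        return $previous;
    }
}

const ELEVATED_GID   = 25; // value faked in the posted snippet
const REGISTERED_GID = 18; // constructed starting value for the demo

// Restore line written with get(): the elevated gid stays on the object.
function createWithGet(StubUser $current, $save)
{
    $oldgid = $current->get('gid');
    $current->set('gid', ELEVATED_GID);
    $result = call_user_func($save);
    $current->get('gid', $oldgid); // reads gid, discards it, restores nothing
    return $result;
}

// Restore line written with set(), placed in finally so that a save that
// throws cannot leave the elevated gid behind either.
function createWithSet(StubUser $current, $save)
{
    $oldgid = $current->get('gid');
    $current->set('gid', ELEVATED_GID);
    try {
        return call_user_func($save);
    } finally {
        $current->set('gid', $oldgid);
    }
}

// Post-condition a caller or test can enforce around any such helper.
function gidUnchangedAfter(StubUser $current, $helper, $save)
{
    $before = $current->get('gid');
    try {
        call_user_func($helper, $current, $save);
    } catch (Exception $e) {
        // a failed save must not change the outcome of the check
    }
    return $current->get('gid') === $before;
}

$ok   = function () { return true; };
$fail = function () { throw new RuntimeException('constructed save failure'); };

foreach (array('createWithGet', 'createWithSet') as $helper) {
    foreach (array('save ok' => $ok, 'save throws' => $fail) as $label => $save) {
        $kept = gidUnchangedAfter(new StubUser(REGISTERED_GID), $helper, $save);
        printf("%-14s %-12s gid restored: %s\n", $helper, $label, $kept ? 'yes' : 'NO');
    }
}
```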

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Fri Aug 14, 2009 8:25 am

I wrote an entire post out and then decided to change my mind.

Ok, so the library should be modified to a set instead of a get, that's cool and you've got that.

What I think you need to do is in the sync plugin grab the user object [$user =& JFactory::getUser()] and then reload them [$user->load($user->get('id'))] as well as doing a quick once over by setting the AID (access ID, either 0, 1 or 2) and the group name. That will update the user object in the context and you will then need to update the session as well. You can grab the code to do that (both the session and the AID stuff) out of the /plugins/user/joomla.php file and you should be able, with some modification, to put it into the synchronisation plugin and everything might work then.

sneadm
Joomla! Intern
Posts: 77
Joined: Tue May 05, 2009 12:48 pm

Re: LDAP Group Mapping

Post by sneadm » Sat Aug 15, 2009 6:24 pm

I think I have done what you had in mind Sam. I've added the following code to usersource.php following line 109.

Code: Select all

				// UPDATE SESSION ARRAY
				$instance = $my;

				// Get an ACL object
				$acl =& JFactory::getACL();

				// Get the newly updated user group from the ACL
				if ($instance->get('tmp_user') == 1) {
					$grp = new JObject;
					// This should be configurable at some point
					$grp->set('name', 'Registered');
				} else {
					$grp = $acl->getAroGroup($instance->get('id'));
				}

				// Update the aid to 2 for Authors, Editors, Publishers and Super Administrators into the special access group
				if ($acl->is_group_child_of($grp->name, 'Registered')      ||
					$acl->is_group_child_of($grp->name, 'Public Backend'))    {
					$instance->set('aid', 2);
				}
				//Set the usertype and gid based on the ACL group name
				$instance->set('usertype', $grp->name);
				$instance->set('gid', $grp->id);

				// Register the needed session variables
				$session =& JFactory::getSession();
				$session->set('user', $instance);
							
I'm pretty new to coding in Joomla so I don't know if I've done something that's not kosher but it seems to be working on my site. If I change a group membership in Active Directory, the first time the user signs on, they have the new privileges. I also tested signing on for the first time as a user with publisher privileges and they took the first time.

Hope this helps.
Mark

slysly911
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 20, 2009 8:58 am

Re: LDAP Group Mapping

Post by slysly911 » Thu Aug 20, 2009 9:18 am

Hi,
I'm trying to use the LDAP group mapping but it didn't work...
The LDAP authentication works fine but there is no mapping with my LDAP group and the users are created in the Registered Joomla Group.

I followed Sam's JAuthTools install guide, but when I'm trying to test with the usersourcechecker, I get the following message:
"PHP Warning: Missing argument 2 for plgUserSourceLDAP::plgUserSourceLDAP(), called in E:\RSI_BN\administrator\components\com_jdiagnostic\diagnostics\usersourcechecker\usersourcechecker.php on line 47 and defined in E:\RSI_BN\plugins\usersource\ldap.php on line 40 PHP Notice: Undefined variable: params in E:\RSI_BN\plugins\usersource\ldap.php on line 41"

I'm a brand new user of Joomla and PHP, so does anybody have an idea how to fix it?

(sorry for my English...)

sneadm
Joomla! Intern
Posts: 77
Joined: Tue May 05, 2009 12:48 pm

Re: LDAP Group Mapping

Post by sneadm » Thu Aug 20, 2009 11:49 am

I changed line 47 of usersourcechecker.php from

Code: Select all

				$plugin = new $className ($this);
to

Code: Select all

				$plugin = new $className ($this, (array)$plugin);
And that solved the problem. If I recall though, I was still getting a valid result returned. I would suggest reading this doc on the wiki http://sammoffatt.com.au/jauthtools/JAu ... 5_and_MSAD and try installing one of the LDAP browsers. This will let you see exactly what the memberOf attribute has in it so you can match it.

slysly911
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 20, 2009 8:58 am

Re: LDAP Group Mapping

Post by slysly911 » Thu Aug 20, 2009 1:05 pm

sneadm wrote:I changed line 47 of usersourcechecker.php from

Code: Select all

 $plugin = new $className ($this);
to

Code: Select all

 $plugin = new $className ($this, (array)$plugin);
And that solved the problem. If I recall though, I was still getting a valid result returned. I would suggest reading this doc on the wiki http://sammoffatt.com.au/jauthtools/JAu ... 5_and_MSAD and try installing one of the LDAP browsers. This will let you see exactly what the memberOf attribute has in it so you can match it.
I changed that line and the message goes away, but there is no result. The page is still the same (no result section) so I can't find what the problem with the mapping is.
For the memberOf attribute the mapping seems to be well defined.

sneadm
Joomla! Intern
Posts: 77
Joined: Tue May 05, 2009 12:48 pm

Re: LDAP Group Mapping

Post by sneadm » Thu Aug 20, 2009 4:39 pm

Have you used an LDAP browser to see exactly what is in the memberOf attrib for your user? Remember, it is completely case sensitive.

slysly911
Joomla! Fledgling
Posts: 3
Joined: Thu Aug 20, 2009 8:58 am

Re: LDAP Group Mapping

Post by slysly911 » Fri Aug 21, 2009 6:42 am

Hi,
Yes, I used JXplorer LDAP Browser to see what I have as memberOf for my user. My user is a member of 7 groups and the one I've created for Joomla is "CN=_UGSL10_AdminIntra,OU=Groupes Fonctionnels,OU=10-Basse-Normandie,OU=Caisses RSI,DC=ilc,DC=eic,DC=intra".
In the "User Source - LDAP" plugin I put "CN=_UGSL10_AdminIntra,OU=Groupes Fonctionnels,OU=10-Basse-Normandie,OU=Caisses RSI,DC=ilc,DC=eic,DC=intra;25;Super Administrator;999" for Group Map (as defined here: http://sammoffatt.com.au/jauthtools/JAu ... 5_and_MSAD).
When I logged in with my user (for the first time), the user was created in the Joomla base as a Registered User and it stays as Registered; it never becomes a Super Administrator (I logged in then logged out 4 or 5 times).

sneadm
Joomla! Intern
Posts: 77
Joined: Tue May 05, 2009 12:48 pm

Re: LDAP Group Mapping

Post by sneadm » Fri Aug 21, 2009 11:23 am

That looks correct. Assuming all your other parameters are set as outlined in the wiki article, all I can suggest is to insert this code into various places in the usersource module and see what's happening. (Replace $myvar with the variable you want to see)

Code: Select all

jimport('joomla.utilities.utility');  
echo JUtility::dump($myvar);  
It may be an issue with the loop through the groups. You might also try another group in the list and see if that works.

andy88
Joomla! Apprentice
Posts: 8
Joined: Tue Aug 11, 2009 2:38 pm

Re: LDAP Group Mapping

Post by andy88 » Mon Sep 07, 2009 7:45 am

@Sneadm, Sam:

the "out-of-sync" bug works perfectly, thanks a lot!

jmaurin
Joomla! Apprentice
Posts: 5
Joined: Thu May 22, 2008 10:38 pm

Re: LDAP Group Mapping

Post by jmaurin » Tue Sep 15, 2009 2:33 pm

Hi!

I need some help, can't get groupMap to work :|

In the usersource\ldap.php, this line:

Code: Select all

		$userdetails = $ldap->simple_search(str_replace("[search]", $user->username, $this->params->getValue('search_string')));
Returns a null array. In the search function of client\ldap.php, I've put some debug information on the queries....

Code: Select all

		foreach ($filters as $search_filter)
		{
			$search_result = ldap_search($resource, $dn, $search_filter);
			//$info = @ldap_get_entries($ds, $search_result);
			echo "<br><br><br>DN: $dn<br>Filtro: $search_filter";
			echo "<br>Resultados: ".ldap_count_entries($resource, $search_result);
			echo "<br>$resource";
			if ($search_result && ($count = ldap_count_entries($resource, $search_result)) > 0)

And got this:

Code: Select all

DN: DC=hepdc,DC=hcrp,DC=fmrp,DC=usp,DC=br
Filtro: (userPrincipalName=jmceara@hepdc.hcrp.fmrp.usp.br)
Resultados: 1
Resource id #19


DN: DC=hepdc,DC=hcrp,DC=fmrp,DC=usp,DC=br
Filtro: (userPrincipalName=jmceara@hepdc.hcrp.fmrp.usp.br)
Resultados:
Resource id #24
Looks like the first query is working fine (maybe for auth user?), but for the second (which is for update user/get user map) I can't get a valid result, but no error...

The search filters are fine (CASE is ok), as you can see the first query works fine....the problem is with the second. Any idea of what's wrong?

Tks!

jmaurin
Joomla! Apprentice
Posts: 5
Joined: Thu May 22, 2008 10:38 pm

Re: LDAP Group Mapping

Post by jmaurin » Tue Sep 15, 2009 4:55 pm

Solved :D

I think this is a BUG. In usersource\ldap.php, the function "doUserSync" tries to connect to the LDAP server but doesn't pass any parameter (no username/password). IF your server allows anonymous bind, the system should use "anonymous_bind" instead of "bind", right?
Since my system doesn't allow anonymous bind, I've changed some functions to send username and password to the LDAP connection.

file advldap.php
Change:

Code: Select all

$sync->doUserSynchronization($credentials['username']);
to

Code: Select all

$sync->doUserSynchronization($credentials['username'],$credentials['password']);
file usersource.php, function doUserSynchronization
Change:

Code: Select all

if($user = $plugin->doUserSync($username)) {
to

Code: Select all

if($user = $plugin->doUserSync($username,$pwd)) {
file usersource\ldap.php, function &DoUsersync
change:

Code: Select all

function &doUserSync($username) {
to

Code: Select all

function &doUserSync($username,$pwd=null) {
and change (inside the same function)

Code: Select all

if (!$ldap->bind()) {
to

Code: Select all

if (!$ldap->bind($username,$pwd)) {
And everything works fine now! :)

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Tue Sep 15, 2009 11:15 pm

@jmaurin: I'm not quite sure what you're doing but instead of hacking the code I suggest filling in the connect username and password as it appears you're using Active Directory. The connect username and password are used to bind to the service. At that point you should probably switch to the search and bind method as well if you haven't already.

fmarvel
Joomla! Apprentice
Posts: 6
Joined: Mon Oct 19, 2009 4:17 pm

Re: LDAP Group Mapping

Post by fmarvel » Mon Nov 02, 2009 8:36 pm

dgbrad,

I have windows 2003 running IIS 6.
I have installed com_advancedtools.tgz, and the core packages: helper, sso, usersource; and plgSSOHTTP.tgz; plgUserSourceLDAP, AND plgSystemSSO.

In the usersource-LDAP plug-in, I have mapped:
CN=JoomlaAdmin,CN=users,DC=vista,DC=ese,DC=com;25;Super Administrator;20
CN=JoomlaPublisher,CN=users,DC=vista,DC=ese,DC=com;21;Publisher;20
CN=JoomlaFrontEnd,CN=users,DC=vista,DC=ese,DC=com;29;Public Frontend;20

I run JDiagnostic and run usersourcechecker and it reports my login as super user.

I run SSO Checker and it reports me found:
Plugin plgssohttp found user marvel

I think everything is doing fine. But how do I use it?
It still asks me to log in. How do I tell the Joomla system to use the HTTP SSO user that it authenticates successfully when I run SSO checker?

Or does anyone have a screenshot of how it looks like when joomla works on an intranet site with windows 2003 MSAD to give me a hint of how to do? Thank you.

fmarvel
Joomla! Apprentice
Posts: 6
Joined: Mon Oct 19, 2009 4:17 pm

Re: LDAP Group Mapping

Post by fmarvel » Mon Nov 02, 2009 11:40 pm

I figured something out, but something else is up.

This refers to the previous post addressing to dgbrad.
What happens is that somehow the Joomla login module keeps showing that username/password form every time I open the home page. I believed I had everything set up correctly and tested with usersourcechecker. The LDAP group maps are showing results in usersourcechecker, but why do I have to log in? So, I decided to try some tests. I went into administrator, using admin, and logged in.
As I know, admin still uses Joomla authentication, and that is the only way to get into the administrator site. So, I went in and disabled the login module, to see if it shows whether I am in or not. Well, nothing happens. I still don't know if this SSO is working or not. So, I went back into the admin website again and made the license document not accessible to public but registered. I then went back to the public front end site and clicked on the Joomla license document link. Here it asks me to log in, with that ubiquitous login form. I log in and it says you are in a private area. I clicked around a few times and finally saw the license document. I then closed IE and opened it again, and tried to open the license document, and voila, it shows the document right away. No more login necessary. I guess finally it is actually working.

Happy, but then...

The administrator site is not working any more. I click on the administrator link and it takes me right to the control panel; at first, awesome, since I am a super admin, when I saw the control panel page, it was wonderful. But when I click on any of the links, such as plug-in manager, it asks me to log in. I use my login and it won't let me. User admin now does not work anymore, and that is the bad part.

The question is, (1) why would it show the front page for me since I am a Super admin, but I cannot access the rest of the links?

And (2), why can user admin not log in anymore?

Can anyone shed some light on this please? Thx much.

Ochosias
Joomla! Fledgling
Posts: 1
Joined: Thu Nov 19, 2009 12:20 pm

Re: LDAP Group Mapping

Post by Ochosias » Thu Nov 19, 2009 12:46 pm

Hi everybody,

I am working on an intranet, and I am using OpenLDAP installed on Debian, and all my users are in LDAP, but not in Joomla!. The connection is working fine, when I log for the first time on my intranet, the user is created in Joomla, and if I delete it in Joomla, it's deleted from LDAP too. So for this point, everything is going well.

My problem is about the group of this user: I can't define different groups, all users have the default group "Public Front-end" and I can't modify it. I would like to define some Registered users and some Authors. The same goes for all the information about the user: I can't change the name, or the mail, or any information. (Looks like it can't update LDAP; when I try to change the information in the back-end, I get this error: LDAP Modify failed: Object class violation)

I already installed Advanced LDAP, JAuthTools Synchronization Plugin, User Source - LDAP, and User - LDAP. Do I have everything with that, or do I need SSO or SSI plugins ? I don't really understand what they do.

I was also trying to change the user source configuration. I tried almost everything, so either I didn't try the right solution, or the problem is not here. This is the configuration I use in the user source plugin:
Map User Blocked = loginDisabled
Map User Groups = gidNumber
Map Group Members = memberUid
Group Map = cn=profs,ou=groupes,dc=esirem,dc=fr;19;Author;30
Use reverse group membership Yes
Authenticate Group Search No
Use recursive group membership No
Use iconv No

I also put Demote Users to Yes in JAuthTools Synchronization Plugin.

If you see any problems, or if you have any suggestions, please help me, I'm working on this for two weeks.

Regards,

pasamio
Joomla! Ace
Posts: 1318
Joined: Thu Aug 18, 2005 9:27 am
Location: San Jose, CA, USA

Re: LDAP Group Mapping

Post by pasamio » Fri Nov 27, 2009 2:32 am

@fmarvel: The session munging was historically an issue with multiple SSO hits at the same time when session replacement mode is enabled. Can you dump a full copy of your params for the System SSO plugin (grab the id from the right hand side of the plugin manager and use the param dumper in jdiagnostic to get a copy of it) so that I can have a quick look at what you've got. It sounds like something is detecting your session and munging it. There should be an option to disable the plugin from operating in the admin area so presuming you've enabled this then you've got something else happening. Doesn't look like you've got the sync plugin installed which is the only other thing that could possibly munge the session for you (by sync'ing you into something else). It is also possible that you're somehow triggering a bug; however, if it's disabled in the backend and you're seeing that in the back end I can't see why that should be causing that problem.

@Ochosias: The default group for people is set by the global configuration. If you grab the Advanced LDAP plugin you can run it through the user source system and get it to pick up some more stuff and behave a bit better. The work on the User - LDAP plugin at the moment is only aimed at meeting the basic needs, I'm trying to find some time to make it a bit better and more robust. Have you put in the Joomla! schema def's from the wiki into your LDAP directory?

Desperad0
Joomla! Fledgling
Posts: 1
Joined: Tue Dec 01, 2009 12:00 am

Re: LDAP Group Mapping

Post by Desperad0 » Tue Dec 01, 2009 12:10 am

Hi!

I've got a similar problem as Ochosias.
I can't get the group mapping working.
It looks like:

Code: Select all

cn=users,cn=groups,dc=ldap,dc=company,dc=com;18;Registered;10
cn=team,cn=groups,dc=company,dc=com;21;Publisher;50
cn=supervisor,cn=groups,dc=cmopany,dc=com;24;Administrator;90
cn=admin,cn=groups,dc=ldap,dc=company,dc=com;25;Super Administrator;100
But, every time I look for usersourcechecker, I get:

Code: Select all

plgusersourceldap
Username:	user1
Name:	Fullname
Email:	user1@company.com
User Type:	Public Frontend (Group: 29)
Blocked:	No
Errors:	
And my usersource settings are:

Code: Select all

Map User Blocked 	
loginDisabled

Map User Groups 	
gidNumber

Map Group Members 	
memberUid

Group Map 	
cn=users,cn=groups,dc=ldap,dc=company,dc=com;18;Registered;10
cn=team,cn=groups,dc=company,dc=com;21;Publisher;50
cn=supervisor,cn=groups,dc=cmopany,dc=com;24;Administrator;90
cn=admin,cn=groups,dc=ldap,dc=company,dc=com;25;Super Administrator;100

Use reverse group membership 	Yes

Authenticate Group Search 	No

Use recursive group membership 	No

Use iconv 	No Yes
Original Encoding (e.g. ISO8859-1) 	
Target Encoding (e.g. your database) 	
We use an OpenLDAP server, where the group members are held inside the groups under the memberUid flag.

Can somebody see a fault in the configuration? Or have a hint for debugging the group mapping?

Thanks :)

Desperad0
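
A lint pass over Group Map lines such as the ones posted above, as an added example (not code from JAuthTools or from this thread). It assumes the four fields are DN;gid;group name;priority and that the highest priority wins; the group memberships at the bottom are constructed sample values.

```php
<?php
// Added example, not JAuthTools code. Assumed field order: DN;gid;group name;priority.
// Assumed rule: when several lines match, the highest priority wins.

// gid/name pairs that appear in this thread.
$knownGroups = array(
    18 => 'Registered', 19 => 'Author', 21 => 'Publisher',
    24 => 'Administrator', 25 => 'Super Administrator', 29 => 'Public Frontend',
);

// Split the Group Map text into entries and collect per-line format problems.
function parseGroupMap($text, array $knownGroups)
{
    $entries = $problems = array();
    foreach (preg_split('/\R/', $text) as $i => $line) {
        $n = $i + 1;
        $line = trim($line);
        if ($line === '') { continue; }
        if (!preg_match('/^([^;]+);(\d+);([^;]+);(\d+)$/', $line, $m)) {
            $problems[] = "line $n: expected DN;gid;group name;priority";
            continue;
        }
        $gid = (int) $m[2];
        if (isset($knownGroups[$gid]) && $knownGroups[$gid] !== $m[3]) {
            $problems[] = "line $n: gid $gid is '{$knownGroups[$gid]}', not '{$m[3]}'";
        }
        $entries[] = array('line' => $n, 'dn' => $m[1], 'gid' => $gid,
                           'name' => $m[3], 'priority' => (int) $m[4]);
    }
    return array($entries, $problems);
}

// Lower-cased dc= components of a DN (escaped commas are not handled).
function dcSuffix($dn)
{
    preg_match_all('/(?:^|,)\s*(dc=[^,]+)/i', $dn, $m);
    return strtolower(implode(',', $m[1]));
}

// Lines whose dc= suffix differs from the most common suffix in the map.
function suffixOutliers(array $entries)
{
    if (!$entries) { return array(); }
    $suffixes = array_map(function ($e) { return dcSuffix($e['dn']); }, $entries);
    $counts = array_count_values($suffixes);
    arsort($counts);
    $majority = (string) key($counts);
    $out = array();
    foreach ($entries as $k => $e) {
        if ($suffixes[$k] !== $majority) {
            $out[] = "line {$e['line']}: suffix '{$suffixes[$k]}' differs from '$majority'";
        }
    }
    return $out;
}

// Exact, case-sensitive DN comparison (the thread notes matching is case
// sensitive); case-only differences are reported as warnings.
function resolveGroup(array $entries, array $memberships)
{
    $best = null;
    $nearMisses = array();
    foreach ($entries as $e) {
        foreach ($memberships as $dn) {
            if ($dn === $e['dn']) {
                if ($best === null || $e['priority'] > $best['priority']) { $best = $e; }
            } elseif (strcasecmp($dn, $e['dn']) === 0) {
                $nearMisses[] = "line {$e['line']}: differs only by case from '$dn'";
            }
        }
    }
    return array($best, $nearMisses);
}

// Group Map lines as posted in the thread.
$map = <<<'MAP'
cn=users,cn=groups,dc=ldap,dc=company,dc=com;18;Registered;10
cn=team,cn=groups,dc=company,dc=com;21;Publisher;50
cn=supervisor,cn=groups,dc=cmopany,dc=com;24;Administrator;90
cn=admin,cn=groups,dc=ldap,dc=company,dc=com;25;Super Administrator;100
MAP;

// Constructed sample: group DNs returned by the directory for one user.
$memberships = array(
    'CN=Users,cn=groups,dc=ldap,dc=company,dc=com',
    'cn=team,cn=groups,dc=company,dc=com',
);

list($entries, $problems) = parseGroupMap($map, $knownGroups);
list($best, $nearMisses) = resolveGroup($entries, $memberships);
foreach (array_merge($problems, suffixOutliers($entries), $nearMisses) as $msg) {
    echo "WARN  $msg\n";
}
echo 'MATCH ', $best ? "{$best['name']} (gid {$best['gid']})" : 'none', "\n";
```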

sx_codank
Joomla! Apprentice
Posts: 12
Joined: Fri Nov 20, 2009 7:51 pm

Re: LDAP Group Mapping

Post by sx_codank » Wed Dec 02, 2009 3:09 am

So I got the basic LDAP auth to work. Now I'm trying to map my AD groups to Joomla groups.

I installed plgUserSourceLDAP and tried to test it in JDiagnostic. At first I was getting user not found and now it doesn't return any results.

I installed the JAuthTools Synchronization Plugin but when I enable it, my website disappears.

I've been reading all these threads but I'm still not clear on what I need to have to get the group mapping to work.

fmarvel
Joomla! Apprentice
Posts: 6
Joined: Mon Oct 19, 2009 4:17 pm

Re: LDAP Group Mapping

Post by fmarvel » Wed Dec 02, 2009 5:50 am

pasamio wrote:@fmarvel: The session munging was historically an issue with multiple SSO hits on the same time when session replacement mode is enabled. Can you dump a full copy of your params for the System SSO plugin (grab the id from the right hand side of the plugin manager and use the param dumper in jdiagnostic to get a copy of it) ?
Pasamio: I cannot go anywhere inside the administration site. On the front end I can go anywhere. It shows me that I am logged in. When I clicked on administrator under the resource menu, it took me to the administrator site and showed me all the menus; obviously it logs me in as an administrator http://www.finalmarvel.com/canhnam/imag ... emp/p3.png. But from there if I try to go anywhere, like plug-in manager, etc., it will prompt me to log in. I type in my login and it won't take it. I typed in admin (which used to work), and it doesn't take it.

However, I managed to find something here. That is the cache.
I tried to look through the code and found that there is an object of type JCache that gets created every time a document is requested. The JCache object takes an argument called options. Options is an array, in which there is an element called caching. I notice that when I browse around any document that is open to the public, after logging in, the value of options['caching'] is 1, and it shows the page with no problem. But when I hit a page that requires login, this value becomes 1, and it shows a log out page (See link http://www.finalmarvel.com/canhnam/imag ... emp/p1.png). I think this happens to the administrator site also. The home page must have caching=1, and it shows ok. But when it's 0, it shows the login page. My interpretation is that, somehow, the cache does not store the login information correctly. I still have to go through the code to understand it. If you know anything about this, please help me to understand a little more. Below is the dump of the options array that JCache uses.

JCache::store... _options: Array
(
[defaultgroup] => mod_mainmenu
[cachebase] => C:\Inetpub\wwwroot\blog\cache
[lifetime] => 900
[language] => en-GB
[storage] => file
[caching] => 0
)

sx_codank
Joomla! Apprentice
Posts: 12
Joined: Fri Nov 20, 2009 7:51 pm

Re: LDAP Group Mapping

Post by sx_codank » Wed Dec 02, 2009 4:32 pm

I got the group mapping to work but I still can't log in as super administrator.

When I turn on the JAuthTools Synchronization Plugin, my website still disappears.

Let me know if knowing my settings will help.

sx_codank
Joomla! Apprentice
Posts: 12
Joined: Fri Nov 20, 2009 7:51 pm

Re: LDAP Group Mapping

Post by sx_codank » Wed Dec 02, 2009 5:32 pm

I figured out I was missing the usersource.php library but I still can't log in as super admin.

--------------
This is what I have:

Authentication - LDAP : disabled
Authentication - Advanced LDAP : enabled
-- Enable User Source Sync : yes
System - JAuthTools Synchronization Plugin : enabled
-- Demote Users : yes
User Source - LDAP : enabled

JDiagnostic confirms both Authentication - LDAP and User Source - LDAP are working.
When I use JDiagnostic - User Source Checker and check "Attempt Autocreation", the user is created in the appropriate group. However, when the user logs in through Joomla, they are created as "Register". Why?

