JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

barnic
Joomla! Apprentice
Posts: 14
Joined: Fri Oct 03, 2008 12:13 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by barnic » Thu Nov 03, 2011 7:36 am

ShMaunder wrote: @barnic
I don't understand how your authentication is working if your connect user and password are wrong. Don't forget the connect user needs to be a full DN or like [username]@DOMAIN for AD.
:D :D :D
[username]@DOMAIN for AD
:D :D :D

With the last left indication you solved my problem!
Entering as a "connect user" [email protected] works perfectly.
I tried with your debug (1.0.3 and 1.0.4) and I can have all the information available.

Now I look forward to the new release, that can take all the groups for each user, without skipping the first main group.

Thanks again for your valuable work!!!

taenny
Joomla! Fledgling
Posts: 1
Joined: Thu Nov 03, 2011 1:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by taenny » Thu Nov 03, 2011 1:58 pm

Just finished configuring the plugin and everything works perfectly with AD + Group Mappings ...

THANKS A LOT for this great plugin!! :)

Something I stumbled upon (but I might have missed it in the documentation):
I forgot to escape special characters in my groupnames with a "/".
Wrong: ##-mygroup
Correct: /#/#-mygroup

Keep on with the good work!

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Thu Nov 03, 2011 11:28 pm

@taenny
Cool. I will add this to the documentation.

@barnic
This is probably my fault. I haven't escaped special characters before posting for debug results. I've just had an email with exactly the same problem.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Fri Nov 04, 2011 2:08 am

OK, LDAP debug version 1.0.5 is now up. This hopefully fixes the escape issue.

Link is http://shmanic.com/tool/jmapmyldap/?id= ... bug-method


@barnic
Sorry for being a pain. But can you test again :D thanks. I want to make sure that primary groups is the issue here.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

barnic
Joomla! Apprentice
Posts: 14
Joined: Fri Oct 03, 2008 12:13 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by barnic » Fri Nov 04, 2011 7:26 am

ok, tested.
I use debug with many different users.
Primary group never appears.
So, users who are in only one group, are inserted only in "registered".

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Fri Nov 04, 2011 7:56 am

Cool, OK. Good result that the debug is now working.

I've been investigating the primary group issue; it's not easy. Two methods that are most feasible are:

1) Reading in the DN and primaryGroupToken of every group in the tree (cannot filter primaryGroupToken), then comparing against the user's primaryGroupID. Pros: Easy to code and reliable. Cons: This is really really bad in terms of efficiency.

2) Rebuilding the objectSid. Pros: only 1 extra search. Cons: I don't fully understand it: I do have kind of a working prototype but I don't know if this works in every environment and exactly how reliable it is. Also, no idea what happens with cross domain primary groups (or even if that is possible).

If anybody has insight on this, please do post.

I'm not going to be around for a few days - I have some other work that needs completing.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
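
Option 2 in the post above (rebuilding the objectSid) can be sketched as follows. This is an added example, not ShMaunder's prototype or JMapMyLDAP code; it assumes the primary group is in the same domain as the user, and the function names and the sample SID are constructed for illustration.

```python
import struct

# Binary objectSid layout: 1 byte revision, 1 byte sub-authority count,
# 6 bytes identifier authority (big-endian), then count * 4-byte
# sub-authorities (little-endian). The last sub-authority is the RID.

def parse_sid(raw):
    """Decode a binary objectSid into (revision, authority, [sub-authorities])."""
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = list(struct.unpack("<%dI" % count, raw[8:]))
    return revision, authority, subs

def pack_sid(revision, authority, subs):
    """Encode the parts back into the binary objectSid form."""
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_to_string(raw):
    """Render a binary SID in the familiar S-1-5-21-... notation."""
    revision, authority, subs = parse_sid(raw)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def primary_group_sid(user_sid, primary_group_id):
    """Swap the user's RID for primaryGroupID to get the group's SID.

    Assumption: the primary group is in the user's own domain, so the
    domain part of the SID (everything except the last RID) is shared.
    """
    revision, authority, subs = parse_sid(user_sid)
    if not subs:
        raise ValueError("SID has no RID to replace")
    if not 0 <= primary_group_id <= 0xFFFFFFFF:
        raise ValueError("primaryGroupID out of range")
    return pack_sid(revision, authority, subs[:-1] + [primary_group_id])

def sid_filter(raw):
    """LDAP filter matching one objectSid, every byte escaped as \\xx."""
    return "(objectSid=" + "".join("\\%02x" % b for b in raw) + ")"

# Constructed sample values (not taken from any real directory).
USER_SID = pack_sid(1, 5, [21, 1111111111, 2222222222, 3333333333, 1105])
PRIMARY_GROUP_ID = 513  # the user's primaryGroupID attribute

if __name__ == "__main__":
    group_sid = primary_group_sid(USER_SID, PRIMARY_GROUP_ID)
    print(sid_to_string(USER_SID))
    print(sid_to_string(group_sid))
    # The one extra search: look up the group entry by this filter.
    print(sid_filter(group_sid))
```

Escaping every byte keeps the filter valid whatever values the SID contains, and the length check rejects a truncated attribute value instead of producing a filter for the wrong group.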

barnic
Joomla! Apprentice
Posts: 14
Joined: Fri Oct 03, 2008 12:13 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by barnic » Fri Nov 04, 2011 8:13 am

I don't know what is involved in the primary group.
The solution (bypassing the problem) may enter all users in a new group "xyz" and set it for all as primary..........
This can be good for me that I manage an intranet with a single domain and with less than 100 users

veljabg
Joomla! Fledgling
Posts: 1
Joined: Fri Nov 04, 2011 4:40 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by veljabg » Fri Nov 04, 2011 4:48 pm

Development version 2 sounds great, particularly:
  • Front end component + module for password changes
Also, is there a "Donation" link for those extra excited by your plugin? Your topic has gone from 1-page-slow-going to 3-page-fast-explosion, I guess that people are very happy to use it.

agiles2303
Joomla! Apprentice
Posts: 22
Joined: Mon Dec 14, 2009 6:54 am

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by agiles2303 » Wed Nov 09, 2011 3:50 pm

@ShMaunder

I emailed you with a request before, and I figured it may be more beneficial to post it on these forums.

In the JMapMyLDAP Authentication Plugin
  1. Under Mapping Attributes - Instead of using one attribute to hold the full name, I would like to be able to combine two attributes. Each separately holding first name and last name. Our AD holds the full name attribute as (Last Name, First Name), which isn't appealing when viewing employee names on the frontend.
  2. Under Mapping Attributes - Get AD user attributes General Tab->"Office" "Telephone", Organization Tab->"Job Title" so that they can be mapped to JomSocial attribute fields.
In the JMapMyLDAP User Plugin
  1. Under Group Mapping - Instead of pointing to an AD group, I want to map a user to a Joomla Group based on the AD User Attribute "Department". This value is returned in the ldapdebug.php file.
  2. Check to see if a Joomla group with this "Department" title exists. If not create new Joomla group with that title. If does, add user to this Joomla group if not member.
  3. Check to see if a JomSocial group with this "Department" title exists. If not create a new JomSocial group with that title. If does, add user to this JomSocial Group if not member.
I'm not a PHP wizard, but I am comfortable doing coding like this myself. I'm just having trouble understanding exactly how you coded these plugins and where certain variables are located to make these customizations myself.

ckozler
Joomla! Apprentice
Posts: 5
Joined: Wed Nov 02, 2011 5:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ckozler » Wed Nov 09, 2011 8:03 pm

ShMaunder wrote: @ckozler
If you go to your phpLdapAdmin search, then type into the search filter membersUid=ckozler does it come back with result(s)? Also, did the "Sync Name" work or not? If it didn't then the whole plug-in is broke anyway.

Yes, searching for memberUid=ckozler returns all of the groups I am a part of - this is progress?

Can you better suggest a configuration method now?

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Wed Nov 16, 2011 7:58 pm

First off: This plugin is perfect for what I need and am really excited for the potential this has opened up.

Back story: Had the webmaster for the place that I work quit unexpectedly. The system we have now is a cluster...mess. All of that will be resolved with this plugin :D

I am using 1.0.4 LDAP. I imported the zip into Joomla 1.7.3 and everything seemed to go well.

I configured the authentication plugin correctly and verified it with the LDAP Debug page and got all my user information correctly.

Image

(had to edit website :P)

I know the mapping info is correct because I copied/pasted from the LDAP PHP Debug page (from the memberOf section).

I save it, enable it, and try to log in with that same username and password that I logged into the LDAP Debug page with and Joomla gave this error:

"User does not exist
You do not have access to the administrator section of this site."

Any ideas on how to fix this?


edit: I forgot to mention that 8 is the default super user group

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Fri Nov 18, 2011 8:30 pm

Sorry that I've not been around as of late. University course and driving lessons are currently taking up my life.

I will be more free after Wednesday next week. I will then get a move on with a first alpha of version 2 which is already pretty much ready to go.

I will quickly take a stab at the help requests above:

@veljabg
The password change plug-in should come about soon. Alpha 1 of version 2 won't have this as I'm trying to figure out the best implementation for most LDAP platforms. Currently for version 2, I have a basic config component, group mapping plug-in and profile plug-in. As for donation links - there are none :p

@agiles2303
Oh yes, I remember. I thought I wrote you a reply to the best place you could "hack" it in version 1. OK, maybe not. If you could wait a bit longer, then most of these requests should be easier in version 2.

@ckozler
Did you manage to get it working? I'm trying to skim over this thread very quickly to remember exactly what was going on and what I was trying to do, but am failing at the moment.

@sittal
This could be a bug. I remember discovering something very weird when logging on to the backend when it was either a new user or if a specific group is promoted. This is why the manual user batch sync will come about in version 2. Please try:
-Try to login into the frontend first, then try the backend. Does it work as intended?
-If you disable the user plugin then can you then successfully login?


Hope this kinda helps some people :)
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Fri Nov 18, 2011 8:40 pm

I can log into the front end with the plugin enabled AND disabled.

With the plugin enabled I:

Logged into the front end successfully and then tried to log into the admin section and got this error:

You do not have access to the administrator section of this site.
You do not have access to the administrator section of this site.

With the plugin disabled, I logged into the front end successfully and when I tried to log into the admin section:
Username and password do not match or you do not have an account yet.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Fri Nov 18, 2011 9:35 pm

You should be able to use the same credentials on both front and back ends without authentication errors. I will need to test J! 1.7.3 in case a change in regards to authentication has been made. Taking a look at the changelog doesn't suggest any such changes. I have no spare time until some deadlines have passed on Wednesday to look into this.

Assuming for the moment that 1.7.3 hasn't broken anything. Is your "User - Joomla!" plug-in still enabled with auto-create switched on? Are the authentication and user plug-ins access levels set to 'Public'? Is the "User - Joomla!" ordered last (not that it should affect authentication)? Are your LDAP based users being stored in Joomla's User Manager?

Edit: also, try to only include your group initially in the group mapping like CN=lala:8 - this also shouldn't affect anything if you've copy and pasted from the ldapdebug
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Fri Nov 18, 2011 9:55 pm

I appreciate your help, take your time :P

Assuming for the moment that 1.7.3 hasn't broken anything. Is your "User - Joomla!" plug-in still enabled with auto-create switched on?

Yes

Image

Are the authentication and user plug-ins access levels set to 'Public'? Is the "User - Joomla!" ordered last (not that it should affect authentication)?

Yes
Image


Are your LDAP based users being stored in Joomla's User Manager?

No, on a dedicated AD machine many many miles away.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 2:11 pm

OK, it looks like you're being logged on with Joomla's guest. This happens when auto registration is either not allowed or is failing. Guest is not allowed to log on to the backend at all. After you've logged into Joomla through LDAP, a new Joomla user for that user should appear in Joomla's user manager.

This could be a range of problems. Firstly, can you enable system debugging in the global config then try to login again.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Mon Nov 21, 2011 2:45 pm

After some more testing: When you log into the front end, it creates a user in the registered group (id = 2). However in the group mapping (screenshot above) it is supposed to be group 8. I tested this by having someone log into the admin section and someone else log into the front end section of the site. Only the people that logged into the front end (successfully) were able to have created accounts. But they are still only in the 'registered' group.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 2:58 pm

I will test the backend registration in a minute - this might be the bug I was describing earlier.

Can you try more than one LDAP group initially and see if anything is mapped. Also try more than one Joomla group as well. Maybe something like:

CN=somegroup : 4,8
CN=somegroup1 : 4,8

If none of the above are mapped then it is defo a problem with the plug-in rather than it being a Joomla problem.

I will get on with testing 1.7.3 and will report any bugs I find here.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Mon Nov 21, 2011 3:10 pm

Logging in from back end = does not work. (edit for clarification - does not create user at all)

Logging in from front end = works, sort of.

It gave the front end user both roles I assigned in the mapping list AS WELL AS 'registered' which is what it defaulted to in the first place.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 3:33 pm

Backend doesn't register users - confirmed. All first time logins must be done on frontend. I kind of knew it didn't work but forgot to list it as a known bug. I will see if there are any fixes, though if I remember, Joomla misses a few steps out in the backend authentication.

1.7.3 doesn't appear to have caused any further problem from previous releases.

OK, so it works fine on the front end now ?
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Mon Nov 21, 2011 3:37 pm

ShMaunder wrote:Backend doesn't register users - confirmed.
:D Oh!


Well then I think this is all we can do then. I'll keep an eye on this thread if that gets resolved by you or Joomla!

Thanks again.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 3:40 pm

OK, I have a few spare hours today. If I find a way to resolve it then I'll get this patch out tonight and the other few I have in the bug tracker into V1.0.5
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Mon Nov 21, 2011 3:43 pm

It's not a big deal to me. I still have to get HR to approve the template and my graphic designer to get everything around, take your time and enjoy the holidays.

edit: I see you are from the UK, pretend it's a holiday!

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 6:32 pm

^^ I got my driving theory test tomorrow morning, so no holidays for me :D

I've got a fix. It involves adding another two more options to auto registration so we have:
Inherited - No (if no other plug-in/routine has set registration, set it to no)
Inherited - Yes (default - if no other plug-in/routine has set registration, set it to yes)
Override - No (set it to no)
Override - Yes (set it to yes)

Currently, the yes means "Inherited - Yes". If you want to be able to register on backend then use "Override - Yes". Joomla has a hard set value earlier in the authentication so that it doesn't register on the backend therefore, the need to override.

I will have to bring this across to version 2 even though it doesn't use a dedicated user plug-in.

I will add to bug tracker, test other bug tracker items then release a new version hopefully tonight.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Mon Nov 21, 2011 6:38 pm

Sounds very good! Thanks for your hard work.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Mon Nov 21, 2011 10:57 pm

I'm away for less than an hour and all the J! sites have changed style. Very nice J! except those font sizes :p

Anyway, version 1.0.5 released with some SSO improvements and fixed back-end registration. If I don't get any problem reports from people within a week about this version, I will bump up the auto updater version as well so everyone will get updated.

I won't be around now until at least Wednesday :)

Edit: oh and to add, I will add my method of detecting primary AD groups to ldapdebug for people to test later this week. This will probably be for version 2+ only due to its 'hackiness'.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sittal
Joomla! Apprentice
Posts: 10
Joined: Wed Nov 16, 2011 7:38 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by sittal » Tue Nov 22, 2011 2:16 pm

I'm glad you mentioned the font sizes, lol. I was pressing ctrl+0 to make the text normal size :)

I can confirm that 'Override - Yes' works.

This is 110% what I need. Thanks man! If this app goes commercial, we'll purchase a license.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by ShMaunder » Tue Nov 22, 2011 8:11 pm

sittal wrote:This is 110% what I need. Thanks man! If this app goes commercial, we'll purchase a license.
No problems :) The main framework will never go commercial (this also includes mapping, profile, password plug-ins and admin component from V2). The only future plug-ins that *may* be commercial are any version 2 plug-ins that are specific to other commercial extensions.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

forkman
Joomla! Fledgling
Posts: 2
Joined: Mon Dec 05, 2011 12:08 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by forkman » Mon Dec 05, 2011 12:16 pm

Thanks for this amazing set of plugins! I have only one problem with it on our intranet site using AD authentication. It seems every user who is logging in to the Joomla site has to have rights to log in to the domain controller (host configured in plugin settings) too (userWorkstations attribute). Our domain admin can't grant access to all users to the domain controller. So I would like to ask if there is any possibility to make this amazing plugin work in my case.
Thanks in advance.

trgriffith
Joomla! Fledgling
Posts: 1
Joined: Mon Dec 12, 2011 5:39 pm

Re: JMapMyLDAP - LDAP Group Mapping for 1.6 / 1.7

Post by trgriffith » Mon Dec 12, 2011 5:47 pm

I've been working on this for 2 days....I'm at my wits end.

Internal DCs and I've got one NAT'ed to a public IP with (for now) all ports open. My website is hosted externally and I need it to connect to LDAP to verify and create new users that we stored in LDAP on a Win2003 AD server.

This is what I'm getting with the below settings. I've tried changing it to the internal IP with no luck.