Joomla 1.6 Active Directory Group Mapping

gshukert
Joomla! Fledgling
Posts: 2
Joined: Thu May 21, 2009 10:40 pm

Joomla 1.6 Active Directory Group Mapping

Postby gshukert » Sat Mar 05, 2011 12:47 am

I need help mapping my Active Directory Groups with Joomla groups. I was able to configure the Joomla LDAP Authentication no problem and I can login as any user in my AD. However, I can't figure out how to map the groups. I see plenty of tools for 1.5 like JauthTools but do they work in 1.6? Also, I thought this would be native in 1.6. I'm hoping this is simple and a major oversight on my part. Thoughts???

kenners2k
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 17, 2011 10:56 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby kenners2k » Thu Mar 17, 2011 11:00 am

I am in the same situation!

Please can someone let us know if JauthTools work on Joomla 1.6 or how to set up group mapping on Joomla 1.6.

Thank you in advance

webmunki
Joomla! Apprentice
Posts: 11
Joined: Fri Apr 24, 2009 7:42 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby webmunki » Thu Mar 17, 2011 2:43 pm

I am looking for a solution for this as well. With the LDAP plugin I can authenticate users against a Domino server (no kidding) w/o a problem and the users are created in Joomla as simple registered users. Thing is, I'd like to tie Domino groups to Joomla user groups so I can control content.

kenners2k
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 17, 2011 10:56 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby kenners2k » Thu Mar 17, 2011 3:20 pm

Yes webmunki, that is exactly where I am up to. Got the built-in LDAP authentication working perfectly but it only puts new users in the registered group and not the custom AD groups.

Someone please help!

Also, has anyone got it so it detects the user that is logged onto the PC being used and logs them in automatically to the Joomla site?

webmunki
Joomla! Apprentice
Posts: 11
Joined: Fri Apr 24, 2009 7:42 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby webmunki » Thu Mar 17, 2011 3:37 pm

I may have to simply "log in" my Lotus Domino users then manually assign them to joomla groups until a solution for group mapping in 1.6 can be found.

kenners2k
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 17, 2011 10:56 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby kenners2k » Thu Mar 17, 2011 4:14 pm

I simply can't do this as we have over 600 users that are going to be using our intranet site.

webmunki
Joomla! Apprentice
Posts: 11
Joined: Fri Apr 24, 2009 7:42 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby webmunki » Thu Mar 17, 2011 7:32 pm

My scenario is not quite as extreme. This instance of joomla will be for external product distributors (only 79 or so). Each distributor distributes varying products so as they authenticate I wanted to only show them the product updates/info that would apply to them.

gshukert
Joomla! Fledgling
Posts: 2
Joined: Thu May 21, 2009 10:40 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby gshukert » Mon Mar 21, 2011 4:00 pm

kenners2k - you are asking about Single SignOn? That would have been my next question.

kenners2k
Joomla! Fledgling
Posts: 4
Joined: Thu Mar 17, 2011 10:56 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby kenners2k » Mon Mar 21, 2011 4:05 pm

No, we have 600 users with roaming profiles who can log on anywhere on the site.

cpmnet
Joomla! Apprentice
Posts: 9
Joined: Mon Mar 21, 2011 11:28 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby cpmnet » Tue Mar 22, 2011 11:24 pm

I am working on this same issue for my work.

What we had to do (so far) is to add extra code to the existing LDAP authentication plugin. The built-in one did not work with our infrastructure, so a new one was written based on it (since the built in is based on JAuthTools, which didn't work for us with 1.0, 1.5, and now 1.6, this wasn't a surprise).

Some of the big issues that we've run into:

LDAP module and library have a big functional issue. There is no way to limit the fields that are returned. So when you do, say, a search with a basedn of ou=groups,etc, it actually pulls back everyone in all groups that are returned. My LDAP admin yelled at me for this one and called joomla 'dumb' (since this plugin needs to be able to handle 30,000-60,000 users, and users may have many groups, this can create a problem very quickly). It is an easy code fix. Right now, this adds in an annoying delay and ends up wasting nearly all of the data returned.

Solution will be to handle the LDAP connection in the plugin. Which I've been lazy about doing. But this part is straight out of the tutorial. I'd prefer something in joomla.client.ldap, it would be cleaner and I could reuse the connection from when I verified the user. I do not want to change anything in the joomla package, if it can be avoided.

User functions exist to get all Joomla groups a user is in -- by ID. There is no built in way I've found to map a name to a Joomla group ID. There is a function to get a user ID by username, and to add or remove a userID from a group ID. If you want your LDAP to be the authority though, you need to compare the list of groups they are in to the list of groups your LDAP says they can be in, then check groups LDAP says they can be in against groups that exist. Then add or remove as appropriate.

In short, there is no plugin to handle this yet that I could find. Most of the progress has been made by digging through Joomla's own admin code, especially the administrator/components/com_users stuff. It should be doable in a reasonable amount of time. Someone recently turned me on to a plugin that lets you show different info in an article to different groups. Combine the two and you really have something neat to play with.

Tonygetz
Joomla! Fledgling
Posts: 4
Joined: Tue Jan 18, 2011 5:12 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby Tonygetz » Fri Jul 01, 2011 1:37 am

Hi Guys,

I'd like to join this discussion. This is also an important task for me that I need to resolve in the next few weeks.

@cpmnet have you made any further progress?

cpmnet wrote: Someone recently turned me on to a plugin that lets you show different info in an article to different groups. Combine the two and you really have something neat to play with.


Can you let us know what plugin(s) you are referring to?

I found these guys http://www.ioplex.com/plexcel.html however their Joomla! 1.5 plugin is not compatible with 1.6 and they said they rely on 3rd parties to keep their plugins up to date (i.e. they are not going to write a new plugin for 1.6 - but someone else can).

Looking forward to finding a solution :)

Best regards.

cpmnet
Joomla! Apprentice
Posts: 9
Joined: Mon Mar 21, 2011 11:28 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby cpmnet » Fri Jul 01, 2011 4:13 am

I forget what plugin that was in reference to at the moment. Sorry about that.

I did indeed find a solution. But it is not what I would call production ready. Since I was paid to do this work on someone else's time, I also can't just post the code. Not that it would actually work since we use an external SSO system that required creation of a system and an auth plugin.

Being a holiday weekend, I don't really have a ton of time to write a reply, so here is what I sent to someone else a few weeks ago on this same topic.

I did indeed come up with a solution that works. It doesn't work great,
and has only been tested on whatever LDAP software we use at work (which is
not ActiveDirectory). It is not currently being used beyond a testing
environment.

Since we use a single-sign on and want to force a login when the user first
hits the site, the built in system plugin was not enough. So a new system
and authentication plugin were written -- well they were upgraded from the
1.5 version.

The logic isn't that hard. The problem is that the built in joomla
functions are either undocumented or missing. For example, the
ldap->search() function will just return all fields. For groups, depending
on configuration, each group can return a few hundred or even a few
thousand results, depending on how large your organization is. Then adding
a user to a group isn't obvious either. joomla.user.helper was the obvious
choice, but that gave me a bunch of permission errors, so it couldn't be
used.

So here is what I did --

Get the user ID. $myUserID = getUserId('theusername');
Get some distinct name (maybe the username?) then run the ldap query on
that -- you'll need to set up your own filter (uniquename=the username) and
your group base DN. The php manual should be able to help you through this
-- http://php.net/manual/en/ldap.examples-basic.php.

Then I did a query on the DB to get a list of all group names. My code is
at work right now so I don't have exactly how that is done. But if you
look in the code behind the user admin screen, a lot of it is there.

After this, you have to compare the names. Using the LDAP as the master
list, compare the groups in the DB and build a list of group IDs the user
should have. The names don't mean much outside of the UI.

Then, get a list of groups the user has according to joomla.
$groupsUserHasInDB = getGroupsByUser($myUserID, false) ;

Then, compare the groups user has in db to what LDAP says they should have,
remove or add appropriately. Be careful of group ids under 12 since those
are built in and you don't want to accidentally delete your own admin
access while writing it.

The tricky part is actually adjusting the group membership. I had problems
with the built in functions, so I just did a db query on the table. I
forget the name, something like jos_group_map. There are two fields,
userid, groupid. Insert or delete as appropriate.

As to writing a new plugin, if the current one works for you, I would just
modify it. I was surprised at first that no one had contributed code.
Hope that gets you started.


If I had a few weeks or something, I could probably come up with a much better solution. Just haven't had the time.

Tonygetz
Joomla! Fledgling
Posts: 4
Joined: Tue Jan 18, 2011 5:12 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby Tonygetz » Fri Jul 01, 2011 4:33 am

Thanks for writing back so quickly.

I'm looking to integrate into Active Directory, do you think this will pose additional issues or should it be easier?

We can chat about it more next week if more convenient.

I'm also seeking someone who can help me with the technical implementation of this so any recommendations (yourself included) would be appreciated.

Kind regards.

VegardAa
Joomla! Intern
Posts: 89
Joined: Wed Oct 28, 2009 12:14 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby VegardAa » Fri Jul 01, 2011 10:53 am

I'm in the same situation..

We've got over 70 OUs (we've got over 70 portals), each OU has groups in them (manager, admin, superadmin). This works great on 1.5 with LDAP. But with 1.6 or 1.7.. Well, I don't know what to do. I can't migrate to 1.7 before I've figured this out.

Somebody MUST make a plugin for this to work in 1.7. I know we would gladly pay for a solution..

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Sat Jul 02, 2011 7:43 pm

I've been trying to achieve this with a plugin I created called JMapMyLDAP (link in signature). It is in very early alpha stages and hasn't had much testing. I've just completed the installation and configuration guide for it. It is a free package, and always will be.

Do bear in mind, this is my first Joomla extension - and I'm still getting used to the API.

If you want, go ahead and try it - report back :)

I will submit it to the Joomla extensions directory once I'm satisfied it has been tested enough.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

gwilson_aus
Joomla! Apprentice
Posts: 9
Joined: Fri Jun 24, 2011 6:12 am

Re: Joomla 1.6 Active Directory Group Mapping - testing

Postby gwilson_aus » Mon Jul 04, 2011 4:51 am

I've been testing the JmapMyLDAP ldap plugin at http://shmanic.com/tool/jmapmyldap/?id=2
No luck so far. I've used exactly the same ldap settings that are working for Active Directory with the built-in ldap plugin but haven't been able to login successfully yet.
One problem I'm having is that even though I've left the Joomla Auth plugin enabled AND an admin session logged in from a different web browser, once I've enabled the JmapMyLDAP plugin I can no longer get in to the Admin back end - even using the Joomla passwords. It also disconnects my other browser's session so I have no option other than to restore the Joomla database from a backup and try again.
I'll check the Apache logs for any ldap errors and keep trying.
Cheers,

Greg.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Mon Jul 04, 2011 1:33 pm

Sorry it hasn't worked. My guess is the library hasn't been found and is causing it to crash even though I did a class defined. OK, I will test what happens without a library and make any suitable changes. Otherwise, the authentication plugin is exactly the same as the built-in one.

What order is the authentication in as well? I would have thought if the Joomla auth plugin comes first then it shouldn't touch the LDAP plugin if the authenticating user is a Joomla account.

I'm going to be uploading a rewrite of nearly everything later as the code in the current version is hard to follow and not particularly nice.

Edit: Can you check that the following file is present joomla\libraries\shmanic\jmapmyldap.php - I'm trying to put in extra handlers to ensure if this file is missing it says the library is missing instead of a PHP error.

I'm also going to attempt to write this package to work without the extra authentication plugin (this will be optional) - though it will create unnecessary extra work for the LDAP server.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

gwilson_aus
Joomla! Apprentice
Posts: 9
Joined: Fri Jun 24, 2011 6:12 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby gwilson_aus » Tue Jul 05, 2011 2:39 am

joomla\libraries\shmanic\jmapmyldap.php exists.

Ordering the auth plugins has helped. Although I still haven't got the Jmapmyldap working at least now I can still login with the Joomla auth.

I'm running Joomla on a MS Windows server 2003 in a WAMPserver environment. Joomla ldap auth is working fine when enabled.

I'm currently getting the following errors from the jmapmyldap plugin:

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\plugins\authentication\jmapmyldap\jmapmyldap.php on line 157

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 33

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 53

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 86

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 136

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 198

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 301

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 304

Deprecated: Call-time pass-by-reference has been deprecated in C:\wamp\www3\libraries\shmanic\jmapmyldap.php on line 318

I can provide screenshots with detailed troubleshooting info if they'd help.

cheers,

Greg.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Tue Jul 05, 2011 2:56 am

Oh wow haha. I haven't turned on E_ALL and didn't realise that the way I've been doing pass-by-reference is now deprecated. Note: deprecated items shouldn't be halting the execution unless you've set up php.ini like that?

Well, at the moment there has been a mega rewrite of nearly everything. cpmnet's posts above made me realise that there are some problems with the current built-in LDAP - so I've overridden its search() to allow only specific fields to be returned on a search.

OK, I'm going to stop what I'm doing for the time being, remove debug code - and wrap it up into a temporary package. This new package will only require the setup of the plugin 'User - JMapMyLDAP' whilst you can use the native Joomla LDAP authentication plugin. Give me a little while then I'll reply back with some instructions.

<self snip - old stuff>
Last edited by ShMaunder on Tue Jul 05, 2011 11:30 pm, edited 1 time in total.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Tue Jul 05, 2011 11:19 pm

Just got version 0.17 out of the door and onto the website http://shmanic.com/tool/jmapmyldap/?id=2 - though this currently doesn't have any documentation. Been working pretty hard at this for the past few days and this is the first time I'm feeling confident about it. I do remind people that this is alpha stuff, and not ready for production use. Biggest changes in this version include:
    Group recursion with forward and reverse lookups
    Works well with the inbuilt LDAP plugin, therefore, I've removed my authentication plugin from the downloads
    Group recursion uses an extended improved LDAP search method to restrict fields (see cpmnet's posts above)

As there isn't any documentation, I'll run through a few steps here:
1. Download and install http://shmanic.com/tool/jmapmyldap/file.php?name=pkg_jmapmyldap.zip. Anybody upgrading will lose their group mappings - so be sure to copy and paste them out before proceeding. Also do be sure to disable any previous JMapMyLDAP authentication plugins.

2. Enable and configure the inbuilt Joomla 'Authentication - LDAP' plugin. Make sure you test it before proceeding. Lots of help can be found configuring this plugin on the internet and over at the guide on the site.

3. Enable and set order to last the 'User - JMapMyLDAP' plugin.

4. Configure the 'User - JMapMyLDAP' plugin with something like this:

Basic Settings
Leave everything in here as default.
Authentication type: LDAP.
Authentication plugin: ldap.

Group Mapping
Use Group Mapping - Yes
Allow Additions - Yes
Allow Removals - Yes & Default Managed
MemberOf Attribute: memberOf (I think it's the same across the board for systems that support it?)
Recursion Type: try Disabled at first. Then if that works, set it to Forward Lookup - this will enable group nesting to be detected.
Recursion Search: I have only figured out ones that work for AD. Forward lookup use: &(distinguishedName=[search]). Reverse lookup use: &(objectClass=group)(member=[search]).
Group Mapping List: well, I've covered this in the last post and it's also on the guide on the site.

Edit: just seen I've been told off for URLs in signature. Hope this doesn't get flagged for self promotion :s
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
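
An added example (not code from JMapMyLDAP or Joomla) of two things the settings in this post rely on: filling the `[search]` placeholder with a value escaped per RFC 4515, since a DN may contain `(`, `)`, `*` or `\`, and asking the server only for the attributes that will be read, the restriction cpmnet asked for earlier in the thread. The function names, the sample DN and the fully parenthesised filter templates are assumptions.

```php
<?php
// Added example, not JMapMyLDAP or Joomla code; function names are hypothetical.

/**
 * Escape a value for use inside an LDAP search filter (RFC 4515).
 * With ext-ldap on PHP 5.6+, ldap_escape($v, '', LDAP_ESCAPE_FILTER) does the same job.
 */
function escapeFilterValue(string $value): string
{
    // Backslash goes first so the escapes added for the other characters
    // are not escaped a second time.
    return str_replace(
        ['\\', '*', '(', ')', "\0"],
        ['\\5c', '\\2a', '\\28', '\\29', '\\00'],
        $value
    );
}

/**
 * Fill the single [search] placeholder of a filter template with an
 * escaped value. The template itself is trusted configuration.
 */
function buildSearchFilter(string $template, string $value): string
{
    if (substr_count($template, '[search]') !== 1) {
        throw new InvalidArgumentException('template needs exactly one [search] placeholder');
    }
    return str_replace('[search]', escapeFilterValue($value), $template);
}

/**
 * Run a search that returns only the named attributes, e.g. ['memberOf'],
 * instead of every field of every matching entry.
 * Needs ext-ldap and a bound connection, so it is defined but not called here.
 */
function searchRestricted($conn, string $baseDn, string $filter, array $attributes): array
{
    $result = ldap_search($conn, $baseDn, $filter, $attributes);
    if ($result === false) {
        throw new RuntimeException(ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    return $entries === false ? [] : $entries;
}

// Constructed DN containing characters that are special inside a filter.
$dn = 'CN=Staff (Temp) *,OU=Staff,OU=School,DC=ACME,DC=LOCAL';

// Reverse lookup: groups that list $dn as a member.
echo buildSearchFilter('(&(objectClass=group)(member=[search]))', $dn), PHP_EOL;

// Forward lookup: the entry whose distinguishedName is $dn.
echo buildSearchFilter('(&(distinguishedName=[search]))', $dn), PHP_EOL;
```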

kenmcd
Joomla! Champion
Posts: 5672
Joined: Thu Aug 18, 2005 2:09 am
Location: California

Re: Joomla 1.6 Active Directory Group Mapping

Postby kenmcd » Wed Jul 06, 2011 1:33 am

ShMaunder wrote: Edit: just seen i've been told off for URL's in signature. Hope this doesn't get flagged for self promotion :s


It is OK to put links in your signature just as long as the actual link is visible.
The forum is bombarded daily with keyword link spammers (50-60 per day).
This includes signature link spammers who post useless posts just for the keyword links in their signature.
So there are a few rules regarding signatures designed to discourage the spammers.

Just follow the guidelines and signature links are allowed.
For example you could put this in your signature and it would be acceptable:

JMapMyLDAP extensions - Joomla LDAP Group Mapping
http://shmanic.com/tool/jmapmyldap/

As long as the link is visible, not an affiliate link, and not commercial spam, it is OK.
Up to four lines and two links and you are within the guidelines.

So please do not be discouraged, and keep on posting support for your plug-in.
And links on where to find it.
LibreTraining

cpmnet
Joomla! Apprentice
Posts: 9
Joined: Mon Mar 21, 2011 11:28 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby cpmnet » Wed Jul 06, 2011 2:09 am

Wow that looks really nice ShMaunder (I don't have joomla running on my home computer, nor ldap, just browsing through the code at the moment).

I like the way you handle group mapping. To be honest, I never thought about doing it like that.

The default for php (at least the windows version) is to search everything. My LDAP admin told me that even though I specified a baseDN, it still searched everything and I might as well just forget the baseDN.

So, from your website
Map all staff to the staff group:

CN=Staff Group,OU=Staff,OU=School,DC=ACME,DC=LOCAL:30

Map all students to the students group:

CN=Stu Group,OU=Students,OU=School,DC=ACME,DC=LOCAL:20

May not be necessary. And depending on the size of your organization, you can just search for the CN with a (CN=Stu Group) or (CN=Staff Group) [assuming that CN is a field and depending on how it is indexed, etc] and a base of DC=LOCAL. This should find the same thing as the examples (although would also find a Stu Group in different OU's), but I would double check that your ldap works the same as mine. I know almost nothing about Active Directory.

Personally, I also didn't work on recursive groups because I was afraid of the load on the ldap and time that would take. As it is, I had to raise the php max execution time to handle this w/o doing nested groups. I was also looking into mapping arbitrary fields to joomla groups as well (such as roles, which come back as a part of the user object and do not require a second query).

At work, we also use an external SSO system, so a new system plugin was created to fire off a login when you first hit the site (vs when logging in via a form). This also lets us have admins auto logged in when they first browse to the site. Just thinking out loud a bit. It might be easier (well for me) in the long term to work with someone to get a plugin we can bring in than to try to maintain our own.

Read through your comments in the code, I agree, print_r() is so valuable. I'm actually kind of glad that I'm not the only one who had trouble looking through the documentation for the various built-in functions.

Tonygetz wrote: I'm looking to integrate into Active Directory, do you think this will pose additional issues or should it be easier?

<snip>

I'm also seeking someone who can help me with the technical implementation of this so any recommendations (yourself included) would be appreciated.

AD should be about the same as anything else. Maybe a little easier since the field names are the same everywhere. Also, look at ShMaunder's plugin. It is better than mine right now, especially with how the groups mappings are handled (I went lazy and just did a string compare). I got tasked with getting something to work quickly to prove it could work. Nobody has used it enough to find bugs or asked me to fix anything yet. But I'm hoping to share what I found with people to help come up w/ something better (especially since I don't have a ton of free time right now).

BGaugler
Joomla! Apprentice
Posts: 27
Joined: Mon Jun 20, 2011 1:33 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby BGaugler » Wed Jul 06, 2011 7:26 pm

I have installed your plugin in an attempt to authenticate using Active Directory IDs and Groups.

In an ideal Joomla world, I guess I envisioned using the configured group mappings (from the plugin) as the sole link for integration. Someone would enter their AD id which would then return their AD groups and link to Joomla Groups using the mapping to determine validation and which groups/roles this person belongs to. (Thereby bypassing a need to have and maintain any Joomla IDs at all). Is this not allowable in Joomla?

I noticed in the code/comments for the plugin, "at the moment this plugin will not work for new Joomla users" which I am interpreting in my instance as Active Directory IDs that do not correlate to existing Joomla IDs. What was the future intention here? Is it possible to bypass the need for Joomla IDs to match (ex, AD IDs) or were you intending the plugin to one day, insert new Joomla IDs into Joomla database on the fly? And I guess, then map to Joomla groups to Joomla IDs the same way, using the group mapping. (I think that's basically how JAuthTools worked in 1.5)

This all leads me to believe there is a reason why we can't simply do what I envisioned and use the configured mapping to lookup AD groups by AD id, and map to Joomla group, and well, that's it- authenticated for this defined and mapped group role. Or perhaps there's another reason altogether?

Thank you all...

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Wed Jul 06, 2011 9:35 pm

Hopefully I've understood everyone correctly:

Gotta admit that I'm no expert in LDAP (only ever used AD!) - but I've learnt a lot since starting this project. Currently I'm trying to get this netware installation I have to play ball. It seems that Ubuntu and Windows have spoiled me when it comes to a nice gui that doesn't lock up every 10 seconds :D

@cpmnet: I think at the moment it is merely a string compare at the end of the tunnel (tries to remember). I think I know what you're saying though by using only a "cn=student" for example with its base dn intact should be enough information. But I'm unsure how this should be implemented. Like should there be a wildcard character, or should it be split etc etc... I need to look at how some other ldap systems work first - everything I've done so far has been on a Windows Server 2008 AD machine. Starting to feel like this is becoming an active directory plugin only.

I currently have a hacky mess of a plugin for HTTP SSO - needs some serious work. I'm tempted though to use a similar framework to that of JAuthTools for SSO; so it makes it possible to reuse the individual SSO plugins from it.


@BGaugler: I'm a bit confused - what do you mean by "Joomla IDs" (i.e. are we talking about the Joomla User ID or Joomla Group ID)? OK, I've read your first paragraph as you don't want to specify the Joomla group IDs in the group mapping list (i.e. the group 'cn=students,ou=.....' would automatically map to the Joomla group 'students' based on titles rather than group IDs - so your group mapping list would just contain LDAP group DNs - is that correct?).

What I meant by “at the moment this plugin will not work for new Joomla users” is I have to rely on “User – Joomla” to create the Joomla Users if they do not exist. This is the reasoning behind ordering “User – JMapMyLDAP” last. Only reason it's like this is because I've been lazy about the way I've handled JUser in the plugin. Though, as long as you order it last, new users will be created on the fly without any problems. I've in fact never used JAuthTools - I was confused by which packages I should install (that was a long time ago btw).

If you could reply with some examples (i.e. the parameters you would use), then I'll see what I can do. From the way I've understood your post, I think most things are possible though.


Do we have anybody that has successfully used this plugin yet? There has been a fair amount of downloads from the site with no success from anybody?
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

BGaugler
Joomla! Apprentice
Posts: 27
Joined: Mon Jun 20, 2011 1:33 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby BGaugler » Wed Jul 06, 2011 9:57 pm

I do not have access to my plugin config at the moment, but will send it over tomorrow.

I believe I was talking about Joomla User IDs. I knew this was hard to explain, but I'll give it another shot.

My question,
Pre-reqs:

1) Active Directory complete with defined AD IDs and AD group IDs.
2) Joomla Group IDs that will be mapped to the AD group IDs
3) This plugin configured to map the AD Groups to the Joomla Groups.

As you can see, I've purposefully left out Joomla User IDs from the auth structure. I had thought perhaps the plugin could authenticate users by allowing login with AD IDs. The plugin would take the AD ID, query AD for the list of AD groups associated with this AD ID. Using this collection of AD groups, and the defined mapping, the plugin could translate it into a Joomla group(s). And thereby give your user his permissions without the need for Joomla IDs.

Is that not allowed? Am I missing the auth validation aspect? Or can that be achieved to AD? You describe the other User plugin which essentially creates new user Joomla User IDs on the fly, but are they even needed? It very well might be, I just was wondering if anyone could explain. The purpose of achieving this, would be to eliminate an extra set of IDs (Joomla User IDs) that need to be created and maintained, manually or by a plugin on the fly (if it can be avoided) and just maintain AD Users. THANKS!!

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Thu Jul 07, 2011 1:35 am

@BGaugler: I think I see what you're getting at. Not sure why exactly you would want to do this though - setting the groups as managed within the plugin would effectively mean you would never have to maintain the "User Manager". Though do go ahead with sending the plugin config, and then it should become clearer exactly what you're after :)


I can confirm that this plugin currently does NOT support NDS/eDirectory (and probably many more types of LDAP servers). I've assumed a lot about LDAP servers due to the way AD works. I will start on getting this fixed + all the bugs that have arisen from my journey of getting NDS authenticating properly. I'll also get the guide/documentation completed soon for the new set of parameters found in the latest version.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

BGaugler
Joomla! Apprentice
Posts: 27
Joined: Mon Jun 20, 2011 1:33 pm

Re: Joomla 1.6 Active Directory Group Mapping

Postby BGaugler » Thu Jul 07, 2011 4:21 pm

As I was expecting, I had a misconception about Joomla authentication. It all translates down to Joomla User IDs and the permissions in the end. The idea with New Joomla User IDs will have to follow this pattern and I think this is what you were saying:

Login with AD ID. (If it does not exist, User-Joomla plugin creates it on the fly before this plugin is hit) Search AD Groups associated with AD ID (/ new or existing Joomla ID). Translate the associated AD Groups to a collection of Joomla Groups using the mapping configuration. In parallel, gather the list of Joomla Groups this Joomla User ID is currently associated with. Compare the two collections of groups, and sync your Joomla User to all the Joomla Groups to match Active Directory collection (removing or adding as appropriate).

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Fri Jul 08, 2011 10:27 pm

@BGaugler: Yep spot on, couldn't have said it clearer myself.


Bit of a progress update: documentation for the new parameters is up. Though I realised that I've made a donkey of these new parameters - I've not thought it through. So there will be changes to these in the next version.

Also I found that I have not put any conditions for binding directly as the user. Currently I cannot get it working correctly with the inbuilt Joomla LDAP authenticator and multiple User DNs. Probably a misunderstanding somewhere on my part. Due to this, there probably won't be any updates for at least a couple of days.


Edit 10/07/11: if you want to contact me then please use the PM feature - I do not check the email connected to this forum often :)

Without enabling either the allow additions / allow removals, I do not believe the plugin will do anything in the current version. Also just to make sure it's clear, this plugin will only read from your LDAP server (i.e. doesn't modify anything). I need to make the descriptions of these parameters clearer. Also, I'm implementing some of the ideas mentioned above - more to follow soon. One of the major things for the next version is to make the code consistent (i.e. getting rid of the ridiculous linked list implementation for storing the group list parameters). Also, I will put the project onto Joomlacode within the next week or so (so that if you want - you can submit code / help out etc etc).

Edit 14/07/11: I'll be releasing the next version within a day or so - once again, a lot of stuff has been rewritten which makes it non-backward compatible. I've also started taking LDAP server efficiency seriously. I'll be appending an alpha 1 tag to this one, then after I've released HTTP SSO (which should be early next week), a beta tag to the entire package. At beta stage I will put it onto both JED and JoomlaCode.
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/

sipalmer
Joomla! Fledgling
Posts: 1
Joined: Fri Jul 15, 2011 10:29 am

Re: Joomla 1.6 Active Directory Group Mapping

Postby sipalmer » Fri Jul 15, 2011 10:33 am

Great - I'm keen to test eDirectory authentication with group mapping.

ShMaunder
Joomla! Explorer
Posts: 486
Joined: Mon Jul 05, 2010 7:22 pm
Location: UK

Re: Joomla 1.6 Active Directory Group Mapping

Postby ShMaunder » Sun Jul 17, 2011 10:59 pm

Hi all,

To the people still interested, I've just got version 0.21 Alpha 1 up on the site with guide. This is the last major change I'll be doing unless there are some big problems with it. I found a minor problem in version 0.20 which was fully tested with both AD and Netware. This version has only been tested with AD though I don't think it's made a difference in terms of support.

I've done a changelog which can be found in the downloads section. Summary of this includes:
- NEW: shorten LDAP DNs within the group mapping list (suggestion from forum member cpmnet)
- NEW: sync name and email
- NEW: jlog and jerror is now used to report errors
- NEW: much better (optional) authentication plugin to increase efficiency
- NEW: user plugin is able to create users and no longer has to be ordered last
- CHANGED: better handling of bind direct to user
- BUG: fixed case sensitive comparison of LDAP fields
- BUG: fixed automatically demoting a super user

Once again the entire package including library, authentication and user plugin can be downloaded here http://shmanic.com/tool/jmapmyldap/file.php?name=pkg_jmapmyldap.zip.

This version still supports the inbuilt LDAP authentication plugin (the auth plugin parameter must be changed to ldap to use it), though the JMapMyLDAP authentication plugin is more efficient. Also make sure the authentication is authenticating correctly before enabling the user plugin.

The library files may still be changed to get SSO working - this is the reason for the alpha tag and not beta.

Please report problems, bugs or suggestions here. Much appreciated :)
Shaun Maunder
JMapMyLDAP extensions - Joomla! 2.5/3.1/3.2 LDAP Integration & SSO
http://shmanic.com/tools/jmapmyldap/
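
The sync procedure BGaugler outlines in this thread, combined with the allow additions / allow removals switches and the case-sensitivity and super-user fixes listed in the 0.21 changelog, as an added PHP example (not JMapMyLDAP's code and not from any poster). The function names, option keys, DNs and group IDs are assumptions made for illustration, and the `protected` list is one assumed way to keep a privileged group from being removed automatically.

```php
<?php
// Added illustration, not JMapMyLDAP code. Function names, option keys,
// DNs and group IDs are hypothetical/constructed.

// Case-insensitive DN key. Simplified: ignores escaped commas inside values.
function normalise_dn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

// Returns the Joomla group IDs to add and to remove for one user.
function plan_group_sync(array $ldapDns, array $mapping, array $current, array $opts): array
{
    $norm = [];
    foreach ($mapping as $dn => $ids) {
        $norm[normalise_dn($dn)] = $ids;
    }
    // "Managed" groups are those named in the mapping; others are never touched.
    $managed = $norm ? array_unique(array_merge(...array_values($norm))) : [];

    $wanted = [];
    foreach ($ldapDns as $dn) {
        $wanted = array_merge($wanted, $norm[normalise_dn($dn)] ?? []);
    }
    $wanted = array_unique($wanted);

    $add = $opts['allow_add'] ? array_diff($wanted, $current) : [];
    // Remove only managed groups the directory no longer grants, minus protected ones.
    $remove = $opts['allow_remove']
        ? array_diff(array_intersect($current, $managed), $wanted, $opts['protected'])
        : [];

    return ['add' => array_values($add), 'remove' => array_values($remove)];
}

// Constructed sample data.
$mapping = [
    'CN=Web Editors,OU=Groups,DC=example,DC=com'    => [4],
    'CN=Web Publishers,OU=Groups,DC=example,DC=com' => [5],
    'CN=Web Admins,OU=Groups,DC=example,DC=com'     => [7, 8],
];
$fromDirectory = ['cn=web editors, ou=groups, dc=example, dc=com'];
$current = [2, 5, 8];   // 2 is unmanaged, 8 is listed as protected below
$opts = ['allow_add' => true, 'allow_remove' => true, 'protected' => [8]];

echo json_encode(plan_group_sync($fromDirectory, $mapping, $current, $opts)), PHP_EOL;
```

With both `allow_add` and `allow_remove` set to false the plan is empty in both directions, so a mapping can be reviewed against real directory data before it is allowed to change any account.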

