Author: buildbot
Date: Mon Mar 3 20:10:38 2014
New Revision: 899900
Log:
Staging update by buildbot for vcl
Modified:
websites/staging/vcl/trunk/content/ (props changed)
websites/staging/vcl/trunk/content/docs/ldapauth.html
Propchange: websites/staging/vcl/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Mar 3 20:10:38 2014
@@ -1 +1 @@
-1573719
+1573726
Modified: websites/staging/vcl/trunk/content/docs/ldapauth.html
==============================================================================
--- websites/staging/vcl/trunk/content/docs/ldapauth.html (original)
+++ websites/staging/vcl/trunk/content/docs/ldapauth.html Mon Mar 3 20:10:38
2014
@@ -81,6 +81,7 @@
<li><a href="#adding-ldap-authentication-to-the-web-code">Adding LDAP
Authentication to the Web Code</a></li>
<li><a href="#mirroring-ldap-user-groups">Mirroring LDAP User Groups</a><ul>
<li><a href="#some-things-to-be-aware-of-with-mirrored-groups">Some things to
be aware of with mirrored groups</a></li>
+<li><a href="#debugging-ldap-configuration">Debugging LDAP
Configuration</a></li>
</ul>
</li>
</ul>
@@ -235,9 +236,9 @@ expressions in the <strong>for</strong>
example names of user groups. You'll need to modify these to match the OU
structure
of your LDAP system.</p>
<p>These are the three example rules in VCL 2.3:</p>
-<div class="codehilite"><pre><span class="o">^</span><span
class="n">CN</span><span class="o">=</span><span class="p">(</span><span
class="o">.+</span><span class="p">),</span><span class="n">OU</span><span
class="o">=</span><span class="n">CourseRolls</span><span
class="p">,</span><span class="n">DC</span><span class="o">=</span><span
class="n">example1</span><span class="p">,</span><span class="n">DC</span><span
class="o">=</span><span class="n">com</span>
-<span class="o">^</span><span class="n">CN</span><span class="o">=</span><span
class="p">(</span><span class="n">Students_Enrolled</span><span
class="p">),</span><span class="n">OU</span><span class="o">=</span><span
class="n">Students</span><span class="p">,</span><span class="n">DC</span><span
class="o">=</span><span class="n">example1</span><span class="p">,</span><span
class="n">DC</span><span class="o">=</span><span class="n">com</span><span
class="nv">$</span>
-<span class="err">^</span><span class="nv">CN</span><span
class="o">=</span><span class="p">(</span><span class="n">Staff</span><span
class="p">),</span><span class="n">OU</span><span class="o">=</span><span
class="n">IT</span><span class="p">,</span><span class="n">DC</span><span
class="o">=</span><span class="n">example1</span><span class="p">,</span><span
class="n">DC</span><span class="o">=</span><span class="n">com</span><span
class="nv">$</span>
+<div class="codehilite"><pre>^<span class="n">CN</span><span
class="p">=(.</span><span class="o">+</span><span class="p">),</span><span
class="n">OU</span><span class="p">=</span><span
class="n">CourseRolls</span><span class="p">,</span><span
class="n">DC</span><span class="p">=</span><span class="n">example1</span><span
class="p">,</span><span class="n">DC</span><span class="p">=</span><span
class="n">com</span>
+^<span class="n">CN</span><span class="p">=(</span><span
class="n">Students_Enrolled</span><span class="p">),</span><span
class="n">OU</span><span class="p">=</span><span class="n">Students</span><span
class="p">,</span><span class="n">DC</span><span class="p">=</span><span
class="n">example1</span><span class="p">,</span><span class="n">DC</span><span
class="p">=</span><span class="n">com</span>$
+^<span class="n">CN</span><span class="p">=(</span><span
class="n">Staff</span><span class="p">),</span><span class="n">OU</span><span
class="p">=</span><span class="n">IT</span><span class="p">,</span><span
class="n">DC</span><span class="p">=</span><span class="n">example1</span><span
class="p">,</span><span class="n">DC</span><span class="p">=</span><span
class="n">com</span>$
</pre></div>
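Review bot: the first example rule `^CN=(.+),OU=CourseRolls,DC=example1,DC=com` has no trailing `$` anchor while the `Students_Enrolled` and `Staff` rules both end in `$`, so it also matches any memberOf DN that merely begins with that prefix (for example one with further components after `DC=com`). Either anchor it with `$` for consistency with the other two rules, or add a sentence explaining why the course-roll rule is intentionally open-ended. The rest of the hunk only changes the codehilite span markup; the regex text itself is unchanged.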
@@ -250,49 +251,49 @@ Toward the end of the function is a <str
Change the <strong>EXAMPLE1</strong> entry to the affiliation you created for
your site. Then,
change the name of the function called for that affiliation to your new name
for the
<strong>updateEXAMPLE1Groups</strong> function. Here is an example of that
part of the function:</p>
-<div class="codehilite"><pre><span class="n">switch</span><span
class="p">(</span><span class="n">getAffiliationName</span><span
class="p">(</span><span class="nv">$affilid</span><span class="p">))</span>
<span class="p">{</span>
+<div class="codehilite"><pre><span class="k">switch</span><span
class="p">(</span><span class="n">getAffiliationName</span><span
class="p">(</span>$<span class="n">affilid</span><span class="p">))</span>
<span class="p">{</span>
<span class="k">case</span> <span class="s">'NCSU'</span><span
class="p">:</span>
- <span class="n">updateNCSUGroups</span><span class="p">(</span><span
class="nv">$user</span><span class="p">);</span>
- <span class="n">break</span><span class="p">;</span>
- <span class="n">default:</span>
- <span class="sr">//</span><span class="n">TODO</span> <span
class="n">possibly</span> <span class="n">add</span> <span class="n">to</span>
<span class="n">a</span> <span class="n">default</span> <span
class="n">group</span>
+ <span class="n">updateNCSUGroups</span><span class="p">(</span>$<span
class="n">user</span><span class="p">);</span>
+ <span class="k">break</span><span class="p">;</span>
+ <span class="n">default</span><span class="p">:</span>
+ <span class="o">//</span><span class="n">TODO</span> <span
class="n">possibly</span> <span class="n">add</span> <span class="n">to</span>
<span class="n">a</span> <span class="n">default</span> <span
class="n">group</span>
<span class="p">}</span>
</pre></div>
<p>Here is an example function using NCSU instead of EXAMPLE1, and using an
Active
Directory LDAP system:</p>
-<div class="codehilite"><pre><span class="n">function</span> <span
class="n">updateNCSUGroups</span><span class="p">(</span><span
class="nv">$user</span><span class="p">)</span> <span class="p">{</span>
- <span class="n">global</span> <span class="nv">$authMechs</span><span
class="p">;</span>
- <span class="nv">$auth</span> <span class="o">=</span> <span
class="nv">$authMechs</span><span class="p">[</span><span class="s">'NCSU
LDAP'</span><span class="p">];</span>
- <span class="nv">$ds</span> <span class="o">=</span> <span
class="n">ldap_connect</span><span class="p">(</span><span
class="s">"ldaps://{$auth['server']}/"</span><span
class="p">);</span>
- <span class="k">if</span><span class="p">(</span><span class="o">!</span>
<span class="nv">$ds</span><span class="p">)</span>
- <span class="k">return</span> <span class="mi">0</span><span
class="p">;</span>
- <span class="n">ldap_set_option</span><span class="p">(</span><span
class="nv">$ds</span><span class="p">,</span> <span
class="n">LDAP_OPT_PROTOCOL_VERSION</span><span class="p">,</span> <span
class="mi">3</span><span class="p">);</span>
- <span class="n">ldap_set_option</span><span class="p">(</span><span
class="nv">$ds</span><span class="p">,</span> <span
class="n">LDAP_OPT_REFERRALS</span><span class="p">,</span> <span
class="mi">0</span><span class="p">);</span>
-
- <span class="nv">$res</span> <span class="o">=</span> <span
class="n">ldap_bind</span><span class="p">(</span><span
class="nv">$ds</span><span class="p">,</span> <span
class="nv">$auth</span><span class="p">[</span><span
class="s">'masterlogin'</span><span class="p">],</span>
- <span class="nv">$auth</span><span
class="p">[</span><span class="s">'masterpwd'</span><span
class="p">]);</span>
- <span class="k">if</span><span class="p">(</span><span class="o">!</span>
<span class="nv">$res</span><span class="p">)</span>
- <span class="k">return</span> <span class="mi">0</span><span
class="p">;</span>
-
- <span class="nv">$search</span> <span class="o">=</span> <span
class="n">ldap_search</span><span class="p">(</span><span
class="nv">$ds</span><span class="p">,</span>
- <span class="nv">$auth</span><span
class="p">[</span><span class="s">'binddn'</span><span
class="p">],</span>
- <span
class="s">"{$auth['unityid']}={$user['unityid']}"</span><span
class="p">,</span>
- <span class="n">array</span><span
class="p">(</span><span class="s">'memberof'</span><span
class="p">),</span> <span class="mi">0</span><span class="p">,</span> <span
class="mi">10</span><span class="p">,</span> <span class="mi">15</span><span
class="p">);</span>
- <span class="k">if</span><span class="p">(</span><span class="o">!</span>
<span class="nv">$search</span><span class="p">)</span>
- <span class="k">return</span> <span class="mi">0</span><span
class="p">;</span>
-
- <span class="nv">$data</span> <span class="o">=</span> <span
class="n">ldap_get_entries</span><span class="p">(</span><span
class="nv">$ds</span><span class="p">,</span> <span
class="nv">$search</span><span class="p">);</span>
- <span class="nv">$newusergroups</span> <span class="o">=</span> <span
class="n">array</span><span class="p">();</span>
- <span class="k">if</span><span class="p">(</span><span class="o">!</span>
<span class="n">array_key_exists</span><span class="p">(</span><span
class="s">'memberof'</span><span class="p">,</span> <span
class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span
class="p">]))</span>
+<div class="codehilite"><pre><span class="k">function</span><span class="w">
</span><span class="nf">updateNCSUGroups</span><span
class="p">(</span>$user<span class="p">)</span><span class="w"> </span><span
class="p">{</span>
+ <span class="k">global</span> $<span class="n">authMechs</span><span
class="p">;</span>
+ $<span class="n">auth</span> <span class="p">=</span> $<span
class="n">authMechs</span><span class="p">[</span><span class="s">'NCSU
LDAP'</span><span class="p">];</span>
+ $<span class="n">ds</span> <span class="p">=</span> <span
class="n">ldap_connect</span><span class="p">(</span>"<span
class="n">ldaps</span><span class="p">:</span><span class="o">//</span><span
class="p">{</span>$<span class="n">auth</span><span class="p">[</span><span
class="s">'server'</span><span class="p">]}</span><span
class="o">/</span>"<span class="p">);</span>
+ <span class="k">if</span><span class="p">(</span>! $<span
class="n">ds</span><span class="p">)</span>
+ <span class="k">return</span> 0<span class="p">;</span>
+ <span class="n">ldap_set_option</span><span class="p">(</span>$<span
class="n">ds</span><span class="p">,</span> <span
class="n">LDAP_OPT_PROTOCOL_VERSION</span><span class="p">,</span> 3<span
class="p">);</span>
+ <span class="n">ldap_set_option</span><span class="p">(</span>$<span
class="n">ds</span><span class="p">,</span> <span
class="n">LDAP_OPT_REFERRALS</span><span class="p">,</span> 0<span
class="p">);</span>
+
+ $<span class="n">res</span> <span class="p">=</span> <span
class="n">ldap_bind</span><span class="p">(</span>$<span
class="n">ds</span><span class="p">,</span> $<span class="n">auth</span><span
class="p">[</span><span class="s">'masterlogin'</span><span
class="p">],</span>
+ $<span class="n">auth</span><span class="p">[</span><span
class="s">'masterpwd'</span><span class="p">]);</span>
+ <span class="k">if</span><span class="p">(</span>! $<span
class="n">res</span><span class="p">)</span>
+ <span class="k">return</span> 0<span class="p">;</span>
+
+ $<span class="n">search</span> <span class="p">=</span> <span
class="n">ldap_search</span><span class="p">(</span>$<span
class="n">ds</span><span class="p">,</span>
+ $<span class="n">auth</span><span
class="p">[</span><span class="s">'binddn'</span><span
class="p">],</span>
+ "<span class="p">{</span>$<span
class="n">auth</span><span class="p">[</span><span
class="s">'unityid'</span><span class="p">]}={</span>$<span
class="n">user</span><span class="p">[</span><span
class="s">'unityid'</span><span class="p">]}</span>"<span
class="p">,</span>
+ <span class="n">array</span><span
class="p">(</span><span class="s">'memberof'</span><span
class="p">),</span> 0<span class="p">,</span> 10<span class="p">,</span>
15<span class="p">);</span>
+ <span class="k">if</span><span class="p">(</span>! $<span
class="n">search</span><span class="p">)</span>
+ <span class="k">return</span> 0<span class="p">;</span>
+
+ $<span class="n">data</span> <span class="p">=</span> <span
class="n">ldap_get_entries</span><span class="p">(</span>$<span
class="n">ds</span><span class="p">,</span> $<span class="n">search</span><span
class="p">);</span>
+ $<span class="n">newusergroups</span> <span class="p">=</span> <span
class="n">array</span><span class="p">();</span>
+ <span class="k">if</span><span class="p">(</span>! <span
class="n">array_key_exists</span><span class="p">(</span><span
class="s">'memberof'</span><span class="p">,</span> $<span
class="n">data</span><span class="p">[</span>0<span class="p">]))</span>
<span class="k">return</span><span class="p">;</span>
- <span class="k">for</span><span class="p">(</span><span
class="nv">$i</span> <span class="o">=</span> <span class="mi">0</span><span
class="p">;</span> <span class="nv">$i</span> <span class="o"><</span> <span
class="nv">$data</span><span class="p">[</span><span class="mi">0</span><span
class="p">][</span><span class="s">'memberof'</span><span
class="p">][</span><span class="s">'count'</span><span
class="p">];</span> <span class="nv">$i</span><span class="o">++</span><span
class="p">)</span> <span class="p">{</span>
- <span class="k">if</span><span class="p">(</span><span
class="n">preg_match</span><span class="p">(</span><span
class="s">'/^CN=(.+),OU=VCLGroups,DC=ad,DC=ncsu,DC=edu/'</span><span
class="p">,</span> <span class="nv">$data</span><span class="p">[</span><span
class="mi">0</span><span class="p">][</span><span
class="s">'memberof'</span><span class="p">][</span><span
class="nv">$i</span><span class="p">],</span> <span
class="nv">$match</span><span class="p">))</span>
- <span class="n">array_push</span><span class="p">(</span><span
class="nv">$newusergroups</span><span class="p">,</span> <span
class="n">getUserGroupID</span><span class="p">(</span><span
class="nv">$match</span><span class="p">[</span><span class="mi">1</span><span
class="p">],</span> <span class="nv">$user</span><span class="p">[</span><span
class="s">'affiliationid'</span><span class="p">]));</span>
+ <span class="k">for</span><span class="p">(</span>$<span
class="nb">i</span> <span class="p">=</span> 0<span class="p">;</span> $<span
class="nb">i</span> <span class="o"><</span> $<span
class="n">data</span><span class="p">[</span>0<span class="p">][</span><span
class="s">'memberof'</span><span class="p">][</span><span
class="s">'count'</span><span class="p">];</span> $<span
class="nb">i</span><span class="o">++</span><span class="p">)</span> <span
class="p">{</span>
+ <span class="k">if</span><span class="p">(</span><span
class="n">preg_match</span><span class="p">(</span><span
class="s">'/^CN=(.+),OU=VCLGroups,DC=ad,DC=ncsu,DC=edu/'</span><span
class="p">,</span> $<span class="n">data</span><span class="p">[</span>0<span
class="p">][</span><span class="s">'memberof'</span><span
class="p">][</span>$<span class="nb">i</span><span class="p">],</span> $<span
class="n">match</span><span class="p">))</span>
+ <span class="n">array_push</span><span class="p">(</span>$<span
class="n">newusergroups</span><span class="p">,</span> <span
class="n">getUserGroupID</span><span class="p">(</span>$<span
class="n">match</span><span class="p">[</span>1<span class="p">],</span> $<span
class="n">user</span><span class="p">[</span><span
class="s">'affiliationid'</span><span class="p">]));</span>
<span class="p">}</span>
- <span class="nv">$newusergroups</span> <span class="o">=</span> <span
class="n">array_unique</span><span class="p">(</span><span
class="nv">$newusergroups</span><span class="p">);</span>
- <span class="n">updateGroups</span><span class="p">(</span><span
class="nv">$newusergroups</span><span class="p">,</span> <span
class="nv">$user</span><span class="p">[</span><span
class="s">"id"</span><span class="p">]);</span>
+ $<span class="n">newusergroups</span> <span class="p">=</span> <span
class="n">array_unique</span><span class="p">(</span>$<span
class="n">newusergroups</span><span class="p">);</span>
+ <span class="n">updateGroups</span><span class="p">(</span>$<span
class="n">newusergroups</span><span class="p">,</span> $<span
class="n">user</span><span class="p">[</span>"<span
class="n">id</span>"<span class="p">]);</span>
<span class="p">}</span>
</pre></div>
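Review bot: the documented `updateNCSUGroups` example has two robustness gaps that are worth fixing while the block is being re-rendered. First, `array_key_exists('memberof', $data[0])` dereferences `$data[0]` without checking `$data['count']`; when the search matches no entry, `$data[0]` does not exist and the check emits a warning instead of returning cleanly, so guard with `if ($data['count'] == 0) return 0;` before that line. Second, the search filter `"{$auth['unityid']}={$user['unityid']}"` interpolates the user identifier directly into the LDAP filter; unless `$user['unityid']` is validated upstream, filter metacharacters such as `*`, `(`, `)` and `\` change the query, so escape the value (PHP's `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` where available) before building the filter. Minor: the early exits mix `return 0;` with a bare `return;` on the missing-`memberof` path; use one form so callers can test the result consistently.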
@@ -311,6 +312,15 @@ caches a user's LDAP information for up
yourself to a group on your LDAP server, you will have to wait for up to 24
hours
before VCL looks up your LDAP information again. Alternatively, you can
force a lookup on the <strong>User Lookup</strong> page.</p>
+<h3 id="debugging-ldap-configuration">Debugging LDAP Configuration</h3>
+<p>If you run in to problems getting an LDAP configuration to work,
+you can download a <a href="/docs/generic.php.txt" title="LDAP Debug
Script">link text</a> and save it as generic.php (remove .txt
+from the name) somewhere you can access it on you web server. There
+are 5 variables at the top of the script that need to be set
+according to your site's configuration. There is a comment in the
+file explaining what each variable needs to be set to. Once you get
+the script to show you search results, you should have a good idea
+what you need to set the variables to in conf.php.</p>
</div>
<div id="footer">
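Review bot: the new paragraph still carries the markdown placeholder anchor text `link text` for the `/docs/generic.php.txt` link; replace it with descriptive text such as `the LDAP debug script`. Two typos: `run in to` should be `run into` and `on you web server` should be `on your web server`. Since the reader is told to save the script somewhere reachable on the web server and fill in its five site-specific variables, the section should also tell them to delete `generic.php` once the search results look right, so a configured debug script is not left web-accessible after troubleshooting.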