RE: Cannot get LDAP grouping to work
Thanks for all the advice and help. I was able to get it working. After adding
the logging, I was wondering why I wasn't getting any information to the
screen. I forgot about the (user.lastupdated is < 24) and reset the time for
my useraccount and upon login it listed two ldap_bind errors. I had to put my
the full dn for the "masterlogin" field in the conf.php to get it to properly
bind. Just the cn would not work. Afterwards, everything started to work
fine!
Thanks for your hard work!
- Gerhard
-Original Message-
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Wednesday, May 19, 2010 12:47 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
The first thing I'd suggest is logging in to the database and checking for the
existence of the groups in the usergroup table. If the groups are there, it
may be that they have a different affiliation than the user you are using to
check for them. In that case, set View User Groups to "from all affiliations"
under User Preferences->General Preferences.
If the are not there, here's what I'd do. In updateODUGroups, add
print "affiliationid of user id: {$user['affiliationid']}\n";
before the "for" loop, add {}'s to the "if" statement in the "for" loop; then
add
print "new group to add: {$match[1]}\n";
after array_push is called; finally, add
print "user group ids:\n";
printArray($newusergroups);
after
$newusergroups = array_unique($newusergroups);
The last thing you'll need to do is to make sure user.lastupdated is > 24
hours old for the user you are testing LDAP with.
Let me know what you find.
Josh
On Wednesday May 19, 2010, Hartl, Gerhard L. wrote:
> I have been checking the privileges page for the groups. I have been
> trying to add var_dumps to the ldapauth.php, but I'm not getting anything
> to the screen.
>
> - Gerhard
> 757.683.6980 | gha...@odu.edu | occs.odu.edu
>
>
> -Original Message-----
> From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> Sent: Tuesday, May 18, 2010 3:58 PM
> To: vcl-dev@incubator.apache.org
> Subject: Re: Cannot get LDAP grouping to work
>
> Gerhard,
>
> Where in VCL are you looking to see if the groups have been created?
> Groups created from LDAP sources do not appear on the Manage Groups page
> since their creation/membership is managed via LDAP. You can either look
> directly in the database, or go to the privileges page and click on the
> "Add Group" button to see if they are in the list.
>
> Josh
>
> On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > I actually started out like that and in my trouble shooting had stripped
> > them off. You are correct as this now produces the following from my
> > test code, but I am still not getting the groups. Any other ideas on
> > where to look or how to debug?
> >
> > Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage ) Array
> > ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
> >
> > - Gerhard
> >
> >
> > -Original Message-
> > From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> > Sent: Tuesday, May 18, 2010 2:57 PM
> > To: vcl-dev@incubator.apache.org
> > Subject: Re: Cannot get LDAP grouping to work
> >
> > Gerhard,
> >
> > You're almost there. You need to put ()'s around the part of the regular
> > expression that you want to be the name of the group in VCL. I would
> > suggest:
> >
> > for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> > if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match) ||
> >preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match))
> >
> > If you look at updateEXAMPLE1Groups in the unmodified code, you'll see
> > some examples that have the ()'s in them.
> >
> > preg_match puts the entire matched string into $match[0] and then any sub
> > matches (items surrounded by ()'s) in $match[1] through $match[n].
> >
> > Josh
> >
> > On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > > Hello all,
> > >
> > > I have been scratching my head for a few weeks now and still cannot get
> > > vcl ldap groups working. I have following the instruction on the
> > > mailing list regarding setting up the ldap.conf and ldapauth.php and
> > > while the user is proper
Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
The first thing I'd suggest is logging in to the database and checking for the
existence of the groups in the usergroup table. If the groups are there, it
may be that they have a different affiliation than the user you are using to
check for them. In that case, set View User Groups to "from all affiliations"
under User Preferences->General Preferences.
If the are not there, here's what I'd do. In updateODUGroups, add
print "affiliationid of user id: {$user['affiliationid']}\n";
before the "for" loop, add {}'s to the "if" statement in the "for" loop; then
add
print "new group to add: {$match[1]}\n";
after array_push is called; finally, add
print "user group ids:\n";
printArray($newusergroups);
after
$newusergroups = array_unique($newusergroups);
The last thing you'll need to do is to make sure user.lastupdated is > 24
hours old for the user you are testing LDAP with.
Let me know what you find.
Josh
On Wednesday May 19, 2010, Hartl, Gerhard L. wrote:
> I have been checking the privileges page for the groups. I have been
> trying to add var_dumps to the ldapauth.php, but I'm not getting anything
> to the screen.
>
> - Gerhard
> 757.683.6980 | gha...@odu.edu | occs.odu.edu
>
>
> -Original Message-
> From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> Sent: Tuesday, May 18, 2010 3:58 PM
> To: vcl-dev@incubator.apache.org
> Subject: Re: Cannot get LDAP grouping to work
>
> Gerhard,
>
> Where in VCL are you looking to see if the groups have been created?
> Groups created from LDAP sources do not appear on the Manage Groups page
> since their creation/membership is managed via LDAP. You can either look
> directly in the database, or go to the privileges page and click on the
> "Add Group" button to see if they are in the list.
>
> Josh
>
> On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > I actually started out like that and in my trouble shooting had stripped
> > them off. You are correct as this now produces the following from my
> > test code, but I am still not getting the groups. Any other ideas on
> > where to look or how to debug?
> >
> > Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage ) Array
> > ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
> >
> > - Gerhard
> >
> >
> > -Original Message-
> > From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> > Sent: Tuesday, May 18, 2010 2:57 PM
> > To: vcl-dev@incubator.apache.org
> > Subject: Re: Cannot get LDAP grouping to work
> >
> > Gerhard,
> >
> > You're almost there. You need to put ()'s around the part of the regular
> > expression that you want to be the name of the group in VCL. I would
> > suggest:
> >
> > for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> > if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match) ||
> >preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match))
> >
> > If you look at updateEXAMPLE1Groups in the unmodified code, you'll see
> > some examples that have the ()'s in them.
> >
> > preg_match puts the entire matched string into $match[0] and then any sub
> > matches (items surrounded by ()'s) in $match[1] through $match[n].
> >
> > Josh
> >
> > On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > > Hello all,
> > >
> > > I have been scratching my head for a few weeks now and still cannot get
> > > vcl ldap groups working. I have following the instruction on the
> > > mailing list regarding setting up the ldap.conf and ldapauth.php and
> > > while the user is properly authenticated, the groups do not follow. We
> > > are using OpenDS and the attribute that lists groups that a user is
> > > apart of is "ismemberof". I have pulled out the updateODUGroups
> > > function and populated the variables and find that I do get a match.
> > >
> > > Here is our match statement:
> > >
> > > for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> > > if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
> > > $data[0]['ismemberof'][$i], $match) ||
> > > preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu
RE: Cannot get LDAP grouping to work
I have been checking the privileges page for the groups. I have been trying to
add var_dumps to the ldapauth.php, but I'm not getting anything to the screen.
- Gerhard
757.683.6980 | gha...@odu.edu | occs.odu.edu
-Original Message-
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Tuesday, May 18, 2010 3:58 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
Where in VCL are you looking to see if the groups have been created? Groups
created from LDAP sources do not appear on the Manage Groups page since their
creation/membership is managed via LDAP. You can either look directly in the
database, or go to the privileges page and click on the "Add Group" button to
see if they are in the list.
Josh
On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> I actually started out like that and in my trouble shooting had stripped
> them off. You are correct as this now produces the following from my test
> code, but I am still not getting the groups. Any other ideas on where to
> look or how to debug?
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage ) Array (
> [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
>
> - Gerhard
>
>
> -Original Message-
> From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> Sent: Tuesday, May 18, 2010 2:57 PM
> To: vcl-dev@incubator.apache.org
> Subject: Re: Cannot get LDAP grouping to work
>
> Gerhard,
>
> You're almost there. You need to put ()'s around the part of the regular
> expression that you want to be the name of the group in VCL. I would
> suggest:
>
> for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match) ||
>preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match))
>
> If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some
> examples that have the ()'s in them.
>
> preg_match puts the entire matched string into $match[0] and then any sub
> matches (items surrounded by ()'s) in $match[1] through $match[n].
>
> Josh
>
> On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > Hello all,
> >
> > I have been scratching my head for a few weeks now and still cannot get
> > vcl ldap groups working. I have following the instruction on the mailing
> > list regarding setting up the ldap.conf and ldapauth.php and while the
> > user is properly authenticated, the groups do not follow. We are using
> > OpenDS and the attribute that lists groups that a user is apart of is
> > "ismemberof". I have pulled out the updateODUGroups function and
> > populated the variables and find that I do get a match.
> >
> > Here is our match statement:
> >
> > for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> > if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match) ||
> > preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match))
> >
> > This is what $match gets populated with:
> >
> > Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu ) Array ( [0] =>
> > cn=vcladmin,ou=group,ou=vcl,o=odu )
> >
> > Is there a better way to debug this? I am not sure where it is breaking.
> >
> > Gerhard Hartl
> > Old Dominion University | ODU
>
- --
- ---
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAkvy8V0ACgkQV/LQcNdtPQOaowCfU8shflOBcSP6KDLLk/O2AnEz
9HsAn29UJeGUDsxBO62sXqXnuowNoiS5
=b1kw
-END PGP SIGNATURE-
Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
Where in VCL are you looking to see if the groups have been created? Groups
created from LDAP sources do not appear on the Manage Groups page since their
creation/membership is managed via LDAP. You can either look directly in the
database, or go to the privileges page and click on the "Add Group" button to
see if they are in the list.
Josh
On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> I actually started out like that and in my trouble shooting had stripped
> them off. You are correct as this now produces the following from my test
> code, but I am still not getting the groups. Any other ideas on where to
> look or how to debug?
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage ) Array (
> [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
>
> - Gerhard
>
>
> -Original Message-
> From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
> Sent: Tuesday, May 18, 2010 2:57 PM
> To: vcl-dev@incubator.apache.org
> Subject: Re: Cannot get LDAP grouping to work
>
> Gerhard,
>
> You're almost there. You need to put ()'s around the part of the regular
> expression that you want to be the name of the group in VCL. I would
> suggest:
>
> for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match) ||
>preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match))
>
> If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some
> examples that have the ()'s in them.
>
> preg_match puts the entire matched string into $match[0] and then any sub
> matches (items surrounded by ()'s) in $match[1] through $match[n].
>
> Josh
>
> On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> > Hello all,
> >
> > I have been scratching my head for a few weeks now and still cannot get
> > vcl ldap groups working. I have following the instruction on the mailing
> > list regarding setting up the ldap.conf and ldapauth.php and while the
> > user is properly authenticated, the groups do not follow. We are using
> > OpenDS and the attribute that lists groups that a user is apart of is
> > "ismemberof". I have pulled out the updateODUGroups function and
> > populated the variables and find that I do get a match.
> >
> > Here is our match statement:
> >
> > for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> > if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match) ||
> > preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/',
> > $data[0]['ismemberof'][$i], $match))
> >
> > This is what $match gets populated with:
> >
> > Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu ) Array ( [0] =>
> > cn=vcladmin,ou=group,ou=vcl,o=odu )
> >
> > Is there a better way to debug this? I am not sure where it is breaking.
> >
> > Gerhard Hartl
> > Old Dominion University | ODU
>
- --
- ---
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAkvy8V0ACgkQV/LQcNdtPQOaowCfU8shflOBcSP6KDLLk/O2AnEz
9HsAn29UJeGUDsxBO62sXqXnuowNoiS5
=b1kw
-END PGP SIGNATURE-
RE: Cannot get LDAP grouping to work
I actually started out like that and in my trouble shooting had stripped them
off. You are correct as this now produces the following from my test code, but
I am still not getting the groups. Any other ideas on where to look or how to
debug?
Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage ) Array ( [0]
=> cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
- Gerhard
-Original Message-
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Tuesday, May 18, 2010 2:57 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
You're almost there. You need to put ()'s around the part of the regular
expression that you want to be the name of the group in VCL. I would suggest:
for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match) ||
preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match))
If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some
examples that have the ()'s in them.
preg_match puts the entire matched string into $match[0] and then any sub
matches (items surrounded by ()'s) in $match[1] through $match[n].
Josh
On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> Hello all,
>
> I have been scratching my head for a few weeks now and still cannot get vcl
> ldap groups working. I have following the instruction on the mailing list
> regarding setting up the ldap.conf and ldapauth.php and while the user is
> properly authenticated, the groups do not follow. We are using OpenDS and
> the attribute that lists groups that a user is apart of is "ismemberof".
> I have pulled out the updateODUGroups function and populated the variables
> and find that I do get a match.
>
> Here is our match statement:
>
> for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match) ||
> preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match))
>
> This is what $match gets populated with:
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu ) Array ( [0] =>
> cn=vcladmin,ou=group,ou=vcl,o=odu )
>
> Is there a better way to debug this? I am not sure where it is breaking.
>
> Gerhard Hartl
> Old Dominion University | ODU
>
- --
- ---
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAkvy4uoACgkQV/LQcNdtPQON+ACfZvEumECLLDrG5AcwkqeIyXdF
wbsAn3SKsS4/5p2RG7rZlZigAoLGI2it
=X9lN
-END PGP SIGNATURE-
Re: Cannot get LDAP grouping to work
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gerhard,
You're almost there. You need to put ()'s around the part of the regular
expression that you want to be the name of the group in VCL. I would suggest:
for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match) ||
preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match))
If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some
examples that have the ()'s in them.
preg_match puts the entire matched string into $match[0] and then any sub
matches (items surrounded by ()'s) in $match[1] through $match[n].
Josh
On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> Hello all,
>
> I have been scratching my head for a few weeks now and still cannot get vcl
> ldap groups working. I have following the instruction on the mailing list
> regarding setting up the ldap.conf and ldapauth.php and while the user is
> properly authenticated, the groups do not follow. We are using OpenDS and
> the attribute that lists groups that a user is apart of is "ismemberof".
> I have pulled out the updateODUGroups function and populated the variables
> and find that I do get a match.
>
> Here is our match statement:
>
> for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
> if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match) ||
> preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/',
> $data[0]['ismemberof'][$i], $match))
>
> This is what $match gets populated with:
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu ) Array ( [0] =>
> cn=vcladmin,ou=group,ou=vcl,o=odu )
>
> Is there a better way to debug this? I am not sure where it is breaking.
>
> Gerhard Hartl
> Old Dominion University | ODU
>
- --
- ---
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University
josh_thomp...@ncsu.edu
919-515-5323
my GPG/PGP key can be found at pgp.mit.edu
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.14 (GNU/Linux)
iEYEARECAAYFAkvy4uoACgkQV/LQcNdtPQON+ACfZvEumECLLDrG5AcwkqeIyXdF
wbsAn3SKsS4/5p2RG7rZlZigAoLGI2it
=X9lN
-END PGP SIGNATURE-
Cannot get LDAP grouping to work
Hello all,
I have been scratching my head for a few weeks now and still cannot get vcl
ldap groups working. I have following the instruction on the mailing list
regarding setting up the ldap.conf and ldapauth.php and while the user is
properly authenticated, the groups do not follow. We are using OpenDS and the
attribute that lists groups that a user is apart of is "ismemberof". I have
pulled out the
updateODUGroups function and populated the variables and find that I do get a
match.
Here is our match statement:
for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match) ||
preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/',
$data[0]['ismemberof'][$i], $match))
This is what $match gets populated with:
Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu ) Array ( [0] =>
cn=vcladmin,ou=group,ou=vcl,o=odu )
Is there a better way to debug this? I am not sure where it is breaking.
Gerhard Hartl
Old Dominion University | ODU
