RE: Cannot get LDAP grouping to work
Thanks for all the advice and help. I was able to get it working.

After adding the logging, I was wondering why I wasn't getting any information to the screen. I forgot about the (user.lastupdated is < 24) and reset the time for my user account and upon login it listed two ldap_bind errors. I had to put the full dn for the "masterlogin" field in the conf.php to get it to properly bind. Just the cn would not work.

Afterwards, everything started to work fine! Thanks for your hard work!

- Gerhard

-----Original Message-----
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Wednesday, May 19, 2010 12:47 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work

Gerhard,

The first thing I'd suggest is logging in to the database and checking for the existence of the groups in the usergroup table. If the groups are there, it may be that they have a different affiliation than the user you are using to check for them. In that case, set View User Groups to "from all affiliations" under User Preferences->General Preferences.

If they are not there, here's what I'd do. In updateODUGroups, add

    print "affiliationid of user id: {$user['affiliationid']}\n";

before the "for" loop, add {}'s to the "if" statement in the "for" loop; then add

    print "new group to add: {$match[1]}\n";

after array_push is called; finally, add

    print "user group ids:\n";
    printArray($newusergroups);

after

    $newusergroups = array_unique($newusergroups);

The last thing you'll need to do is to make sure user.lastupdated is > 24 hours old for the user you are testing LDAP with.

Let me know what you find.

Josh
Re: Cannot get LDAP grouping to work
Gerhard,

The first thing I'd suggest is logging in to the database and checking for the existence of the groups in the usergroup table. If the groups are there, it may be that they have a different affiliation than the user you are using to check for them. In that case, set View User Groups to "from all affiliations" under User Preferences->General Preferences.

If they are not there, here's what I'd do. In updateODUGroups, add

    print "affiliationid of user id: {$user['affiliationid']}\n";

before the "for" loop, add {}'s to the "if" statement in the "for" loop; then add

    print "new group to add: {$match[1]}\n";

after array_push is called; finally, add

    print "user group ids:\n";
    printArray($newusergroups);

after

    $newusergroups = array_unique($newusergroups);

The last thing you'll need to do is to make sure user.lastupdated is > 24 hours old for the user you are testing LDAP with.

Let me know what you find.

Josh

On Wednesday May 19, 2010, Hartl, Gerhard L. wrote:
> I have been checking the privileges page for the groups. I have been
> trying to add var_dumps to the ldapauth.php, but I'm not getting anything
> to the screen.
>
> - Gerhard
> 757.683.6980 | gha...@odu.edu | occs.odu.edu
RE: Cannot get LDAP grouping to work
I have been checking the privileges page for the groups. I have been trying to add var_dumps to the ldapauth.php, but I'm not getting anything to the screen.

- Gerhard
757.683.6980 | gha...@odu.edu | occs.odu.edu

-----Original Message-----
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Tuesday, May 18, 2010 3:58 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work

Gerhard,

Where in VCL are you looking to see if the groups have been created? Groups created from LDAP sources do not appear on the Manage Groups page since their creation/membership is managed via LDAP. You can either look directly in the database, or go to the privileges page and click on the "Add Group" button to see if they are in the list.

Josh
Re: Cannot get LDAP grouping to work
Gerhard,

Where in VCL are you looking to see if the groups have been created? Groups created from LDAP sources do not appear on the Manage Groups page since their creation/membership is managed via LDAP. You can either look directly in the database, or go to the privileges page and click on the "Add Group" button to see if they are in the list.

Josh

On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> I actually started out like that and in my troubleshooting had stripped
> them off. You are correct as this now produces the following from my test
> code, but I am still not getting the groups. Any other ideas on where to
> look or how to debug?
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage )
> Array ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )
>
> - Gerhard

--
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
RE: Cannot get LDAP grouping to work
I actually started out like that and in my troubleshooting had stripped them off. You are correct as this now produces the following from my test code, but I am still not getting the groups. Any other ideas on where to look or how to debug?

Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu [1] => vclimage )
Array ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu [1] => vcladmin )

- Gerhard

-----Original Message-----
From: Josh Thompson [mailto:josh_thomp...@ncsu.edu]
Sent: Tuesday, May 18, 2010 2:57 PM
To: vcl-dev@incubator.apache.org
Subject: Re: Cannot get LDAP grouping to work

Gerhard,

You're almost there. You need to put ()'s around the part of the regular expression that you want to be the name of the group in VCL. I would suggest:

    for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
       if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match) ||
          preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match))

If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some examples that have the ()'s in them.

preg_match puts the entire matched string into $match[0] and then any sub matches (items surrounded by ()'s) in $match[1] through $match[n].

Josh
Re: Cannot get LDAP grouping to work
Gerhard,

You're almost there. You need to put ()'s around the part of the regular expression that you want to be the name of the group in VCL. I would suggest:

    for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
       if(preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match) ||
          preg_match('/^cn=(vclimage),ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match))

If you look at updateEXAMPLE1Groups in the unmodified code, you'll see some examples that have the ()'s in them.

preg_match puts the entire matched string into $match[0] and then any sub matches (items surrounded by ()'s) in $match[1] through $match[n].

Josh

On Tuesday May 18, 2010, Hartl, Gerhard L. wrote:
> Hello all,
>
> I have been scratching my head for a few weeks now and still cannot get vcl
> ldap groups working. I have been following the instructions on the mailing
> list regarding setting up the ldap.conf and ldapauth.php and while the user
> is properly authenticated, the groups do not follow. We are using OpenDS and
> the attribute that lists groups that a user is a part of is "ismemberof".
> I have pulled out the updateODUGroups function and populated the variables
> and find that I do get a match.
>
> Here is our match statement:
>
>     for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
>        if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match) ||
>           preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match))
>
> This is what $match gets populated with:
>
> Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu )
> Array ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu )
>
> Is there a better way to debug this? I am not sure where it is breaking.
>
> Gerhard Hartl
> Old Dominion University | ODU

--
Josh Thompson
Systems Programmer
Advanced Computing | VCL Developer
North Carolina State University

josh_thomp...@ncsu.edu
919-515-5323

my GPG/PGP key can be found at pgp.mit.edu
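The capture-group behaviour described in the reply above, as an added example that is not part of the original thread and not VCL's own code. The function name groupsFromMemberOf and its $allowed parameter are hypothetical, and $data is a constructed sample in the array shape that ldap_get_entries() returns, using the DNs quoted in the thread.

```php
<?php
// Added example, not VCL code. groupsFromMemberOf() and $allowed are
// hypothetical names; $data below is a constructed sample.

function groupsFromMemberOf(array $data, array $allowed): array
{
    // No membership attribute on the entry: nothing to map.
    if (!isset($data[0]['ismemberof']['count'])) {
        return array();
    }

    // Quote each allowed cn so it is matched literally inside the pattern.
    $quoted = array_map(function ($cn) {
        return preg_quote($cn, '/');
    }, $allowed);

    // ^ and $ require the whole DN to match; the () around the cn value
    // is what makes preg_match() fill $match[1] with the group name.
    $pattern = '/^cn=(' . implode('|', $quoted) . '),ou=group,ou=vcl,o=odu$/';

    $groups = array();
    for ($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
        if (preg_match($pattern, $data[0]['ismemberof'][$i], $match)) {
            $groups[] = $match[1];
        }
    }
    return array_values(array_unique($groups));
}

$data = array(
    'count' => 1,
    0 => array(
        'ismemberof' => array(
            'count' => 4,
            0 => 'cn=vclimage,ou=group,ou=vcl,o=odu',
            1 => 'cn=vcladmin,ou=group,ou=vcl,o=odu',
            // Constructed values that must not become VCL groups:
            2 => 'cn=staff,ou=group,ou=vcl,o=odu',
            3 => 'cn=vcladmin,ou=group,ou=other,o=odu',
        ),
    ),
);

// Same DN, matched by the pattern without and with the capture group.
$dn = 'cn=vcladmin,ou=group,ou=vcl,o=odu';
preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/', $dn, $noCapture);
preg_match('/^cn=(vcladmin),ou=group,ou=vcl,o=odu$/', $dn, $withCapture);

// Without (), $match has only index 0, so there is no $match[1] to use
// as the group name even though the match itself succeeded.
echo "without (): ", count($noCapture), " element(s) in \$match\n";
echo "with ():    ", count($withCapture), " element(s) in \$match\n";
print_r(groupsFromMemberOf($data, array('vcladmin', 'vclimage')));
```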
Cannot get LDAP grouping to work
Hello all,

I have been scratching my head for a few weeks now and still cannot get vcl ldap groups working. I have been following the instructions on the mailing list regarding setting up the ldap.conf and ldapauth.php and while the user is properly authenticated, the groups do not follow. We are using OpenDS and the attribute that lists groups that a user is a part of is "ismemberof". I have pulled out the updateODUGroups function and populated the variables and find that I do get a match.

Here is our match statement:

    for($i = 0; $i < $data[0]['ismemberof']['count']; $i++) {
       if(preg_match('/^cn=vcladmin,ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match) ||
          preg_match('/^cn=vclimage,ou=group,ou=vcl,o=odu$/', $data[0]['ismemberof'][$i], $match))

This is what $match gets populated with:

Array ( [0] => cn=vclimage,ou=group,ou=vcl,o=odu )
Array ( [0] => cn=vcladmin,ou=group,ou=vcl,o=odu )

Is there a better way to debug this? I am not sure where it is breaking.

Gerhard Hartl
Old Dominion University | ODU