Hi Josh,
Thanks for this troubleshooting tip. Getting some interesting output here,
so I'll probably need some help writing a regex to make this work --
assuming it's even possible. Would I just be able to match on the strings
'admin', 'employee', and 'staff'?
NB the "memberof" attribute in this particular LDAP deployment is
'pdsrole'. The DN given here isn't helpful from a VCL perspective since
everyone in the institution is a member of 'ou=People'.
(begin output)
Array
(
    [count] => 1
    [0] => Array
        (
            [pdsrole] => Array
                (
                    [count] => 3
                    [0] => admin
                    [1] => employee
                    [2] => staff
                )
            [0] => pdsrole
            [count] => 1
            [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
        )
)
(end output)
On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike,
>
> The first thing I'd do is to put
>
> printArray($data);
>
> right after
>
> $data = ldap_get_entries($ds, $search);
>
> then go to User Lookup and look up a user that should have some group
> memberships with the force checkbox selected. That will show you exactly
> what is being returned by the ldap query.
>
> One guess related to things I've seen is that the "CN" is being returned in
> lower case. You can add "i" to the end of the regular expression to ignore
> case:
>
> if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
>
> If you want to join #asfvcl on freenode, I can help over IM.
>
> Josh
>
> On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
> > This particular LDAP installation maintains group membership info in a
> > field called "pdsrole." The groups exist as CNs in the OU "accessgroups."
> > I'm trying to get VCL to provision the groups as per the docs (
> > http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups) but
> > haven't had any luck. I've been staring at this for a while and I'm sure
> > I'm missing something obvious at this point. Any help would be
> > appreciated.
> >
> > I don't know if this matters in the context of finding groups, but I had
> > to enable "lookupuserbeforeauth" in conf.php to get LDAP logins working.
> >
> > (The "o=institution.edu,o=cp" is strange but actually is correct.)
> >
> > The function from authmethods:
> >
> > function updatewcldapGroups($user) {
> >     global $authMechs;
> >     $auth = $authMechs['wcldap'];
> >     $ds = ldap_connect("ldap://{$auth['server']}/");
> >     if(! $ds)
> >         return 0;
> >     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> >     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
> >
> >     $res = ldap_bind($ds, $auth['masterlogin'],
> >                      $auth['masterpwd']);
> >     if(! $res)
> >         return 0;
> >
> >     $search = ldap_search($ds,
> >                           $auth['binddn'],
> >                           "{$auth['unityid']}={$user['unityid']}",
> >                           array('pdsrole'), 0, 10, 15);
> >     if(! $search)
> >         return 0;
> >
> >     $data = ldap_get_entries($ds, $search);
> >     $newusergroups = array();
> >     if(! array_key_exists('pdsrole', $data[0]))
> >         return;
> >     for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
> >         if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
> >                       $data[0]['pdsrole'][$i], $match))
> >             array_push($newusergroups,
> >                        getUserGroupID($match[1], $user['affiliationid']));
> >     }
> >     $newusergroups = array_unique($newusergroups);
> >     updateGroups($newusergroups, $user["id"]);
> > }
> > ?>
> >
> > Thanks very much,
> > Mike
> - --
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
>
> my GPG/PGP key can be found at pgp.mit.edu
>
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.22 (GNU/Linux)
>
> iEYEARECAAYFAlMGC3EACgkQV/LQcNdtPQMcYQCeIEKrOXtg01rr+EhhrL2Amovh
> K7gAn1EVWJL4SY6SH5Zku7NLEw0nJmQV
> =Bm+r
> -----END PGP SIGNATURE-----
>
>
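The thread shows why the original regex never matches: the 'pdsrole' values come back as bare strings ('admin', 'employee', 'staff'), not as DNs under ou=accessgroups, so a pattern anchored on "CN=...,ou=accessgroups,..." has nothing to match. The following is an added example written for this page; it is not code from the VCL project or from either poster. It replaces the DN-anchored preg_match with an anchored, case-insensitive allowlist match so that only the three known role names map to VCL groups (a value such as 'administrator' or an unexpected role is ignored rather than silently becoming a new group), and it also accepts the DN form the original regex expected, which goes slightly beyond the bare-string case seen in the output. The $entries array is constructed to mirror the printArray() output above; extractAllowedRoles() is a hypothetical helper name.

```php
<?php
// Added example (not VCL project code): map the 'pdsrole' values returned
// by ldap_get_entries() onto VCL group names using an anchored allowlist.

/**
 * Return the roles in $entries that appear in $allowedRoles, lower-cased
 * and de-duplicated. Accepts bare role strings ("admin") and DN-style
 * values ("CN=admin,ou=accessgroups,o=institution.edu,o=cp"); any other
 * value is ignored so unknown roles never turn into VCL groups.
 */
function extractAllowedRoles(array $entries, array $allowedRoles)
{
    $found = array();
    if ($entries['count'] < 1 || !array_key_exists('pdsrole', $entries[0])) {
        return $found;
    }

    // One anchored, case-insensitive alternation built from the allowlist.
    // preg_quote() keeps any regex metacharacters in a role name literal.
    $alt  = implode('|', array_map(function ($r) { return preg_quote($r, '/'); },
                                   $allowedRoles));
    $bare = '/^(' . $alt . ')$/i';
    $dn   = '/^CN=(' . $alt . '),ou=accessgroups,o=institution\.edu,o=cp$/i';

    $roles = $entries[0]['pdsrole'];
    for ($i = 0; $i < $roles['count']; $i++) {
        $value = trim($roles[$i]);
        if (preg_match($bare, $value, $m) || preg_match($dn, $value, $m)) {
            // Normalise to one spelling so 'Admin' and 'admin' are one group.
            $found[] = strtolower($m[1]);
        }
    }
    return array_values(array_unique($found));
}

// Constructed sample in the shape ldap_get_entries() returns. The first three
// role values are the ones shown in the thread; the last two are added here
// to show an unknown role being rejected and a DN-form value being accepted.
$entries = array(
    'count' => 1,
    0 => array(
        'pdsrole' => array(
            'count' => 5,
            0 => 'admin',
            1 => 'employee',
            2 => 'staff',
            3 => 'administrator',                                   // not allowlisted
            4 => 'CN=Staff,ou=accessgroups,o=institution.edu,o=cp', // DN form
        ),
        0 => 'pdsrole',
        'count' => 1,
        'dn' => 'uid=290933460177932,ou=People,o=institution.edu,o=cp',
    ),
);

print_r(extractAllowedRoles($entries, array('admin', 'employee', 'staff')));
```

Run against the constructed sample this yields admin, employee and staff once each: 'administrator' is dropped because the pattern is anchored with ^ and $ rather than matching a substring, and the DN-form 'Staff' collapses into the existing 'staff' entry. Inside updatewcldapGroups() the loop over $data[0]['pdsrole'] would be replaced by a call to this helper on $data, with each returned name passed to getUserGroupID($name, $user['affiliationid']) as the original code does; keeping the allowlist in the auth configuration rather than hard-coded is the natural next step.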