(Apologies for the second email.) Also, is it still true that "Manage Groups" only displays VCL-local groups? I *do* see the LDAP groups populating when I "add group" from the privilege tree, but I just want to make sure I'm not missing something.
Thanks again,
Mike

On Wed, Feb 26, 2014 at 3:00 PM, Mike Haudenschild <[email protected]> wrote:

> Bingo. Thank you!
>
> There's a second LDAP attribute that specifies a student's academic major.
> Ultimately that will probably prove as useful as the faculty/staff/student
> info I'm getting from 'pdsRole'. Could I duplicate the updateLDAPGroups
> function and run the same code against that second attribute? Or is that
> too clumsy an approach?
>
> Regards,
> Mike
>
> On Wed, Feb 26, 2014 at 12:44 PM, Josh Thompson <[email protected]> wrote:
>
>> Mike,
>>
>> That's interesting that it does not give the full DN for items in pdsrole.
>> Yes, you should be able to just match 'admin', 'employee', and 'staff'. I
>> think
>>
>> preg_match('/^(admin|employee|staff)$/', $data[0]['pdsrole'][$i], $match)
>>
>> will do it.
>>
>> Josh
>>
>> On Wednesday, February 26, 2014 12:22:43 PM Mike Haudenschild wrote:
>> > Hi Josh,
>> >
>> > Thanks for this troubleshooting tip. Getting some interesting output here,
>> > so I'll probably need some help writing a regex to make this work --
>> > assuming it's even possible. Would I just be able to match on the strings
>> > 'admin', 'employee', and 'staff'?
>> >
>> > NB the "memberof" attribute in this particular LDAP deployment is
>> > 'pdsrole'. The DN given here isn't helpful from a VCL perspective since
>> > everyone in the institution is a member of 'ou=People'.
>> >
>> > (begin output)
>> >
>> > Array
>> > (
>> >     [count] => 1
>> >     [0] => Array
>> >         (
>> >             [pdsrole] => Array
>> >                 (
>> >                     [count] => 3
>> >                     [0] => admin
>> >                     [1] => employee
>> >                     [2] => staff
>> >                 )
>> >
>> >             [0] => pdsrole
>> >             [count] => 1
>> >             [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
>> >         )
>> >
>> > )
>> >
>> > (end output)
>> >
>> > On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
>> > > Mike,
>> > >
>> > > The first thing I'd do is to put
>> > >
>> > > printArray($data);
>> > >
>> > > right after
>> > >
>> > > $data = ldap_get_entries($ds, $search);
>> > >
>> > > then go to User Lookup and look up a user that should have some group
>> > > memberships with the force checkbox selected. That will show you exactly
>> > > what is being returned by the ldap query.
>> > >
>> > > One guess related to things I've seen is that the "CN" is being returned
>> > > in lower case. You can add "i" to the end of the regular expression to
>> > > ignore case:
>> > >
>> > > if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
>> > >
>> > > If you want to join #asfvcl on freenode, I can help over IM.
>> > >
>> > > Josh
>> > >
>> > > On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
>> > > > This particular LDAP installation maintains group membership info in a
>> > > > field called "pdsrole." The groups exist as CNs in the OU "accessgroups."
>> > > > I'm trying to get VCL to provision the groups as per the docs
>> > > > (http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups) but
>> > > > haven't had any luck. I've been staring at this for awhile and I'm sure
>> > > > I'm missing something obvious at this point. Any help would be appreciated.
>> > > >
>> > > > I don't know if this matters in the context of finding groups, but I had to
>> > > > enable "lookupuserbeforeauth" in conf.php to get LDAP logins working.
>> > > >
>> > > > (The "o=institution.edu,o=cp" is strange but actually is correct.)
>> > > >
>> > > > The function from authmethods:
>> > > >
>> > > > function updatewcldapGroups($user) {
>> > > >     global $authMechs;
>> > > >     $auth = $authMechs['wcldap'];
>> > > >     $ds = ldap_connect("ldap://{$auth['server']}/");
>> > > >     if(! $ds)
>> > > >         return 0;
>> > > >     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>> > > >     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
>> > > >
>> > > >     $res = ldap_bind($ds, $auth['masterlogin'],
>> > > >                      $auth['masterpwd']);
>> > > >     if(! $res)
>> > > >         return 0;
>> > > >
>> > > >     $search = ldap_search($ds,
>> > > >                           $auth['binddn'],
>> > > >                           "{$auth['unityid']}={$user['unityid']}",
>> > > >                           array('pdsrole'), 0, 10, 15);
>> > > >     if(! $search)
>> > > >         return 0;
>> > > >
>> > > >     $data = ldap_get_entries($ds, $search);
>> > > >     $newusergroups = array();
>> > > >     if(! array_key_exists('pdsrole', $data[0]))
>> > > >         return;
>> > > >     for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
>> > > >         if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
>> > > >                       $data[0]['pdsrole'][$i], $match))
>> > > >             array_push($newusergroups,
>> > > >                        getUserGroupID($match[1], $user['affiliationid']));
>> > > >     }
>> > > >     $newusergroups = array_unique($newusergroups);
>> > > >     updateGroups($newusergroups, $user["id"]);
>> > > > }
>> > > > ?>
>> > > >
>> > > > Thanks very much,
>> > > > Mike
>> > >
>> > > --
>> > > -------------------------------
>> > > Josh Thompson
>> > > VCL Developer
>> > > North Carolina State University
>> > >
>> > > my GPG/PGP key can be found at pgp.mit.edu
>> > >
>> > > All electronic mail messages in connection with State business which
>> > > are sent to or received by this account are subject to the NC Public
>> > > Records Law and may be disclosed to third parties.
>>
>> --
>> -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
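
The group-matching step discussed in this thread, as an added example that is not part of the original messages or of VCL: one helper applies anchored patterns to any attribute of an `ldap_get_entries()` result, so a second attribute needs a rule rather than a copied function. The attribute name `pdsMajor`, the helper names and the sample entry are assumptions made up for illustration.

```php
<?php
// Added example, not VCL code. $entry mimics one element of what
// ldap_get_entries() returns; all values are constructed. 'pdsMajor' is a
// hypothetical name for the second attribute mentioned in the thread.

// Collect capture group 1 of $pattern from every value of one attribute.
function groupNamesFromAttr(array $entry, string $attr, string $pattern): array {
    $attr = strtolower($attr);      // ldap_get_entries() lowercases attribute keys
    if (!isset($entry[$attr]['count']))
        return array();             // attribute absent: no groups, no error
    $names = array();
    for ($i = 0; $i < $entry[$attr]['count']; $i++) {
        if (preg_match($pattern, $entry[$attr][$i], $match) === 1)
            $names[] = $match[1];
    }
    return $names;
}

// Apply every (attribute, pattern) rule and return the de-duplicated names.
function mirrorGroupNames(array $entry, array $rules): array {
    $all = array();
    foreach ($rules as $rule)
        $all = array_merge($all, groupNamesFromAttr($entry, $rule[0], $rule[1]));
    return array_values(array_unique($all));
}

// One rule table instead of one copied function per attribute. Every pattern
// is anchored with ^ and $ so a partial match never becomes a membership.
$rules = array(
    // bare role strings, as in the printArray() output in the thread
    array('pdsRole', '/^(admin|employee|staff)$/i'),
    // full-DN form: dots escaped, CN may not span a comma
    array('pdsRole', '/^CN=([^,]+),ou=accessgroups,o=institution\.edu,o=cp$/i'),
    // hypothetical major attribute: short allowlisted character set only
    array('pdsMajor', '/^([A-Za-z][A-Za-z0-9 _-]{0,63})$/'),
);

$entry = array(                     // constructed sample entry
    'pdsrole'  => array('count' => 4, 'admin', 'staff', 'nonstaff',
                        'CN=lab1,ou=accessgroups,o=institutionXedu,o=cp'),
    'pdsmajor' => array('count' => 1, 'Biology'),
    'dn'       => 'uid=0000,ou=People,o=institution.edu,o=cp',
);

// In VCL each name would then go through getUserGroupID(), as in the
// function posted in the thread.
print_r(mirrorGroupNames($entry, $rules));
```

The constructed values `nonstaff` and the DN containing `institutionXedu` are there to show what the anchors and the escaped dot reject; an unanchored pattern or an unescaped `.` would turn both into group memberships.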
