That worked; thanks again, Josh.

Mike
On Wed, Feb 26, 2014 at 3:46 PM, Josh Thompson <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike,
>
> I don't remember in which version it was introduced, but you can go to
> Privileges->Additional User Permissions and grant "Manage Federated User
> Groups" to be able to see the LDAP based groups under Manage Groups. You will
> not be able to edit the membership of the groups since that part is managed
> from LDAP.
>
> Josh
>
> On Wednesday, February 26, 2014 3:03:07 PM Mike Haudenschild wrote:
> > (Apologies for the second email.) Also, is it still true that "Manage
> > Groups" only displays VCL-local groups? I *do* see the LDAP groups
> > populating when I "add group" from the privilege tree, but I just want to
> > make sure I'm not missing something.
> >
> > Thanks again,
> > Mike
> >
> > On Wed, Feb 26, 2014 at 3:00 PM, Mike Haudenschild <[email protected]> wrote:
> > > Bingo. Thank you!
> > >
> > > There's a second LDAP attribute that specifies a student's academic major.
> > > Ultimately that will probably prove as useful as the faculty/staff/student
> > > info I'm getting from 'pdsRole'. Could I duplicate the updateLDAPGroups
> > > function and run the same code against that second attribute? Or is that
> > > too clumsy an approach?
> > >
> > > Regards,
> > > Mike
> > >
> > > On Wed, Feb 26, 2014 at 12:44 PM, Josh Thompson <[email protected]> wrote:
> > >> -----BEGIN PGP SIGNED MESSAGE-----
> > >> Hash: SHA1
> > >>
> > >> Mike,
> > >>
> > >> That's interesting that it does not give the full DN for items in pdsrole.
> > >> Yes, you should be able to just match 'admin', 'employee', and 'staff'. I
> > >> think
> > >>
> > >> preg_match('/^(admin|employee|staff)$/', $data[0]['pdsrole'][$i], $match)
> > >>
> > >> will do it.
> > >>
> > >> Josh
> > >>
> > >> On Wednesday, February 26, 2014 12:22:43 PM Mike Haudenschild wrote:
> > >> > Hi Josh,
> > >> >
> > >> > Thanks for this troubleshooting tip. Getting some interesting output here,
> > >> > so I'll probably need some help writing a regex to make this work --
> > >> > assuming it's even possible. Would I just be able to match on the strings
> > >> > 'admin', 'employee', and 'staff'?
> > >> >
> > >> > NB the "memberof" attribute in this particular LDAP deployment is
> > >> > 'pdsrole'. The DN given here isn't helpful from a VCL perspective since
> > >> > everyone in the institution is a member of 'ou=People'.
> > >> >
> > >> > (begin output)
> > >> >
> > >> > Array
> > >> > (
> > >> >     [count] => 1
> > >> >     [0] => Array
> > >> >         (
> > >> >             [pdsrole] => Array
> > >> >                 (
> > >> >                     [count] => 3
> > >> >                     [0] => admin
> > >> >                     [1] => employee
> > >> >                     [2] => staff
> > >> >                 )
> > >> >
> > >> >             [0] => pdsrole
> > >> >             [count] => 1
> > >> >             [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
> > >> >         )
> > >> >
> > >> > )
> > >> >
> > >> > (end output)
> > >> >
> > >> > On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
> > >> > > -----BEGIN PGP SIGNED MESSAGE-----
> > >> > > Hash: SHA1
> > >> > >
> > >> > > Mike,
> > >> > >
> > >> > > The first thing I'd do is to put
> > >> > >
> > >> > > printArray($data);
> > >> > >
> > >> > > right after
> > >> > >
> > >> > > $data = ldap_get_entries($ds, $search);
> > >> > >
> > >> > > then go to User Lookup and look up a user that should have some group
> > >> > > memberships with the force checkbox selected. That will show you exactly
> > >> > > what is being returned by the ldap query.
> > >> > >
> > >> > > One guess related to things I've seen is that the "CN" is being returned
> > >> > > in lower case. You can add "i" to the end of the regular expression to
> > >> > > ignore case:
> > >> > >
> > >> > > if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
> > >> > >
> > >> > > If you want to join #asfvcl on freenode, I can help over IM.
> > >> > >
> > >> > > Josh
> > >> > >
> > >> > > On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
> > >> > > > This particular LDAP installation maintains group membership info in a
> > >> > > > field called "pdsrole." The groups exist as CNs in the OU "accessgroups."
> > >> > > >
> > >> > > > I'm trying to get VCL to provision the groups as per the docs
> > >> > > > (http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups) but
> > >> > > > haven't had any luck. I've been staring at this for a while and I'm sure
> > >> > > > I'm missing something obvious at this point. Any help would be appreciated.
> > >> > > >
> > >> > > > I don't know if this matters in the context of finding groups, but I had to
> > >> > > > enable "lookupuserbeforeauth" in conf.php to get LDAP logins working.
> > >> > > > (The "o=institution.edu,o=cp" is strange but actually is correct.)
> > >> > > >
> > >> > > > The function from authmethods:
> > >> > > >
> > >> > > > function updatewcldapGroups($user) {
> > >> > > >     global $authMechs;
> > >> > > >     $auth = $authMechs['wcldap'];
> > >> > > >     $ds = ldap_connect("ldap://{$auth['server']}/");
> > >> > > >     if(! $ds)
> > >> > > >         return 0;
> > >> > > >     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> > >> > > >     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
> > >> > > >     $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
> > >> > > >     if(! $res)
> > >> > > >         return 0;
> > >> > > >     $search = ldap_search($ds, $auth['binddn'],
> > >> > > >         "{$auth['unityid']}={$user['unityid']}", array('pdsrole'), 0, 10, 15);
> > >> > > >     if(! $search)
> > >> > > >         return 0;
> > >> > > >     $data = ldap_get_entries($ds, $search);
> > >> > > >     $newusergroups = array();
> > >> > > >     if(! array_key_exists('pdsrole', $data[0]))
> > >> > > >         return;
> > >> > > >     for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
> > >> > > >         if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
> > >> > > >                       $data[0]['pdsrole'][$i], $match))
> > >> > > >             array_push($newusergroups,
> > >> > > >                        getUserGroupID($match[1], $user['affiliationid']));
> > >> > > >     }
> > >> > > >     $newusergroups = array_unique($newusergroups);
> > >> > > >     updateGroups($newusergroups, $user["id"]);
> > >> > > > }
> > >> > > > ?>
> > >> > > >
> > >> > > > Thanks very much,
> > >> > > > Mike
> > >> > >
> > >> > > - --
> > >> > > - -------------------------------
> > >> > > Josh Thompson
> > >> > > VCL Developer
> > >> > > North Carolina State University
> > >> > >
> > >> > > my GPG/PGP key can be found at pgp.mit.edu
> > >> > >
> > >> > > All electronic mail messages in connection with State business which
> > >> > > are sent to or received by this account are subject to the NC Public
> > >> > > Records Law and may be disclosed to third parties.
> > >> > > -----BEGIN PGP SIGNATURE-----
> > >> > > Version: GnuPG v2.0.22 (GNU/Linux)
> > >> > >
> > >> > > iEYEARECAAYFAlMGC3EACgkQV/LQcNdtPQMcYQCeIEKrOXtg01rr+EhhrL2Amovh
> > >> > > K7gAn1EVWJL4SY6SH5Zku7NLEw0nJmQV
> > >> > > =Bm+r
> > >> > > -----END PGP SIGNATURE-----
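The thread ends with two open points: Mike's question whether to copy the updateLDAPGroups function for a second attribute (academic major), and Josh's advice to anchor the match on the literal role names. The PHP below is an added example written for this page, not Apache VCL project code. It folds both into one function that reads several attributes in a single LDAP query and maps each one through its own regular expression, and it keeps the matching logic in a pure function that can be run against a printArray() dump like the one Mike pasted. It assumes the $authMechs['wcldap'] keys, getUserGroupID() and updateGroups() exactly as they appear in the thread; the attribute name 'pdsmajor' and the sample data are constructed for illustration, and ldap_escape() requires PHP 5.6 or later.

```php
<?php
// Added example (not Apache VCL project code). Generalizes the thread's
// updatewcldapGroups() so one LDAP query fetches several attributes and each
// attribute is mapped to VCL group names by its own regular expression.
// Assumptions: $authMechs['wcldap'] carries the keys used in the thread
// (server, masterlogin, masterpwd, binddn, unityid); getUserGroupID() and
// updateGroups() are the VCL helpers the thread calls; the attribute name
// 'pdsmajor' for academic major is hypothetical.

// Attribute name => regex whose first capture group is the VCL group name.
// The ^...$ anchors stop 'staffer' or 'admin-backup' from matching 'staff'
// or 'admin'; the /i flag covers a directory that returns lower-case values.
$LDAP_GROUP_ATTRIBUTES = array(
    'pdsrole'  => '/^(admin|employee|staff)$/i',
    'pdsmajor' => '/^(.+)$/',   // hypothetical attribute: every value is a group
);

// Pure function: turn an ldap_get_entries() result into a list of group names.
// It makes no LDAP calls, so it can be exercised offline against a dump.
function ldapEntriesToGroupNames($data, $attrMap) {
    $names = array();
    if (!isset($data['count']) || $data['count'] < 1)
        return $names;                         // user not found: nothing to map
    $entry = $data[0];
    foreach ($attrMap as $attr => $regex) {
        $attr = strtolower($attr);             // ldap_get_entries() lower-cases attribute names
        if (!array_key_exists($attr, $entry))
            continue;                          // this user has no such attribute
        for ($i = 0; $i < $entry[$attr]['count']; $i++) {
            if (preg_match($regex, $entry[$attr][$i], $match))
                $names[] = $match[1];
        }
    }
    return array_values(array_unique($names));
}

function updateLdapGroupsFromAttributes($user, $attrMap) {
    global $authMechs;
    $auth = $authMechs['wcldap'];
    $ds = ldap_connect("ldap://{$auth['server']}/");
    if (!$ds)
        return 0;
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']))
        return 0;
    // Escape the login name so it cannot alter the meaning of the search
    // filter (ldap_escape() needs PHP >= 5.6).
    $uid = ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
    $search = ldap_search($ds, $auth['binddn'], "{$auth['unityid']}=$uid",
                          array_keys($attrMap), 0, 10, 15);
    if (!$search)
        return 0;
    $data = ldap_get_entries($ds, $search);
    ldap_unbind($ds);

    $names = ldapEntriesToGroupNames($data, $attrMap);
    if (count($names) == 0)
        return 0;   // mirrors the thread's function: no attribute, no change
                    // (note this leaves previously granted memberships in place)
    $ids = array();
    foreach ($names as $name)
        $ids[] = getUserGroupID($name, $user['affiliationid']);
    updateGroups(array_values(array_unique($ids)), $user['id']);
    return 1;
}

// Constructed sample in the shape of the ldap_get_entries() dump from the
// thread; the uid in the dn is a placeholder, not a real account.
$sampleData = array(
    'count' => 1,
    0 => array(
        'pdsrole' => array('count' => 3, 0 => 'admin', 1 => 'employee', 2 => 'staff'),
        0 => 'pdsrole',
        'count' => 1,
        'dn' => 'uid=PLACEHOLDER,ou=People,o=institution.edu,o=cp',
    ),
);
print_r(ldapEntriesToGroupNames($sampleData, $LDAP_GROUP_ATTRIBUTES));
```

Run the file on its own to see the group names extracted from the sample; in a deployment, call updateLdapGroupsFromAttributes($user, $LDAP_GROUP_ATTRIBUTES) where the thread's function was called. Keeping the match logic separate from the LDAP connection is what makes the regex easy to check against a printArray() dump before it touches group membership, and the anchored patterns keep a near-match such as 'staffer' from granting the 'staff' group.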
