Hi Josh,

Thanks -- hilariously, the VCL zeitgeist was at work, and as you noted I
discovered that updateGroups was deleting the previous groups and started
building a single function this morning.  The following ldapauth.php
function is tested and works (may not be the most elegant, however).  Just
having skimmed what you wrote, it looks very similar structurally.  I've
retained my comments and some of the intermediate printArray's I used for
troubleshooting.  Also NB for anyone who might see this thread in the
future, this particular LDAP deployment is NOT using LDAPS, so you'd want
to replace all instances of 'ldap://' with 'ldaps://'.


function updatewcldapGroups($user) {
        global $authMechs;
        $auth = $authMechs['Campus Username'];
        $ds = ldap_connect("ldap://{$auth['server']}/");
        if(! $ds)
                return 0;
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

        $res = ldap_bind($ds, $auth['masterlogin'],
                          $auth['masterpwd']);
        if(! $res)
                return 0;

// mth - relocated creating the newusergroups array; both searches below
// fill it and it is handed to updateGroups() exactly once at the end
        $newusergroups = array();

// BEGIN LDAP GROUPS - PDSROLE
        $search = ldap_search($ds,
                              $auth['binddn'],
                              "{$auth['unityid']}={$user['unityid']}",
                              array('pdsrole'), 0, 10, 15);
        if(! $search)
                return 0;

        $data = ldap_get_entries($ds, $search);
// mth - troubleshooting - print ldap results
//      printArray($data);
// pdsrole values are bare role names (no DN), so match the whole value;
// a missing attribute skips this block rather than returning, otherwise
// the majors below would never be processed
        if($data['count'] > 0 && array_key_exists('pdsrole', $data[0])) {
                for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
                        if(preg_match('/^(admin|employee|staff|faculty|student)$/',
                                      $data[0]['pdsrole'][$i], $match))
                                array_push($newusergroups,
                                           getUserGroupID($match[1], $user['affiliationid']));
                }
        }

// BEGIN LDAP GROUPS - ACADEMICMAJOR
        $search_major = ldap_search($ds,
                              $auth['binddn'],
                              "{$auth['unityid']}={$user['unityid']}",
                              array('pdsacademicmajor'), 0, 10, 15);
// a failed major lookup must not abort: the roles collected above still
// have to reach updateGroups(), so skip this block instead of returning
        if($search_major) {
                $data_major = ldap_get_entries($ds, $search_major);
// mth - troubleshooting - print ldap results for majors
//      printArray($data_major);
                if($data_major['count'] > 0 &&
                   array_key_exists('pdsacademicmajor', $data_major[0])) {
                        for($j = 0; $j < $data_major[0]['pdsacademicmajor']['count']; $j++) {
// capture group 1 is the whole DN, which becomes the VCL group name;
// $match[2] holds just the CN if a shorter group name is preferred
                                if(preg_match('/^(cn=(.+),ou=Major,o=institution.edu)$/',
                                              $data_major[0]['pdsacademicmajor'][$j], $match))
                                        array_push($newusergroups,
                                                   getUserGroupID($match[1], $user['affiliationid']));
                        }
                }
        }

        $newusergroups = array_unique($newusergroups);
// mth - troubleshooting - print array of VCL groups to be passed to
// updategroups function
//      printArray($newusergroups);
        updateGroups($newusergroups, $user["id"]);
}



On Mon, Mar 3, 2014 at 10:36 AM, Josh Thompson <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Mike,
>
> Sorry, I gave you bad advice.  I forgot that the updateGroups function
> called at the end of the functions you are working with deletes all of the
> user's group memberships (of LDAP based groups).  So, instead of having 2
> functions, just combine the contents of the 2 functions into a single
> function.  You'll need to make sure you only set $newusergroups to an empty
> array once and that you only call updateGroups once.  So, something like
> the following (untested) code:
>
>
> function updateEXAMPLE1Groups($user) {
>    global $authMechs;
>
>    $auth = $authMechs['EXAMPLE1 LDAP'];
>    $ds = ldap_connect("ldaps://{$auth['server']}/");
>    if(! $ds)
>       return 0;
>    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
>
>    $res = ldap_bind($ds, $auth['masterlogin'],
>                      $auth['masterpwd']);
>    if(! $res)
>       return 0;
>
>    $search = ldap_search($ds,
>                          $auth['binddn'],
>                          "{$auth['unityid']}={$user['unityid']}",
>                          array('memberof'), 0, 10, 15);
>
>    $newusergroups = array();
>
>    if($search) {
>
>       $data = ldap_get_entries($ds, $search);
>       if(! array_key_exists('memberof', $data[0]))
>          return;
>       for($i = 0; $i < $data[0]['memberof']['count']; $i++) {
>          if(preg_match('/^CN=(.+),OU=CourseRolls,DC=example1,DC=com/',
>                        $data[0]['memberof'][$i], $match) ||
>             preg_match('/^CN=(Students_Enrolled),OU=Students,DC=example1,DC=com$/',
>                        $data[0]['memberof'][$i], $match) ||
>             preg_match('/^CN=(Staff),OU=IT,DC=example1,DC=com$/',
>                        $data[0]['memberof'][$i], $match))
>             array_push($newusergroups, getUserGroupID($match[1],
>                                                       $user['affiliationid']));
>       }
>    }
>
>
>    $search = ldap_search($ds,
>                          $auth['binddn'],
>                          "{$auth['unityid']}={$user['unityid']}",
>                          array('memberof'), 0, 10, 15);
>    if(! $search) {
>       if(count($newusergroups)) {
>          $newusergroups = array_unique($newusergroups);
>          updateGroups($newusergroups, $user["id"]);
>       }
>       return;
>    }
>
>    $data = ldap_get_entries($ds, $search);
>    if(! array_key_exists('memberof', $data[0]))
>       return;
>    for($i = 0; $i < $data[0]['memberof']['count']; $i++) {
>       if(preg_match('/^CN=(.+),OU=CourseRolls,DC=example1,DC=com/',
>                     $data[0]['memberof'][$i], $match) ||
>          preg_match('/^CN=(Students_Enrolled),OU=Students,DC=example1,DC=com$/',
>                     $data[0]['memberof'][$i], $match) ||
>          preg_match('/^CN=(Staff),OU=IT,DC=example1,DC=com$/',
>                     $data[0]['memberof'][$i], $match))
>          array_push($newusergroups, getUserGroupID($match[1],
>                                                    $user['affiliationid']));
>    }
>
>    $newusergroups = array_unique($newusergroups);
>    updateGroups($newusergroups, $user["id"]);
> }
>
>
>
> Josh
>
> On Friday, February 28, 2014 11:51:22 AM Mike Haudenschild wrote:
> > Hi Josh,
> >
> > I've duplicated the function, and changed the switch to:
> >
> >  switch(getAffiliationName($affilid)) {
> >                 case 'wcldap':
> >                         updatewcldapGroups($user);
> >                         updatewcldapGroupsMajors($user);
> >                         break;
> >
> > However, the user is only getting added to the group created by the
> > second function (GroupsMajors).  If I comment out the second call, the
> > user's properly added to the group created by the first function
> > (Groups).  I'm guessing my syntax here is bad, or that there's a global
> > being used that gets blown away when the second function runs.
> >
> > Thanks,
> > Mike
> >
> > On Wed, Feb 26, 2014 at 3:44 PM, Josh Thompson <[email protected]> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Mike,
> > >
> > > Duplicating the function to pull info about the student's academic
> > > major is probably the simplest way to do things.
> > >
> > > Josh
> > >
> > > On Wednesday, February 26, 2014 3:00:01 PM Mike Haudenschild wrote:
> > > > Bingo.  Thank you!
> > > >
> > > > There's a second LDAP attribute that specifies a student's academic
> > > > major.  Ultimately that will probably prove as useful as the
> > > > faculty/staff/student info I'm getting from 'pdsRole'.  Could I
> > > > duplicate the updateLDAPGroups function and run the same code against
> > > > that second attribute?  Or is that too clumsy an approach?
> > > >
> > > > Regards,
> > > > Mike
> > > >
> > > > On Wed, Feb 26, 2014 at 12:44 PM, Josh Thompson <[email protected]> wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Mike,
> > > > >
> > > > > That's interesting that it does not give the full DN for items in
> > > > > pdsrole.
> > > > >
> > > > > Yes, you should be able to just match 'admin', 'employee', and
> > > > > 'staff'.  I think
> > > > >
> > > > > preg_match('/^(admin|employee|staff)$/', $data[0]['pdsrole'][$i], $match)
> > > > >
> > > > > will do it.
> > > > >
> > > > > Josh
> > > > >
> > > > > On Wednesday, February 26, 2014 12:22:43 PM Mike Haudenschild wrote:
> > > > > > Hi Josh,
> > > > > >
> > > > > > Thanks for this troubleshooting tip.  Getting some interesting
> > > > > > output here, so I'll probably need some help writing a regex to
> > > > > > make this work -- assuming it's even possible.  Would I just be
> > > > > > able to match on the strings 'admin', 'employee', and 'staff'?
> > > > > >
> > > > > > NB the "memberof" attribute in this particular LDAP deployment is
> > > > > > 'pdsrole'.  The DN given here isn't helpful from a VCL perspective
> > > > > > since everyone in the institution is a member of 'ou=People'.
> > > > > >
> > > > > > (begin output)
> > > > > >
> > > > > > Array
> > > > > > (
> > > > > >
> > > > > >     [count] => 1
> > > > > >     [0] => Array
> > > > > >
> > > > > >         (
> > > > > >
> > > > > >             [pdsrole] => Array
> > > > > >
> > > > > >                 (
> > > > > >
> > > > > >                     [count] => 3
> > > > > >                     [0] => admin
> > > > > >                     [1] => employee
> > > > > >                     [2] => staff
> > > > > >
> > > > > >                 )
> > > > > >
> > > > > >             [0] => pdsrole
> > > > > >             [count] => 1
> > > > > >             [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
> > > > > >         )
> > > > > >
> > > > > > )
> > > > > >
> > > > > > (end output)
> > > > > >
> > > > > > On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
> > > > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > > > Hash: SHA1
> > > > > > >
> > > > > > > Mike,
> > > > > > >
> > > > > > > The first thing I'd do is to put
> > > > > > >
> > > > > > > printArray($data);
> > > > > > >
> > > > > > > right after
> > > > > > >
> > > > > > > $data = ldap_get_entries($ds, $search);
> > > > > > >
> > > > > > > then go to User Lookup and look up a user that should have some
> > > > > > > group memberships with the force checkbox selected.  That will
> > > > > > > show you exactly what is being returned by the ldap query.
> > > > > > >
> > > > > > > One guess related to things I've seen is that the "CN" is being
> > > > > > > returned in lower case.  You can add "i" to the end of the
> > > > > > > regular expression to ignore case:
> > > > > > >
> > > > > > > if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
> > > > > > >
> > > > > > > If you want to join #asfvcl on freenode, I can help over IM.
> > > > > > >
> > > > > > > Josh
> > > > > > >
> > > > > > > On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
> > > > > > > > This particular LDAP installation maintains group membership
> > > > > > > > info in a field called "pdsrole."  The groups exist as CNs in
> > > > > > > > the OU "accessgroups."  I'm trying to get VCL to provision the
> > > > > > > > groups as per the docs
> > > > > > > > (http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups)
> > > > > > > > but haven't had any luck.  I've been staring at this for a
> > > > > > > > while and I'm sure I'm missing something obvious at this
> > > > > > > > point.  Any help would be appreciated.
> > > > > > > >
> > > > > > > > I don't know if this matters in the context of finding groups,
> > > > > > > > but I had to enable "lookupuserbeforeauth" in conf.php to get
> > > > > > > > LDAP logins working.
> > > > > > > >
> > > > > > > > (The "o=institution.edu,o=cp" is strange but actually is
> > > > > > > > correct.)
> > > > > > > >
> > > > > > > > The function from authmethods:
> > > > > > > >
> > > > > > > > function updatewcldapGroups($user) {
> > > > > > > >         global $authMechs;
> > > > > > > >         $auth = $authMechs['wcldap'];
> > > > > > > >         $ds = ldap_connect("ldap://{$auth['server']}/");
> > > > > > > >         if(! $ds)
> > > > > > > >                 return 0;
> > > > > > > >         ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> > > > > > > >         ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
> > > > > > > >
> > > > > > > >         $res = ldap_bind($ds, $auth['masterlogin'],
> > > > > > > >                           $auth['masterpwd']);
> > > > > > > >         if(! $res)
> > > > > > > >                 return 0;
> > > > > > > >
> > > > > > > >         $search = ldap_search($ds,
> > > > > > > >                               $auth['binddn'],
> > > > > > > >                               "{$auth['unityid']}={$user['unityid']}",
> > > > > > > >                               array('pdsrole'), 0, 10, 15);
> > > > > > > >         if(! $search)
> > > > > > > >                 return 0;
> > > > > > > >
> > > > > > > >         $data = ldap_get_entries($ds, $search);
> > > > > > > >         $newusergroups = array();
> > > > > > > >         if(! array_key_exists('pdsrole', $data[0]))
> > > > > > > >                 return;
> > > > > > > >         for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
> > > > > > > >                 if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
> > > > > > > >                               $data[0]['pdsrole'][$i], $match))
> > > > > > > >                         array_push($newusergroups,
> > > > > > > >                                    getUserGroupID($match[1], $user['affiliationid']));
> > > > > > > >         }
> > > > > > > >         $newusergroups = array_unique($newusergroups);
> > > > > > > >         updateGroups($newusergroups, $user["id"]);
> > > > > > > > }
> > > > > > > > ?>
> > > > > > > >
> > > > > > > > Thanks very much,
> > > > > > > > Mike
> > > > > > >
> > > > > > > - --
> > > > > > > - -------------------------------
> > > > > > > Josh Thompson
> > > > > > > VCL Developer
> > > > > > > North Carolina State University
> > > > > > >
> > > > > > > my GPG/PGP key can be found at pgp.mit.edu
> > > > > > >
> > > > > > > All electronic mail messages in connection with State business
> > > > > > > which are sent to or received by this account are subject to the
> > > > > > > NC Public Records Law and may be disclosed to third parties.
> > > > > > > -----BEGIN PGP SIGNATURE-----
> > > > > > > Version: GnuPG v2.0.22 (GNU/Linux)
> > > > > > >
> > > > > > >
> > > > > > > iEYEARECAAYFAlMGC3EACgkQV/LQcNdtPQMcYQCeIEKrOXtg01rr+EhhrL2Amovh
> > > > > > > K7gAn1EVWJL4SY6SH5Zku7NLEw0nJmQV
> > > > > > > =Bm+r
> > > > > > > -----END PGP SIGNATURE-----
> > > > >
> > >
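The following is an added example for this thread; it is not code from VCL's ldapauth.php or from either poster. It pulls the attribute-to-group mapping out into a function that takes the array ldap_get_entries() returns, so pdsrole, pdsacademicmajor and Josh's memberof pattern are folded into one list before a single updateGroups() call, and it shows concretely why the two-function version loses groups. It also escapes the unityid that the functions above interpolate into the search filter unescaped. The function names (buildUserFilter, ldapEntryToGroupNames, replaceMemberships), the sample entry and the in-memory membership table are assumptions for illustration; the regexes and DN shapes are the ones from the thread, with the `i` and `D` modifiers and `[^,]+` added as generalizations. ldap_escape() needs PHP 5.6 or later, so a fallback is included.

```php
<?php
// Added example for this thread; not code from VCL's ldapauth.php or from
// either poster.  Function names, the sample entry and the membership table
// are assumptions; attribute names, regexes and DN shapes mirror the thread.

/**
 * Build the "(attr=value)" filter for ldap_search().  The thread interpolates
 * $user['unityid'] into the filter unescaped; if that value can come from a
 * login form, '*', '(' and ')' would let a caller rewrite the query.
 * ldap_escape() exists from PHP 5.6; the fallback applies the same RFC 4515
 * encoding.
 */
function buildUserFilter($attr, $unityid) {
    if (function_exists('ldap_escape'))
        return "($attr=" . ldap_escape($unityid, '', LDAP_ESCAPE_FILTER) . ")";
    $from = array('\\',  '*',   '(',   ')',   "\0");
    $to   = array('\5c', '\2a', '\28', '\29', '\00');
    return "($attr=" . str_replace($from, $to, $unityid) . ")";
}

/**
 * Map one entry ($data[0] from ldap_get_entries(); PHP lower-cases attribute
 * names) to the VCL group names it implies.  Each rule is independent: a
 * missing attribute skips that rule instead of aborting, which is what a
 * combined role + major function needs.  'D' keeps '$' from matching before
 * a trailing newline; [^,]+ keeps a CN match from running past its RDN.
 */
function ldapEntryToGroupNames(array $entry) {
    $rules = array(
        // pdsrole holds bare role names in this deployment, not DNs
        'pdsrole'          => '/^(admin|employee|staff|faculty|student)$/D',
        // pdsacademicmajor holds a full DN under ou=Major
        'pdsacademicmajor' => '/^cn=([^,]+),ou=Major,o=institution\.edu$/iD',
        // Josh's Active Directory example: course rolls via memberOf
        'memberof'         => '/^CN=([^,]+),OU=CourseRolls,DC=example1,DC=com$/iD',
    );
    $groups = array();
    foreach ($rules as $attr => $regex) {
        if (!isset($entry[$attr]['count']))
            continue;
        for ($i = 0; $i < $entry[$attr]['count']; $i++) {
            if (preg_match($regex, $entry[$attr][$i], $m))
                $groups[] = $m[1];
        }
    }
    return array_values(array_unique($groups));
}

/**
 * Stand-in for VCL's updateGroups(), modelling only the property Josh points
 * out: it replaces the user's LDAP-derived memberships wholesale, so whatever
 * the last call passes is all that survives.
 */
function replaceMemberships(array &$table, $userid, array $groupnames) {
    $table[$userid] = $groupnames;
    return $table[$userid];
}

// Constructed sample entry, shaped like the printArray() output in the thread.
$entry = array(
    'pdsrole' => array('count' => 3, 0 => 'admin', 1 => 'employee', 2 => 'staff'),
    'pdsacademicmajor' => array('count' => 2,
        0 => 'cn=Computer Science,ou=Major,o=institution.edu',
        1 => 'cn=Computer Science,ou=Major,o=institution.edu'),
    'dn' => 'uid=290933460177932,ou=People,o=institution.edu,o=cp',
);
$table = array();

// Two functions, two calls (the thread's first attempt): the majors call
// overwrites the roles call, so only the major remains.
replaceMemberships($table, 42, ldapEntryToGroupNames(array('pdsrole' => $entry['pdsrole'])));
replaceMemberships($table, 42, ldapEntryToGroupNames(array('pdsacademicmajor' => $entry['pdsacademicmajor'])));
echo "two calls: ", implode(', ', $table[42]), "\n";

// One combined pass, one call: roles and major all survive, duplicates folded.
replaceMemberships($table, 42, ldapEntryToGroupNames($entry));
echo "one call:  ", implode(', ', $table[42]), "\n";

// A unityid containing filter metacharacters can no longer change the query.
echo buildUserFilter('uid', 'mike*)(uid=*'), "\n";
```

Run it with the php command line interpreter; no directory server is needed. The first pair of calls leaves only the major in the table, the combined call keeps the roles and the major together, and the last line shows the escaped filter. In VCL each returned name would go through getUserGroupID() before the single updateGroups() call, exactly as in the functions above.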
