Thank you Josh for the assistance. I am now able to authenticate using Windows AD.
The last item I would like guidance on is the User Groups, so I can assign images. I have done a user lookup while logged in as local Admin, as well as log in with the relevant AD user successfully. However, the AD group does not show up in VCL user groups. The AD user is already assigned to the vclusers group in AD. At this time, I plan to use one group (*vclusers*) for everyone and gradually separate them.

Please assist on this.

Regards,
Luckmore Chirongo

On Wed, Sep 23, 2020 at 9:46 PM Josh Thompson <josh_thomp...@ncsu.edu> wrote:
> Hi Luckmore,
>
> After tracing through the code a bit, it looks like your authentication must work correctly, and then the problem is encountered after it redirects you back to the site after setting an authentication cookie. It looks like the user set in the authentication cookie must be "labt...@domain.ac.bw". However, the code is expecting the part after the '@' to be a VCL affiliation name, rather than a domain name. I'm not sure if it is documented anywhere or not, but affiliation names cannot contain '.' characters. Is the affiliation.name in your database set to 'domain.ac.bw' for id 6? If so, try changing it to something without any '.' characters in it.
>
> Let us know if that fixes the problem.
>
> Josh
>
> On Tuesday, September 22, 2020 12:50:13 PM EDT L Chirongo wrote:
> > Hi Josh,
> >
> > I enabled logging and below is the part from /var/log/messages when I was attempting to do the domain login in VCL:
> >
> > Sep 22 17:43:09 mgt systemd-logind: New session 4 of user root.
> > Sep 22 17:43:10 mgt dbus[764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
> > Sep 22 17:43:10 mgt dbus[764]: [system] Successfully activated service 'org.freedesktop.problems'
> > Sep 22 17:45:24 mgt httpd: ERROR(1): Failed to get user info from database.
> > userid was labt...@domain.ac.bw#012Mode was main#012#012#012Backtrace:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012#012Backtrace with Arguments:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Arguments(none):#012-----------------------
> > Sep 22 17:47:25 mgt httpd: PHP Fatal error: Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234
> >
> > I noticed *generic.php* successfully binds and the user variable contains only the userid with no suffix. Is there a way to remove the domain suffix from the userid being sent in VCL?
> >
> > I tried to remove the suffix by changing conf.php to read *userid => "%s",* but the suffix is still being sent as seen in /var/log/messages
> >
> > Regards,
> > Luckmore Chirongo
> >
> > On Tue, Sep 22, 2020 at 3:45 PM L Chirongo <luckychiro...@gmail.com> wrote:
> > > Hi Josh,
> > >
> > > Thanks for your response.
> > >
> > > Yes, I have an affiliation with ID 6 in the affiliation table. I will go ahead and enable the logging as you advised.
> > >
> > > Regards,
> > > Luckmore Chirongo
> > >
> > > On Tue, 22 Sep 2020, 15:06 Josh Thompson, <josh_thomp...@ncsu.edu> wrote:
> > >> Hi Luckmore,
> > >>
> > >> Welcome to the VCL community! Thanks for your interest in using VCL.
> > >>
> > >> It sounds like your LDAP configuration is mostly correct. You have affiliationid set to 6 for your "BU LDAP" entry. Do you have an entry in your affiliation table with an id of 6? I'd recommend enabling php error logging so that you can see what error is being hit a little more clearly. I'd recommend modifying /etc/php.ini and configuring it to log to syslog. You'll also need to ensure log_errors is set to On.
> > >>
> > >> log_errors = On
> > >> error_log = syslog
> > >>
> > >> You can also configure it to log to a file, but getting the permissions correct for that to work can be tricky. The file has to be owned by the same user that httpd runs as.
> > >>
> > >> After modifying php.ini, you'll need to restart httpd. Once you have logging enabled, try logging in with LDAP again and see if you see more information about the error in /var/log/messages.
> > >>
> > >> Let us know how it goes.
> > >>
> > >> Josh
> > >>
> > >> On Monday, September 21, 2020 4:47:23 PM EDT L Chirongo wrote:
> > >> > Hello,
> > >> >
> > >> > I have set up LDAPS on my Active directory to authenticate VCL using a self-signed wildcard certificate. Running *generic.php* is successful, giving a *Binding successful* message.
> > >> >
> > >> > Also, running *openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect ad1.domain.ac.bw:636* gives a *"Verify return code: 0 (ok)"* message.
> > >> >
> > >> > However when I try to authenticate using LDAP in VCL I get Error: An error has occurred. If this problem persists, please email...
> > >> >
> > >> > Attached are configured parts of my generic.php, conf.php and ldapauth.php files.
> > >> >
> > >> > Thanks in advance for assistance.
> > >> >
> > >> > Regards,
> > >> > Luckmore Chirongo
> > >>
> > >> --
> > >> -------------------------------
> > >> Josh Thompson
> > >> Systems Programmer
> > >> Virtual Computing Lab (VCL)
> > >> North Carolina State University
> > >>
> > >> josh_thomp...@ncsu.edu
> > >> 919-515-5323
> > >>
> > >> my GPG/PGP key can be found on pool.sks-keyservers.net
> > >>
> > >> All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
>
> --
> -------------------------------
> Josh Thompson
> Systems Programmer
> Virtual Computing Lab (VCL)
> North Carolina State University
>
> josh_thomp...@ncsu.edu
> 919-515-5323
>
> my GPG/PGP key can be found on pool.sks-keyservers.net
>
> All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
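The failure Josh traces in the thread, modelled as a small Python example added here (it is not VCL's own code and does not reproduce its PHP): the userid carried in the authentication cookie is split at '@', the suffix is treated as a VCL affiliation name and looked up in the affiliation table, and a name containing '.' can never resolve. The affiliation table, the user name "labuser", and the character class used for valid affiliation names are constructed assumptions; the only rule taken from the page is that affiliation names cannot contain '.'. The audit helper goes one step beyond the thread by scanning the whole table for names that would fail the same way.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the VCL "affiliation" table (id -> name).
# Row 6 models the misconfiguration from the thread: a DNS domain
# stored where VCL expects an affiliation name.
AFFILIATIONS_BROKEN: Dict[int, str] = {
    1: "Local",
    6: "domain.ac.bw",
}

# The same table after applying Josh's fix: a name without '.' characters.
# "BU" is a constructed value chosen to match the "BU LDAP" authMech label.
AFFILIATIONS_FIXED: Dict[int, str] = {
    1: "Local",
    6: "BU",
}

# Assumed character class for affiliation names. The page only states that
# '.' is not allowed; the rest of this pattern is an illustrative choice.
AFFILIATION_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def split_userid(userid: str) -> Tuple[str, str]:
    """Split 'user@affiliation' at the last '@' (the suffix is the affiliation)."""
    if "@" not in userid:
        raise ValueError(f"userid {userid!r} has no '@affiliation' suffix")
    user, affil = userid.rsplit("@", 1)
    if not user or not affil:
        raise ValueError(f"userid {userid!r} has an empty user or affiliation part")
    return user, affil


def lookup_affiliation_id(name: str, table: Dict[int, str]) -> Optional[int]:
    """Return the affiliation id whose name matches exactly, or None."""
    for aid, aname in table.items():
        if aname == name:
            return aid
    return None


def resolve_user(userid: str, table: Dict[int, str]) -> dict:
    """Resolve a cookie userid to (user, affiliationid), or explain why it fails.

    This mirrors the symptom in the thread: a suffix that is really a DNS
    domain is rejected before any database row can match it.
    """
    user, affil = split_userid(userid)
    if not AFFILIATION_NAME_RE.fullmatch(affil):
        return {
            "ok": False,
            "reason": f"affiliation {affil!r} is not a valid affiliation name "
                      f"(VCL affiliation names cannot contain '.')",
        }
    aid = lookup_affiliation_id(affil, table)
    if aid is None:
        return {"ok": False, "reason": f"no affiliation named {affil!r} in table"}
    return {"ok": True, "user": user, "affiliationid": aid}


def audit_affiliations(table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Return (id, name) rows whose name would never resolve through resolve_user()."""
    return [(aid, name) for aid, name in table.items()
            if not AFFILIATION_NAME_RE.fullmatch(name)]


if __name__ == "__main__":
    # "labuser" is a constructed user name, not the one from the thread.
    print(resolve_user("labuser@domain.ac.bw", AFFILIATIONS_BROKEN))
    print(audit_affiliations(AFFILIATIONS_BROKEN))
    print(resolve_user("labuser@BU", AFFILIATIONS_FIXED))
```

Running the script shows the broken table failing on the '.' check, the audit flagging row 6, and the fixed table resolving the same user to affiliationid 6. In a real deployment the equivalent check is a query against the affiliation table for names containing '.', run before touching the LDAP configuration.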