[horde] Horde 4 and Active Directory Problems? (worked with H3)

Harald Hutter hutter at ihs.ac.at
Wed Jul 14 17:40:22 UTC 2010


Hi,

I know Horde 4 isn't stable yet. However, we are in the process of deciding 
which groupware we should use at our institute. As we are missing some 
features we need in the latest version of Horde Webmail Groupware Edition 
(Horde 3), we decided to try out H4 to get a clue whether we should start with H3 or 
wait for H4 (or have to use Exchange, an option we would prefer to avoid). 
We need ActiveSync and support for resources; starting with H3, we will have to
upgrade to H4 as soon as possible.

We tested H3 with Active Directory and it worked:
* Authentication works
* Users are listed in the admin interface
* Groups are available, although they are not visible in the admin GUI 
when clicking on Groups (I didn't care about that, as I found an old post to a 
Horde list describing the same issue)

Using H4 only parts of the Active Directory integration work
(latest git pull was on July 13th):
* Authentication works
* Users are not visible in the admin interface, fixed(?), see below [1]
* Groups are not available, (help needed) see below [2]

[1]: Clicking on Users in the admin GUI (logged in as an administrator to 
horde), we get only an empty list (icons are visible but no username is 
shown).
I tracked this problem down in the code and it seems to be the following line
in function listUsers in framework/Auth/lib/Horde/Auth/Ldap.php
$uid = Horde_String::lower($this->_params['uid']);

This was easy to fix:
diff Ldap.php.org Ldap.php
404a405
> 
410c411,412
<             $uid = Horde_String::lower($this->_params['uid']);
---
>             //$uid = Horde_String::lower($this->_params['uid']);
>             $uid = $this->_params['uid'];
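Review bot: the 410c411,412 hunk keeps the old `$uid = Horde_String::lower($this->_params['uid']);` line as a commented-out remnant; delete it rather than leaving dead code. More importantly, dropping the lowercase conversion only moves the case mismatch: `$val[$uid][0]` now works only if the configured attribute name matches, character for character, the case in which the result array stores its keys, which depends on how the search result was converted, not on the directory alone. A more robust fix, in line with the suggestion in the mail text, is to normalize both sides, e.g. keep the lowercased `$uid` and look it up in `array_change_key_case($val, CASE_LOWER)`. The 404a405 hunk adds only an empty line and can be dropped from the patch.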

I assume the problem is that an LDAP query is not case sensitive.
However, the result returned from our Windows 2008 Active Directory server
has the attribute sAMAccountName. By only converting the parameter uid
(which holds sAMAccountName) to lowercase, but not the returned result too, 
the line "$userlist[] = $val[$uid][0];" will fail. If conversion to lowercase 
is needed for other (real) LDAP implementations, the returned attributes 
will have to be converted too for AD to work.

[2] Clicking on Groups (logged in as administrator) returns the following 
error:
A fatal error has occurred
Could not reach the LDAP server
[line 556 of .../horde/framework/Group/lib/Horde/Group/Ldap.php]

Path in the last line was abbreviated by me. Looking in Ldap.php
it seems that _connect in listGroups succeeds (also verified with tcpdump and
changing the code to write custom debug messages to the log; setting Log Level 
to DEBUG didn't reveal more useful information).

I also verified that the parameters are correct and the ldap handle is still 
the same as returned by _connect with the following lines inserted before
the line "$search = @ldap_search($this->_ds, $this->_params['basedn'], 
$this->_filter, array($this->_params['gid']));"

$entry = sprintf('basedn %s filter %s gid %s ds %s', $this->_params['basedn'], 
$this->_filter, $this->_params['gid'], $this->_ds);
Horde::logMessage($entry, 'NOTICE');

All the variables written to the log are looking fine. So I think the
problem is the line $search = @ldap_search...

Can anybody point me to the file containing the function ldap_search?
Google was of no help (maybe I did it wrong?). Should I find it in the 
documentation at dev.horde.org? Does anyone have a clue what might be wrong here?

In case I configured something wrong here are obfuscated excerpts of my 
conf.php:

$conf['ldap']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
$conf['ldap']['searchdn'] = 'aduser';
$conf['ldap']['searchpw'] = 'pw';
$conf['ldap']['basedn'] = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
$conf['ldap']['version'] = 3;
$conf['ldap']['writeas'] = 'search';
$conf['ldap']['tls'] = false;
$conf['ldap']['useldap'] = true;
$conf['auth']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
$conf['auth']['params']['searchdn'] = 'aduser';
$conf['auth']['params']['searchpw'] = 'pw';
$conf['auth']['params']['basedn'] = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
$conf['auth']['params']['version'] = 3;
$conf['auth']['params']['writeas'] = 'search';
$conf['auth']['params']['tls'] = false;
$conf['auth']['params']['scope'] = 'sub';
$conf['auth']['params']['ad'] = true;
$conf['auth']['params']['uid'] = 'sAMAccountName';
$conf['auth']['params']['encryption'] = 'ssha';
$conf['auth']['params']['newuser_objectclass'] = array('shadowAccount', 'inetOrgPerson');
$conf['auth']['params']['filter'] = '(&(objectclass=user)(!(objectclass=computer)))';
$conf['auth']['params']['password_expiration'] = 'no';
$conf['auth']['params']['driverconfig'] = 'custom';
$conf['auth']['driver'] = 'ldap';
$conf['group']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
$conf['group']['params']['searchdn'] = 'aduser';
$conf['group']['params']['searchpw'] = 'pw';
$conf['group']['params']['basedn'] = 'ou=Groups,ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
$conf['group']['params']['version'] = 3;
$conf['group']['params']['writeas'] = 'search';
$conf['group']['params']['tls'] = false;
$conf['group']['params']['gid'] = 'cn';
$conf['group']['params']['memberuid'] = 'memberUid';
$conf['group']['params']['attrisdn'] = false;
$conf['group']['params']['newgroup_objectclass'] = array('posixGroup', 'hordeGroup');
$conf['group']['params']['filter'] = '(&(objectclass=group)(objectclass=top))';
$conf['group']['params']['filter_type'] = 'free';
$conf['group']['params']['driverconfig'] = 'custom';
$conf['group']['driver'] = 'ldap';
$conf['group']['cache'] = false;

Thanks for any assistance in advance,
best
Harald
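The attribute-name case mismatch described under [1] can be handled by normalizing both the configured attribute name and the keys of each result entry; the following is an added example (not Horde code) that does this over a constructed search result shaped like the array PHP's ldap_get_entries() returns:

```php
<?php
// Added example, not part of Horde: a case-insensitive attribute lookup for the
// listUsers() problem. The $result array below is constructed for this example
// and mimics the ldap_get_entries() layout ('count' keys, attribute => array of
// values that carries its own 'count').

/**
 * Return the first value of $attr in one LDAP entry, regardless of the case
 * in which the attribute name appears as an array key.
 */
function ldap_attr_first_value(array $entry, $attr)
{
    $attr = strtolower($attr);
    // Lowercase the keys of this entry once; 'count' and 'dn' are unaffected.
    $entry = array_change_key_case($entry, CASE_LOWER);
    if (!isset($entry[$attr]) || !is_array($entry[$attr]) || !isset($entry[$attr][0])) {
        return null;
    }
    return $entry[$attr][0];
}

/** Build a user list from a search result, skipping entries without $uidAttr. */
function list_users_from_result(array $result, $uidAttr)
{
    $users = array();
    for ($i = 0; $i < $result['count']; $i++) {
        $val = ldap_attr_first_value($result[$i], $uidAttr);
        if ($val !== null) {
            $users[] = $val;
        }
    }
    return $users;
}

// Constructed sample: one entry keyed as Active Directory names the attribute,
// one keyed lowercase as the PHP LDAP functions commonly return it, and one
// entry that carries only a 'uid' attribute and must be skipped.
$result = array(
    'count' => 3,
    0 => array('count' => 1, 'dn' => 'CN=Alice,OU=prodou,DC=example,DC=org',
               'sAMAccountName' => array('count' => 1, 0 => 'alice')),
    1 => array('count' => 1, 'dn' => 'CN=Bob,OU=prodou,DC=example,DC=org',
               'samaccountname' => array('count' => 1, 0 => 'bob')),
    2 => array('count' => 1, 'dn' => 'CN=Svc,OU=prodou,DC=example,DC=org',
               'uid' => array('count' => 1, 0 => 'svc')),
);

// Same answer whether the configured name is 'sAMAccountName' or 'samaccountname'.
var_dump(list_users_from_result($result, 'sAMAccountName') === array('alice', 'bob'));
var_dump(list_users_from_result($result, 'samaccountname') === array('alice', 'bob'));
```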


More information about the horde mailing list