[horde] Horde 4 and Active Directory Problems? (worked with H3)

Jan Schneider jan at horde.org
Mon Jul 26 16:40:59 UTC 2010


Quoting Harald Hutter <hutter at ihs.ac.at>:

> Hi,
>
> I know Horde 4 isn't stable yet. However, we are in the process of deciding
> which groupware we should use at our institute. As we are missing some
> features we need in the latest version of Horde Webmail Groupware Edition
> (Horde 3), we decided to try out H4 to get a clue whether we start with H3 or
> wait for H4 (or have to use Exchange, preferring to avoid this option).
> We need ActiveSync and support for resources, starting with H3 we will have
> to upgrade to H4 as soon as possible.
>
> We tested H3 with Active Directory and it worked:
> * Authentication works
> * Users are listed in the admin interface
> * Groups are available although they are not visible in the admin GUI,
> if clicking on Groups (I didn't care about that as I found an old post to a
> horde list describing the same issue)
>
> Using H4 only parts of the Active Directory integration work
> (latest git pull was on July 13th):
> * Authentication works
> * Users are not visible in the admin interface, fixed(?), see below [1]
> * Groups are not available, (help needed) see below [2]
>
> [1]: Clicking on Users in the admin GUI (logged in as an administrator to
> horde), we get only an empty list (icons are visible but no username is
> shown).
> I tracked this problem down in the code and it seems to be the following line
> in function listUsers in framework/Auth/lib/Horde/Auth/Ldap.php
> $uid = Horde_String::lower($this->_params['uid']);
>
> This was easy to fix:
> diff Ldap.php.org Ldap.php
> 404a405
>>
> 410c411,412
> <             $uid = Horde_String::lower($this->_params['uid']);
> ---
>>             //$uid = Horde_String::lower($this->_params['uid']);
>>             $uid = $this->_params['uid'];
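
Review bot: In the 410c411,412 change, the later lookup `$val[$uid][0]` now matches only when the configured `uid` is spelled exactly as the server returns the attribute, so a configuration value of `samaccountname` would give the same empty user list against this AD. Compare case-insensitively on both sides instead (lowercase the keys of the returned entry as well as `$uid`), delete the old line rather than leaving it commented out, and drop the unrelated blank line added by 404a405.
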
>
> I assume the problem is that an LDAP query is not case sensitive.
> However, the result returned from our Windows 2008 Active Directory server
> has the attribute sAMAccountName. By only converting the parameter uid
> (which holds sAMAccountName) to lowercase, but not the returned result too,
> the line "$userlist[] = $val[$uid][0];" will fail. If conversion to lowercase
> is needed for other (real) ldap implementations, ensuring to convert the
> returned attributes too, will be necessary for AD to work.
>
> [2] Clicking on Groups (logged in as administrator) returns the following
> error:
> A fatal error has occurred
> Could not reach the LDAP server
> [line 556 of .../horde/framework/Group/lib/Horde/Group/Ldap.php]
>
> Path in the last line was abbreviated by me. Looking in Ldap.php
> it seems that _connect in listGroups succeeds (also verified with tcpdump and
> changing the code to write custom debug messages to the log; setting Log
> Level to DEBUG didn't reveal more useful information).
>
> I also verified that the parameters are correct and the ldap handle is still
> the same as returned by _connect with the following lines inserted before
> the line "$search = @ldap_search($this->_ds, $this->_params['basedn'],
> $this->_filter, array($this->_params['gid']));"
>
> $entry = sprintf('basedn %s filter %s gid %s ds %s', $this->_params['basedn'],
>     $this->_filter, $this->_params['gid'], $this->_ds);
> Horde::logMessage($entry, 'NOTICE');
>
> All the variables written to the log are looking fine. So I think the
> problem is the line $search = @ldap_search...
>
> Can anybody point me to the file containing the function ldap_search?
> Google was of no help (maybe I did it wrong?). Should I find it in the
> documentation at dev.horde.org? Has anyone a clue what might be wrong here?
>
> In case I configured something wrong here are obfuscated excerpts of my
> conf.php:
>
> $conf['ldap']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
> $conf['ldap']['searchdn'] = 'aduser';
> $conf['ldap']['searchpw'] = 'pw';
> $conf['ldap']['basedn'] = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> $conf['ldap']['version'] = 3;
> $conf['ldap']['writeas'] = 'search';
> $conf['ldap']['tls'] = false;
> $conf['ldap']['useldap'] = true;
> $conf['auth']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
> $conf['auth']['params']['searchdn'] = 'aduser';
> $conf['auth']['params']['searchpw'] = 'pw';
> $conf['auth']['params']['basedn'] = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> $conf['auth']['params']['version'] = 3;
> $conf['auth']['params']['writeas'] = 'search';
> $conf['auth']['params']['tls'] = false;
> $conf['auth']['params']['scope'] = 'sub';
> $conf['auth']['params']['ad'] = true;
> $conf['auth']['params']['uid'] = 'sAMAccountName';
> $conf['auth']['params']['encryption'] = 'ssha';
> $conf['auth']['params']['newuser_objectclass'] = array('shadowAccount', 'inetOrgPerson');
> $conf['auth']['params']['filter'] = '(&(objectclass=user)(!(objectclass=computer)))';
> $conf['auth']['params']['password_expiration'] = 'no';
> $conf['auth']['params']['driverconfig'] = 'custom';
> $conf['auth']['driver'] = 'ldap';
> $conf['group']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at ad2.subdomain.ihs.ac.at';
> $conf['group']['params']['searchdn'] = 'aduser';
> $conf['group']['params']['searchpw'] = 'pw';
> $conf['group']['params']['basedn'] = 'ou=Groups,ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> $conf['group']['params']['version'] = 3;
> $conf['group']['params']['writeas'] = 'search';
> $conf['group']['params']['tls'] = false;
> $conf['group']['params']['gid'] = 'cn';
> $conf['group']['params']['memberuid'] = 'memberUid';
> $conf['group']['params']['attrisdn'] = false;
> $conf['group']['params']['newgroup_objectclass'] = array('posixGroup', 'hordeGroup');
> $conf['group']['params']['filter'] = '(&(objectclass=group)(objectclass=top))';
> $conf['group']['params']['filter_type'] = 'free';
> $conf['group']['params']['driverconfig'] = 'custom';
> $conf['group']['driver'] = 'ldap';
> $conf['group']['cache'] = false;
>
> Thanks for any assistance in advance,
> best
> Harald


Please create a ticket on http://bugs.horde.org/.

Jan.

-- 
Do you need professional PHP or Horde consulting?
http://horde.org/consulting/
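
The attribute-name mismatch described under [1] in the quoted report, shown as an added example that is not part of the original thread and is not Horde code. The helper names `first_attr_value` and `list_users` and the sample entries are hypothetical; the entries are constructed to mimic a result whose keys keep the server's spelling.

```php
<?php
// Added example: case-insensitive lookup of the configured uid attribute.
// LDAP attribute names are case-insensitive, so neither the configured
// spelling nor the spelling in the result should decide the outcome.

/** First value of $attr in one entry, matching the name case-insensitively. */
function first_attr_value(array $entry, string $attr): ?string
{
    $wanted = strtolower($attr);
    foreach ($entry as $name => $values) {
        if (is_string($name) && strtolower($name) === $wanted) {
            $values = (array) $values;   // tolerate a single string value
            return isset($values[0]) ? (string) $values[0] : null;
        }
    }
    return null;                         // attribute absent from this entry
}

/** Collect the uid of every entry that has one; skip entries without it. */
function list_users(array $entries, string $uidAttr): array
{
    $users = [];
    foreach ($entries as $entry) {
        $uid = first_attr_value($entry, $uidAttr);
        if ($uid !== null) {
            $users[] = $uid;
        }
    }
    return $users;
}

// Constructed sample data: one key spelled as in the report, one lowercased,
// and one entry that lacks the attribute entirely.
$entries = [
    ['sAMAccountName' => ['alice'], 'cn' => ['Alice Example']],
    ['samaccountname' => ['bob'],   'cn' => ['Bob Example']],
    ['cn' => ['No Uid Entry']],
];

// The lookup from the report: only the configured name is lowercased,
// so it is compared against a key that still has mixed case.
$uid = strtolower('sAMAccountName');
var_dump(isset($entries[0][$uid]));

// Both spellings of the configured attribute resolve the same users.
print_r(list_users($entries, 'sAMAccountName'));
print_r(list_users($entries, 'SAMACCOUNTNAME'));
```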


