[horde] Horde 4 and Active Directory Problems? (worked with H3)

Harald Hutter hutter at ihs.ac.at
Tue Aug 24 17:11:47 UTC 2010


On Monday 26 July 2010, Jan Schneider wrote:
> Quoting Harald Hutter <hutter at ihs.ac.at>:
> > We tested H3 with Active Directory and it worked:
> > * Authentication works
> > * Users are listed in the admin interface
> > * Groups are available although they are not visible in the admin GUI,
> > if clicking on Groups (I didn't care about that as I found an old post to
> > a horde list describing the same issue)
> >
> > Using H4 only parts of the Active Directory integration work
> > (latest git pull was on July 13th):
> > * Authentication works
> > * Users are not visible in the admin interface, fixed(?), see below [1]
> > * Groups are not available, (help needed) see below [2]
> >
> > [1]: Clicking on Users in the admin GUI (logged in as an administrator to
> > horde), we get only an empty list (icons are visible but no username is
> > shown).
> > I tracked this problem down in the code and it seems to be the following
> > line in function listUsers in framework/Auth/lib/Horde/Auth/Ldap.php
> > $uid = Horde_String::lower($this->_params['uid']);
> >
> > This was easy to fix:
> > diff Ldap.php.org Ldap.php
> > 404a405
> >
> > 410c411,412
> > <             $uid = Horde_String::lower($this->_params['uid']);
> > ---
> >
> >>             //$uid = Horde_String::lower($this->_params['uid']);
> >>             $uid = $this->_params['uid'];
> >
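
Review bot: at the `$uid = $this->_params['uid'];` line the lookup key becomes whatever spelling was typed into the configuration, so the user list only fills while that spelling matches the attribute name exactly as the server returns it, and a configuration that says `samaccountname` would bring the empty list back. Apply one case fold to both the configured name and the keys of each returned entry before indexing, and delete the commented-out `//$uid = ...` line instead of leaving it in place. The `404a405` hunk adds only an empty line and can be dropped from the patch.
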
> > I assume the problem is that an LDAP query is not case sensitive.
> > However, the result returned from our Windows 2008 Active Directory
> > server has the attribute sAMAccountName. By only converting the parameter
> > uid (which holds sAMAccountName) to lowercase, but not the returned
> > result too, the line "$userlist[] = $val[$uid][0];" will fail. If
> > conversion to lowercase is needed for other (real) LDAP implementations,
> > converting the returned attributes too will be necessary for AD
> > to work.
> >
> > [2] Clicking on Groups (logged in as administrator) returns the following
> > error:
> > A fatal error has occurred
> > Could not reach the LDAP server
> > [line 556 of .../horde/framework/Group/lib/Horde/Group/Ldap.php]
> >
> > Path in the last line was abbreviated by me. Looking in Ldap.php
> > it seems that _connect in listGroups succeeds (also verified with tcpdump
> > and changing the code to write custom debug messages to the log; setting
> > Log Level
> > to DEBUG didn't reveal more useful information).
> >
> > I also verified that the parameters are correct and the ldap handle is
> > still the same as returned by _connect with the following lines inserted
> > before the line "$search = @ldap_search($this->_ds,
> > $this->_params['basedn'], $this->_filter, array($this->_params['gid']));"
> >
> > $entry = sprintf('basedn %s filter %s gid %s ds %s',
> > $this->_params['basedn'],
> > $this->_filter, $this->_params['gid'], $this->_ds);
> > Horde::logMessage($entry, 'NOTICE');
> >
> > All the variables written to the log are looking fine. So I think the
> > problem is the line $search = @ldap_search...
> >
> > Can anybody point me to the file containing the function ldap_search?
> > Google was of no help (maybe I did it wrong?). Should I find it in the
> > documentation at dev.horde.org? Has anyone a clue what might be wrong
> > here?
> >
> > In case I configured something wrong here are obfuscated excerpts of my
> > conf.php:
> >
> > $conf['ldap']['hostspec'] = 'ad1.subdomain.ihs.ac.at
> > ad2.subdomain.ihs.ac.at';
> > $conf['ldap']['searchdn'] = 'aduser';
> > $conf['ldap']['searchpw'] = 'pw';
> > $conf['ldap']['basedn'] = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> > $conf['ldap']['version'] = 3;
> > $conf['ldap']['writeas'] = 'search';
> > $conf['ldap']['tls'] = false;
> > $conf['ldap']['useldap'] = true;
> > $conf['auth']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at
> > ad2.subdomain.ihs.ac.at';
> > $conf['auth']['params']['searchdn'] = 'aduser';
> > $conf['auth']['params']['searchpw'] = 'pw';
> > $conf['auth']['params']['basedn']
> > = 'ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> > $conf['auth']['params']['version'] = 3;
> > $conf['auth']['params']['writeas'] = 'search';
> > $conf['auth']['params']['tls'] = false;
> > $conf['auth']['params']['scope'] = 'sub';
> > $conf['auth']['params']['ad'] = true;
> > $conf['auth']['params']['uid'] = 'sAMAccountName';
> > $conf['auth']['params']['encryption'] = 'ssha';
> > $conf['auth']['params']['newuser_objectclass'] =
> > array('shadowAccount', 'inetOrgPerson');
> > $conf['auth']['params']['filter'] = '(&(objectclass=user)(!
> > (objectclass=computer)))';
> > $conf['auth']['params']['password_expiration'] = 'no';
> > $conf['auth']['params']['driverconfig'] = 'custom';
> > $conf['auth']['driver'] = 'ldap';
> > $conf['group']['params']['hostspec'] = 'ad1.subdomain.ihs.ac.at
> > ad2.subdomain.ihs.ac.at';
> > $conf['group']['params']['searchdn'] = 'aduser';
> > $conf['group']['params']['searchpw'] = 'pw';
> > $conf['group']['params']['basedn']
> > = 'ou=Groups,ou=prodou,dc=subdomain,dc=ihs,dc=ac,dc=at';
> > $conf['group']['params']['version'] = 3;
> > $conf['group']['params']['writeas'] = 'search';
> > $conf['group']['params']['tls'] = false;
> > $conf['group']['params']['gid'] = 'cn';
> > $conf['group']['params']['memberuid'] = 'memberUid';
> > $conf['group']['params']['attrisdn'] = false;
> > $conf['group']['params']['newgroup_objectclass'] =
> > array('posixGroup', 'hordeGroup');
> > $conf['group']['params']['filter'] = '(&(objectclass=group)
> > (objectclass=top))';
> > $conf['group']['params']['filter_type'] = 'free';
> > $conf['group']['params']['driverconfig'] = 'custom';
> > $conf['group']['driver'] = 'ldap';
> > $conf['group']['cache'] = false;
> >
> >  Thanks for any assistance in advance,
> > best
> > Harald
> > --
> > Horde mailing list - Join the hunt: http://horde.org/bounties/#horde
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
> Please create a ticket on http://bugs.horde.org/.
>
> Jan.
>
> --
> Do you need professional PHP or Horde consulting?
> http://horde.org/consulting/

I was on vacation ... However, I pulled the latest code today and
verified my workaround for Problem 1 (empty userlist) still works.
I created a ticket for this; for your reference, the number is #9196.

I'm still working on the other problem (group listing). With the latest git
code I'm getting a lot of error lines like

 implode(): Invalid arguments passed 
in /srv/www/htdocs/git/horde/framework/Group/lib/Horde/Group/Ldap.php on line 
518, referer: http://someserver.ihs.ac.at/horde/admin/groups.php

in my apache logs.
Anyone else seeing them?

However, as there are still the old (H3) config parameters used in the git 
code, at least this is a bug. So I decided to create a ticket for this part 
of the problem (#9197).

best
Harald
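
The case mismatch behind problem 1 above, as an added example (not Horde's code and not part of the original message): LDAP attribute names are case-insensitive but PHP array keys are not, so both the configured name and the keys of each returned entry are folded to lowercase before the lookup. The entry layout, the function name `listUids` and the sample entries are assumptions constructed for the illustration.

```php
<?php
// Added illustration; not code from Horde. Assumed entry layout:
// each search result is an array of attribute name => list of values.

/**
 * Collect the user id attribute from LDAP search results without depending
 * on the case the server used for attribute names.
 */
function listUids(array $entries, string $uidAttr): array
{
    $uidKey = strtolower($uidAttr);
    $users = [];
    foreach ($entries as $entry) {
        // Fold returned attribute names the same way as the configured one.
        $attrs = array_change_key_case($entry, CASE_LOWER);
        if (!isset($attrs[$uidKey][0]) || $attrs[$uidKey][0] === '') {
            continue; // entry carries no usable uid attribute; skip it
        }
        $users[] = $attrs[$uidKey][0];
    }
    sort($users);
    return $users;
}

// Constructed sample results: the same attribute spelled in two cases,
// plus one entry that lacks it entirely.
$entries = [
    ['sAMAccountName' => ['alice'], 'cn' => ['Alice Example']],
    ['samaccountname' => ['bob'],   'cn' => ['Bob Example']],
    ['cn' => ['No Uid Here']],
];

// Folding only the configured name and indexing the raw entry matches
// nothing unless the server happened to return an all-lowercase key.
$oneSided = [];
$key = strtolower('sAMAccountName');
foreach ($entries as $entry) {
    if (isset($entry[$key][0])) {
        $oneSided[] = $entry[$key][0];
    }
}

var_dump($oneSided);
var_dump(listUids($entries, 'sAMAccountName'));
var_dump(listUids($entries, 'SAMACCOUNTNAME'));
```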

