LDAP auditor and admin groups not working for OpenLDAP
Hi there.
I have an issue with the LDAP auth on my local piler installation.
First I had to change some lines in auth.php to match our objectclass, since it always seemed to filter for objectclass=user. Now our users can log in with their LDAP credentials and everyone is seeing their own mails.
I assigned some users to specific ldap groups for admins and auditors and assigned the DN specifically to:
$config["LDAP_AUDITOR_MEMBER_DN"]="cn=piler_auditor,ou=groups,dc=example,dc=de";
$config['LDAP_ADMIN_MEMBER_DN'] = 'cn=piler_admin,ou=groups,dc=example,dc=de';
I analysed our mail log and I see no queries going out to identify whether a user is part of that specific group.
Kind Regards
Drees
Comments (10)
reporter The given user is part of the defined LDAP group for LDAP_AUDITOR_MEMBER_DN.
In auth.php I changed the LDAP query so that it does not search for a specific objectClass.
Original:
$query = $ldap->query($ldap_base_dn, "(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))", array());
Changed:
$query = $ldap->query($ldap_base_dn, "(&(objectClass=*)($ldap_mail_attr=$username_prefix$username))", array());
Original:
$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());
Changed:
$query = $ldap->query($ldap_base_dn, "(|(&(objectClass=*)($ldap_mail_attr=$username_prefix$username))(&(objectClass=*)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=*)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());
Changing the $ldap_account_objectclass variable to * was all I did (I know I could have done so in config-site.php as well, but I opted to try both ways. Both yielded the same result).
After these changes users could log in using their LDAP accounts. Before, it always wanted to authenticate against the objectclass "User", which we do not use in our LDAP.
Cheers
Drees
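An added example, not piler's own code, that models the two steps discussed in this thread: the account lookup filter from auth.php (with the login name escaped per RFC 4515 before it goes into the filter) and the auditor/admin decision against the group DNs from config-site.php, both the exact comparison the repo owner describes and a normalized one. The directory entries and the memberOf attribute are assumptions.

```python
def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def account_filter(mail_attr: str, objectclass: str, username: str) -> str:
    """Same shape as the auth.php filter; objectclass '*' is the reporter's
    presence-match variant. Only the username comes from the login form,
    so only it is escaped; the other parts come from config-site.php."""
    return f"(&(objectClass={objectclass})({mail_attr}={ldap_escape(username)}))"

def normalize_dn(dn: str) -> str:
    """Simplified DN normalization (lower-case, no blanks around the commas);
    enough for this comparison, not a full RFC 4514 canonicalizer."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def lookup_account(entries, mail_attr, objectclass, username):
    """Stand-in for the directory search. objectClass and mail compare
    case-insensitively, as the usual LDAP matching rules for them do."""
    for e in entries:
        oc_ok = objectclass == "*" or objectclass.lower() in (c.lower() for c in e["objectClass"])
        mail_ok = username.lower() in (m.lower() for m in e.get(mail_attr, []))
        if oc_ok and mail_ok:
            return e
    return None

def role_for(entry, auditor_dn, admin_dn, strict=True):
    """strict=True mirrors the exact, case-sensitive DN comparison the repo
    owner describes; strict=False uses normalize_dn on both sides instead."""
    groups = entry.get("memberOf", [])  # assumed group-membership attribute
    def member(dn):
        if strict:
            return dn in groups
        return normalize_dn(dn) in {normalize_dn(g) for g in groups}
    if member(admin_dn):
        return "admin"
    if member(auditor_dn):
        return "auditor"
    return "user"

AUDITOR_DN = "cn=piler_auditor,ou=groups,dc=example,dc=de"
ADMIN_DN = "cn=piler_admin,ou=groups,dc=example,dc=de"

# Constructed sample entries; the second lists the group DN in different case.
DIRECTORY = [
    {"dn": "uid=drees,ou=people,dc=example,dc=de", "objectClass": ["inetOrgPerson"],
     "mail": ["drees@example.de"], "memberOf": [AUDITOR_DN]},
    {"dn": "uid=other,ou=people,dc=example,dc=de", "objectClass": ["inetOrgPerson"],
     "mail": ["other@example.de"], "memberOf": ["CN=Piler_Auditor,OU=groups,DC=example,DC=de"]},
]
```

With the original objectclass "user" the lookup finds nothing for these entries, which is the symptom the reporter hit; with "*" or the directory's real objectclass it finds the account, and the role then depends on whether the group DN matches exactly.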
repo owner Well, that's definitely a solution, however you can fix $ldap_account_objectclass by setting $config['LDAP_ACCOUNT_OBJECTCLASS'] in config-site.php. Btw. you didn't confirm that the case sensitivity is not a problem in your case.
reporter Yeah, I know. I tried to change it manually since I opted to try changing some other variables as well.
$config['LDAP_AUDITOR_MEMBER_DN']='cn=piler_auditor,ou=groups,dc=example,dc=de';
This is the config i use for the auditor auth.
$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'ldap://example';
$config['LDAP_HELPER_DN'] = 'cn=example,dc=example,dc=de';
$config['LDAP_HELPER_PASSWORD'] = 'XXXXXXXXX';
$config['LDAP_MAIL_ATTR'] = "mail";
$config['LDAP_AUDITOR_MEMBER_DN'] = 'cn=piler_auditor,ou=groups,dc=example,dc=de';
$config['LDAP_ADMIN_MEMBER_DN'] = 'cn=piler_admin,ou=groups,dc=example,dc=de';
$config['LDAP_BASE_DN'] = "dc=example,dc=de";
This is my complete config for the ldap auth.
repo owner OK. Please clarify if the given user has 'cn=piler_auditor,ou=groups,dc=brille24,dc=de' (with lower case) in the user's group membership attributes.
reporter We found the solution: we had to change the DISTRIBUTIONLIST_ATTR to match a different attribute and authenticate our users with a uid instead of mail. Sorry that I wasted your time and thank you for your help.
reporter - changed status to resolved
repo owner Not sure if you are on the mailing list. If not, then I'd like you to check out this email: http://www.mail-archive.com/piler-user@list.acts.hu/msg01212.html Basically it's about obtaining GOBD certification for piler, and I need some helping hands to prepare for a crowdfunding project.
What did you change in auth.php exactly? Also check if the given user is part of LDAP_AUDITOR_MEMBER_DN. Note that it's case sensitive.