Active Directory Issue

#53018 (In Topic #11546)

My users aren't in the default USER

Hi.

I kind of figure that OCP looks in the "Users" organisational unit in Windows AD.

No, unfortunately, all my users are in a separate OU. (See pic attached.)
#53021

It's a shame really, as EMAILING doesn't work either. I'm not an IT noob either, and have many mini sites on my server, including an IT Helpdesk which mails fine.
Shame, as this CMS looks pretty funky, and has nearly all the features I'd like to make my staff's lives more interesting and cater for a better working environment.
#53022

Hi,

You're right, it does. I'm by no means an expert on LDAP/Active Directory – we got the support working on standard installations but it looks like you have a more sophisticated scheme.
If you look in sources/ocf_ldap.php you'll see that cn=Users appears a lot. I'd try changing it to:

Code

cn=Bristol,cn=Users,cn=Staff

Hopefully that'll work. I don't know enough about LDAP to say whether you can leave out segments of the address (Client Servers…Training) and have searches still match - I guess you can. I wonder what happens if you change the order.

I'm not sure why we're not referring to them as 'ou' like we do for OpenLDAP, but we had to use 'cn' instead to make it work on Active Directory. If you know the answer I'd be very interested; to be honest I'm not entirely sure of the difference from an addressing point of view.

I'm interested in if the deep paths in your Active Directory tree affect logins, or does Windows search throughout the entire directory, perhaps enforcing a uniqueness constraint across all levels?

I know typically the developers of software answer rather than ask questions, but I could use some enlightenment here  :lol:.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#53023

doughall said

It's a shame really, as EMAILING doesn't work either. I'm not an IT noob either, and have many mini sites on my server, including an IT Helpdesk which mails fine.
Shame, as this CMS looks pretty funky, and has nearly all the features I'd like to make my staff's lives more interesting and cater for a better working environment.

You mean the site can't send any e-mails out at all, or that it can't pull them from A.D? If it's the former, I think there's something in our FAQ about this. Make sure PHP is configured right, or that ocPortal overrides the SMTP configuration itself. Also make sure it's not getting spam filtered due to SPF/Sender-ID.


#53025

Oops! My bad! I didn't spell my own SMTP server's name properly! It does work!

On most LDAP-integrated sites I have on my servers, it searches for an attribute in Active Directory from the root. For example, if my root is DC=c2c,DC=local and the sAMAccountName=dhall, then it will search recursively through all the OUs etc. until it finds the account. (I'll post the config in a sec for my helpdesk if you're interested.)

The thing is, that on ocPortal, if I type in a valid username, for example "dhall", and the correct password, it comes up "Invalid Password", but if I intentionally misspell the username, "ddhall", it says username not found. The password is definitely correct, as it's mine. :)

Code

$Self->{CustomerUser2} = {
    Module => 'Kernel::System::CustomerUser::LDAP',
    Params => {
        Name => 'C2C AD',
        # ldap host
        Host => '10.10.2.1',
        # ldap base dn (search from the domain root, not a single OU)
        #BaseDN => 'OU=Bristol,DC=c2c,DC=local',
        BaseDN => 'DC=c2c,DC=local',
        # search scope (one|sub)
        SSCOPE => 'sub',
        # The following is valid but would only be necessary if the
        # anonymous user does NOT have permission to read from the LDAP tree
        UserDN => 'CN=IT Admin,OU=NO GPOs,DC=c2c,DC=local',
        UserPw => 'NOT TELLING',
        CustomerUserSearchListLimit => 550,
        AlwaysFilter => '',
        SourceCharset => 'utf-8',
        DestCharset => 'iso-8859-1',
    },
    # customer uniq id
    CustomerKey => 'sAMAccountName',
    # customer #
    CustomerID => 'mail',
    CustomerUserListFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchFields => ['sAMAccountName', 'cn', 'mail'],
    CustomerUserSearchPrefix => '',
    CustomerUserSearchSuffix => '*',
    CustomerUserSearchListLimit => 250,
    CustomerUserPostMasterSearchFields => ['mail'],
    CustomerUserNameFields => ['givenname', 'sn'],
    Map => [
        # note: Login, Email and CustomerID needed!
        # var, frontend, storage, shown, required, storage-type
        #[ 'UserSalutation', 'Title', 'title', 1, 0, 'var' ],
        [ 'UserFirstname', 'Firstname', 'givenname', 1, 1, 'var' ],
        [ 'UserLastname', 'Lastname', 'sn', 1, 1, 'var' ],
        [ 'UserLogin', 'Login', 'sAMAccountName', 1, 1, 'var' ],
        [ 'UserEmail', 'Email', 'mail', 1, 1, 'var' ],
        [ 'UserCustomerID', 'CustomerID', 'mail', 0, 1, 'var' ],
        [ 'UserPhone', 'Phone', 'telephonenumber', 1, 0, 'var' ],
        #[ 'UserAddress', 'Address', 'postaladdress', 1, 0, 'var' ],
        #[ 'UserComment', 'Comment', 'description', 1, 0, 'var' ],
    ],
};
#53026

Oh, and LDAP sync doesn't work either. :(
#53027

Hi,

If you want me to try and debug this on your server, please open up a bug report with details I'd need to test a login (e.g. test username) and something like FTP so I can make file changes…

https://ocportal.com/site/tickets/ticket.htm?ticket_template=bug&cost=free


#53028

Many thanks for the offer Chris, but it's not public. Local server serving local clients.
#53029

If it's possible to set a debug log somewhere…
#53030

I can throw out some suggestions/questions to you if you have the patience to keep trying them. I just don't want to take up lots of your time.

The first thing I would do to debug login is change:

Code

if (@ldap_bind($LDAP_CONNECTION,$pre.$cn,$password))
to:

Code

if (ldap_bind($LDAP_CONNECTION,$pre.$cn,$password))

That'll make it spit out errors. We suppress errors as OpenLDAP puts spurious ones out, but by reading the error here we might learn something.

One recent LDAP problem was that the logins actually needed to be prepended with a Windows domain, like "EXAMPLE\someuser". If that's the case we need to go into OcCLE and type:

Code

:set_value('ldap_login_qualifier','EXAMPLE\\');
But before we try that let's see if the bind command (an auth check, essentially) says anything interesting.
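Added example (Python, not ocPortal code and not anything doughall or Chris posted): the two-step login that the OTRS configuration in #53025 and the bind-debugging post above both describe, run against a simulated domain controller so it works offline. It ties together the points raised in #53022 and #53030: accounts that live in nested OUs are found only by a subtree search from the domain root, not from a hard-coded cn=Users container; the bind identity can be a DN, a UPN or DOMAIN\user (the forms mentioned in the thread; which of these a real server accepts is the directory's decision, so the simulated server's rule is an assumption); the account name is escaped before it goes into the filter, so a crafted login cannot change the query; an empty password is refused before binding, because an unauthenticated bind can succeed as anonymous; and an unknown user and a wrong password get the same answer, since the two different messages doughall observed in #53025 tell a caller which account names exist. Everything in the tree (example.local, jdoe, svc-portal, the passwords) is constructed, attributes are single-valued and RDNs contain no escaped commas, all of which are simplifications for the example.

```python
# Added example, not ocPortal code: search-then-bind against a simulated
# Active Directory tree. Directory contents, names and passwords are constructed.
import re
from dataclasses import dataclass

@dataclass
class Entry:
    dn: str
    attrs: dict           # lower-cased attribute name -> single value (simplification)
    password: str = ""    # constructed; set only on accounts that can bind

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3)."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"\\*()\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)

def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the simulated server."""
    buf = bytearray()
    for part in re.split(r"(\\[0-9a-fA-F]{2})", value):
        if re.fullmatch(r"\\[0-9a-fA-F]{2}", part):
            buf.append(int(part[1:], 16))
        else:
            buf.extend(part.encode("utf-8"))
    return buf.decode("utf-8")

def user_search_filter(sam_account_name: str) -> str:
    """Filter for one account anywhere under the search base; the value is escaped
    so a login such as '*)(objectClass=*' cannot alter the filter's structure."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(sam_account_name)

_PAIR = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")

class FakeDirectory:
    """In-memory stand-in for a domain controller (assumption: simple bind accepts
    a DN, a UPN 'sam@realm' or an NT4 name 'NETBIOS\\sam')."""
    def __init__(self, entries, realm, netbios):
        self.entries, self.realm, self.netbios = entries, realm.lower(), netbios.lower()

    def search(self, base_dn, scope, ldap_filter):
        """Handles the AND-of-equalities filters user_search_filter() produces."""
        wanted = {a.lower(): unescape_filter_value(v).lower() for a, v in _PAIR.findall(ldap_filter)}
        base, hits = base_dn.lower(), []
        for e in self.entries:
            dn = e.dn.lower()
            if scope == "sub":
                in_scope = dn == base or dn.endswith("," + base)
            else:  # "one": direct children of the base only
                in_scope = dn.split(",", 1)[-1] == base and dn != base
            if in_scope and all(e.attrs.get(a, "").lower() == v for a, v in wanted.items()):
                hits.append(e)
        return hits

    def bind(self, identity, password):
        """Simple bind. An empty password is an *unauthenticated* bind, which many
        servers accept as anonymous (RFC 4513 section 5.1.2); it proves nothing."""
        if password == "":
            return True
        e = self._lookup(identity)
        return e is not None and e.password == password

    def _lookup(self, identity):
        ident = identity.lower()
        for e in self.entries:
            sam = e.attrs.get("samaccountname", "").lower()
            if sam and ident in (e.dn.lower(), "%s@%s" % (sam, self.realm), "%s\\%s" % (self.netbios, sam)):
                return e
        return None

AUTH_FAILED = "Invalid username or password"  # one message whatever the cause

def authenticate(directory, base_dn, service_dn, service_pw, username, password):
    """Bind as a service account, subtree-search the whole domain for the
    sAMAccountName, then bind as the DN that was found. Returns (ok, dn_or_message)."""
    if not password:                       # never let an unauthenticated bind count as a login
        return False, AUTH_FAILED
    if not service_pw or not directory.bind(service_dn, service_pw):
        raise RuntimeError("service bind failed: check the service DN and password")
    hits = directory.search(base_dn, "sub", user_search_filter(username))
    if len(hits) != 1:                     # unknown or ambiguous: same answer as a wrong password
        return False, AUTH_FAILED
    if not directory.bind(hits[0].dn, password):
        return False, AUTH_FAILED
    return True, hits[0].dn

# Constructed tree modelled on the thread's layout: users in nested OUs, not in CN=Users.
BASE_DN = "DC=example,DC=local"
SERVICE_DN = "CN=Portal Service,CN=Users," + BASE_DN
DIRECTORY = FakeDirectory(
    [
        Entry("CN=Users," + BASE_DN, {"objectclass": "container"}),
        Entry("OU=Bristol," + BASE_DN, {"objectclass": "organizationalUnit"}),
        Entry("OU=Users,OU=Bristol," + BASE_DN, {"objectclass": "organizationalUnit"}),
        Entry("OU=IT,OU=Users,OU=Bristol," + BASE_DN, {"objectclass": "organizationalUnit"}),
        Entry("CN=Jane Doe,OU=IT,OU=Users,OU=Bristol," + BASE_DN,
              {"objectclass": "user", "samaccountname": "jdoe", "cn": "Jane Doe"}, "correct horse"),
        Entry(SERVICE_DN, {"objectclass": "user", "samaccountname": "svc-portal", "cn": "Portal Service"}, "svc-secret"),
    ],
    realm="example.local", netbios="EXAMPLE",
)
```

Searching with base CN=Users,DC=example,DC=local returns nothing for jdoe, while the same filter from DC=example,DC=local finds her one level at a time down the OU chain; that is the difference between a hard-coded container and the root-plus-`sub` search in the OTRS configuration. Against a real server the same flow is `ldap_bind` (service), `ldap_search` with `LDAP_SCOPE_SUBTREE`, then `ldap_bind` with the returned DN; the escaping and the empty-password check apply unchanged.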


#53031

Chris, I'm happy for any support you can give. As I said, I really wouldn't mind using this, and as for using up my time… I'm the boss! :)



DEBUG -
Function 'ocportal_error_handler'
Args
2
'ldap_bind() [function.ldap-bind.php]: Unable to bind to server: Invalid credentials'
'/var/www/html/home2/sources/ocf_ldap.php'
188
array ( 'cn' => 'dhallagent', 'password' => 'xxxxxxxxxx', 'LDAP_CONNECTION' => NULL, 'pre' => '', )



When trying the CLI part, I get "There was a problem retrieving the XML Data - 403 Forbidden".
#53032

I have tried ALL permutations for binding to the AD LDAP Server.
dhall
dhall@c2c.local
Even the full DN - CN=Doug Hall,OU=IT,OU=Users,OU=Bristol,DC=c2c,DC=local
#53033

Is dhallagent the CN, or is there a different CN (like a human name)? If there's a different one, please try that.


#53034

dhallagent is a standard user account I have, and dhall is a full domain admin "god" account.
dhalladmin has the same rights etc. as all the users out in the back office.
I have tried 2 other accounts. No joy.
#53035

To update, I've reluctantly made "Anonymous Bind" available on Active Directory. Anon bind tested outside of the website, and works. Still no go via ocPortal.
#53036

I mean, if you look in Active Directory for 'dhallagent', is the CN actually something different? I believe in Active Directory the usernames are different from the CN's.


#53038

Hi,

I've re-read through all this, and it seems I would really need to step through the code line-by-line to work out exactly what to do, as I just don't know Active Directory well enough to relate your configuration and the code without lots of experimentation. Unfortunately there's no way I can replicate an environment to test in, so I don't think there's much more I can do to resolve this, unless somehow you managed to get an ocPortal setup linked in to your LDAP server but available via the web.

