LDAP woes: Setup but not?

#90692 (In Topic #18316)

LDAP has not been enabled in your configuration

So I am baffled. I have set up OCP before, but this is the first time trying to incorporate it into my existing AD infrastructure.

This server is self-hosted, running the latest Debian build, and also running Request Tracker 4, which is currently successfully using LDAP auth from the same DC. OCP is 9.0.1.

Now, I have gone through the configuration > forum > LDAP settings, but when I go to security > LDAP I get the "LDAP has not been enabled in your configuration" error.

Am I missing something in apache2? I followed the install directions.

Here is the Stack trace...
(version: 9.0.1, PHP version: 5.3.3-7+squeeze14, URL: /portal/adminzone/index.php?page=admin_ocf_ldap&type=misc&keep_fatalistic=1)

Stack trace…

File -> '/var/www/portal/sources/failure.php'
Line -> 693
Function -> 'die_html_trace'
Args -> array

File -> '/var/www/portal/sources/global2.php'
Line -> 1009
Function -> '_fatal_exit'
Args -> array

File -> '/var/www/portal/sources/failure.php'
Line -> 240
Function -> 'fatal_exit'
Args -> array

File -> '/var/www/portal/sources/global2.php'
Line -> 969
Function -> '_generic_exit'
Args -> array

File -> '/var/www/portal/adminzone/pages/modules/admin_ocf_ldap.php'
Line -> 129
Function -> 'warn_exit'
Args -> array

File -> '/var/www/portal/sources/zones.php'
Line -> 425
Function -> 'run'
Class -> 'Module_admin_ocf_ldap'
Object -> Module_admin_ocf_ldap::__set_state(array( ))
Type -> '->'
Args -> array ( )

File -> '/var/www/portal/sources/site.php'
Line -> 838
Function -> 'load_module_page'
Args -> array ( 0 => 'adminzone/pages/modules/admin_ocf_ldap.php', 1 => 'admin_ocf_ldap', )

File -> '/var/www/portal/sources/site.php'
Line -> 629
Function -> 'request_page'
Args -> array ( 0 => 'admin_ocf_ldap', 1 => true, )

File -> '/var/www/portal/adminzone/index.php'
Line -> 39
Function -> 'do_site'
Args -> array ( )

#90694

The code in ocPortal to load up LDAP is contingent on this passing…

Code

if ((function_exists('ldap_connect')) && (get_option('ldap_is_enabled',true)=='1'))

Check the 'ldap_is_enabled' option is on (putting that into the admin zone search will find it, it'll have a human readable but similar display name).

Moreover though, make sure the PHP LDAP extension is installed.


Become a fan of ocPortal on Facebook or add me as a friend. Add me on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.
#90696

Thank you, my next question was going to be whether I need an apache2 LDAP component or only a PHP-specific one.

From a shell on Debian, running apt-get install php5-ldap seems to have done the trick.

Now on to my next error, which I think is in my OCP LDAP config:
"LDAP: Invalid credentials; 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece"

#90697

This is where it gets highly technical, LDAP isn't so easy to configure right. I could help but it would need to be via a support ticket.


#90699

Unfortunately I can't get a purchase approved for a concept that I am trying to prove out. Is there a way to make ocPortal log more verbosely, like a debug mode, or am I just missing a log file somewhere?
#90700

You can always stick &keep_fatalistic=1 on the URL like you did before (via the show stack trace link). That'll show where any error comes from. ocPortal doesn't really skip over errors so there's a good chance that'll take you to the root of the problem.


#90701

Ah, and we also have &keep_ldap_debug=1 to make it spit out the error behind a failed member-login bind. That largely overlaps with keep_fatalistic in many places.


#90702

Does
http://my.domain.com/portal/adminzone/index.php?page=admin_config&type=category&id=SECTION_FORUMS#group_LDAP

put the values in quotes (single or double), or do I need to place the quotes around something like the username

CN=LDAP User,CN=Users,DC=domain,DC=com

(and no, my domain is not "domain") :)
#90703

You shouldn't need quotes anywhere.


#90704

Hmm, well, everything I can find on this error suggests that it can't find the user. Of course, I'm not even sure it thinks it can find the server.
#90705

Is it the initial bind failing, or a login?

Initial bind (controlled via the 'Username (RDN) for binding to LDAP server…' option) uses this code:

Code

$test=@ldap_bind($LDAP_CONNECTION,$login,get_option('ldap_bind_password')); // This sometimes causes errors, and isn't always needed. Hence error output is suppressed
You could try putting exit($login); before that line to confirm what ocPortal is connecting with, and then testing that against an external tool or what your own LDAP directory browser is saying.

The actual login uses this line, and a similar remark applies:

Code

$test=@ldap_bind($LDAP_CONNECTION,$login,$password);


#90706

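Building on the two ldap_bind() lines quoted in the reply above: the '@' only silences PHP's warning, it does not erase the LDAP result, which stays readable through ldap_errno() and ldap_error() after the failed call. The script below is an added example written for this thread, not code from ocPortal. It binds the same way, keeps the result code and the server's diagnostic for the server log, and decodes the "data 525" sub-code from the error the original poster pasted. The table of Active Directory sub-codes is standard AD behaviour rather than something stated in the thread; the LDAP_OPT_DIAGNOSTIC_MESSAGE constant is assumed to be available in the reader's PHP build (the code checks before using it); the script name, host and DN in the usage comment are placeholders.

```php
<?php
// Added example, not ocPortal's code: bind the way sources/ocf_ldap.php does,
// but keep the LDAP result and the server's diagnostic instead of discarding
// them, and decode the Active Directory sub-code ("data 525") from the thread.

// Sub-codes Active Directory puts after "data " in an AcceptSecurityContext
// failure. General AD behaviour, not something stated in the thread.
function ad_bind_subcodes() {
    return array(
        '525' => 'user not found',
        '52e' => 'invalid credentials (wrong password)',
        '530' => 'not permitted to log on at this time',
        '531' => 'not permitted to log on at this workstation',
        '532' => 'password expired',
        '533' => 'account disabled',
        '701' => 'account expired',
        '773' => 'user must reset password',
        '775' => 'account locked out',
    );
}

// Extract "data NNN" from a diagnostic string. Null when the field is absent
// (non-AD directories, or a failure with no extended message).
function decode_ad_bind_error($diagnostic) {
    if (!preg_match('/\bdata ([0-9a-fA-F]+)\b/', $diagnostic, $m)) {
        return null;
    }
    $code = strtolower($m[1]);
    $table = ad_bind_subcodes();
    return isset($table[$code]) ? $table[$code] : 'unrecognised sub-code ' . $code;
}

// Simple bind returning array(bool ok, string detail). The '@' only silences
// PHP's E_WARNING; ldap_errno()/ldap_error() still carry the server's result,
// which is what the suppressed call on the page throws away. $detail is for
// the server log only: telling the browser whether the account is missing,
// the password wrong or the account locked is an enumeration oracle.
function ldap_bind_with_diagnostics($conn, $login, $password) {
    if ($password === '') {
        // An empty password turns a simple bind into an unauthenticated bind,
        // which Active Directory accepts. Fail closed before touching the wire.
        return array(false, 'empty password rejected before bind');
    }
    if (@ldap_bind($conn, $login, $password)) {
        return array(true, 'bound as ' . $login);
    }
    $detail = 'bind as ' . $login . ' failed: ' . ldap_errno($conn) . ' ' . ldap_error($conn);
    $diag = '';
    // Assumes this PHP build exposes LDAP_OPT_DIAGNOSTIC_MESSAGE; guarded so
    // older builds still get the plain ldap_error() text.
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')
        && ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag)
        && $diag !== '') {
        $detail .= '; ' . $diag;
        $meaning = decode_ad_bind_error($diag);
        if ($meaning !== null) {
            $detail .= ' [' . $meaning . ']';
        }
    }
    return array(false, $detail);
}

// Constructed input: the diagnostic the original poster reported.
$sample = '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece';
echo decode_ad_bind_error($sample), "\n";

// Live check from a shell, with the password kept out of the process list:
//   LDAP_BIND_PW='secret' php bind_check.php ldap://dc.example.com 'CN=LDAP User,CN=Users,DC=example,DC=com'
// (script name, host and DN are placeholders).
$bind_pw = getenv('LDAP_BIND_PW');
if (function_exists('ldap_connect') && isset($argv[2]) && $bind_pw !== false) {
    $conn = ldap_connect($argv[1]);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // AD needs LDAPv3; PHP defaults to v2
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);        // do not chase AD referrals
    list($ok, $detail) = ldap_bind_with_diagnostics($conn, $argv[2], $bind_pw);
    error_log($detail);                                   // server log, never the page
    echo $ok ? "bind ok\n" : "bind failed, see server log\n";
}
```

Run without arguments it only decodes the constructed sample; with a URL and bind DN it performs the bind the maintainer suggested testing externally, which is the quickest way to tell whether the DN ocPortal builds is the one the domain controller will accept. The empty-password guard matters because the member-login bind on the page passes whatever the login form submitted straight to ldap_bind().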
This is in sources/ocf_ldap.php


#90708

This is on the bind: right after I save the forum/LDAP settings, this pops up as a warning at the top.

I get the same error when I try to log in with a different user.

I'm not sure how to test that with an external tool. Putting that line in did not seem to change anything, though I think I'm missing a step from your suggestion.
#90710

OK, so I am getting this:
CN=LDAP User@CN=Users,DC=domain,DC=com
#90711

I get the same error

What's the stack trace of the error?


#90712

OK, in sources/ocf_ldap.php I commented out $login=ldap_get_login_string($cn);

and replaced it with $login='CN=LDAP User,CN=Users,DC=mydomain,DC=com';

and it now works… so did I put something in the form wrong, or is ldap_get_login_string doing something funny?
#90713

Did you try setting the Username to simply LDAP User? It builds up the rest of the bind DN from other settings.

Code

$login=member_property().'='.$cn.','.member_search_qualifier().get_option('ldap_base_dn');


#90714

Although actually the code is supposed to allow the full DN in Username too, if you set it.

If 'LDAP login domain' was set, that'd fox it – it'd use the Active Directory style logins; maybe that was your problem.


#90716

I actually tried setting every field; I still ended up with an "@" in there.

So setting it manually, for me at least, seems like it's going to be the way it is for right now. Thank you for your help!
#90717

The only '@' I can find in the code is here:

Code

if (member_property()=='sAMAccountName')
{
   $login=$cn.'@'.preg_replace('#^dc=#','',str_replace(',dc=','.',get_option('ldap_base_dn')));

But it would be odd if you were using 'sAMAccountName'; I think you said Linux.


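The '@' the poster kept seeing ("CN=LDAP User@CN=Users,DC=domain,DC=com") can only come from the sAMAccountName branch quoted above, so the member property was set to sAMAccountName, which is the usual choice for Active Directory. The suffix stayed an unconverted DN because str_replace() and the '#^dc=#' pattern are both case-sensitive and only match lower-case dc=, while the base DN was typed AD-style with upper-case DC=. Even lower-cased, a base DN that contains a container such as cn=Users turns into "cn=Users.domain.com" rather than "domain.com". The script below is an added example, not ocPortal's code: it puts the page's conversion next to one that tolerates either case and drops non-DC components, and builds the bind string both for the configured bind account (the ldap_get_login_string() line from #90713, including the full-DN form the poster ended up hard-coding) and for a name typed by a member at login. Assumptions: $search_qualifier stands in for the page's member_search_qualifier() and is either empty or a container prefix ending in a comma; the sAMAccountName whitelist is a conservative choice of mine; all function names are mine.

```php
<?php
// Added example, not ocPortal's code: the page's UPN-suffix conversion next to
// a case-insensitive one, plus bind-string builders for the configured bind
// account and for a member's typed login name.

// The conversion quoted from the page, verbatim. str_replace() and the
// '#^dc=#' pattern are both case-sensitive, so a base DN written Active
// Directory style ("DC=domain,DC=com") passes through untouched.
function legacy_upn_suffix($base_dn) {
    return preg_replace('#^dc=#', '', str_replace(',dc=', '.', $base_dn));
}

// Split the DN on unescaped commas, keep the DC components (any case) in
// order, join them with dots. Containers such as "CN=Users" are dropped: a
// UPN suffix is the DNS domain, not a directory path.
function upn_suffix_from_base_dn($base_dn) {
    $labels = array();
    foreach (preg_split('/(?<!\\\\),/', $base_dn) as $rdn) {
        $parts = explode('=', trim($rdn), 2);
        if (count($parts) === 2 && strcasecmp(trim($parts[0]), 'dc') === 0) {
            $labels[] = trim($parts[1]);
        }
    }
    return implode('.', $labels);
}

// RFC 4514 escaping for one attribute value inside a DN, so a login name
// cannot add or rewrite RDNs. Backslash first, then the other specials.
function escape_dn_value($value) {
    foreach (array('\\', ',', '+', '"', '<', '>', ';', '=') as $c) {
        $value = str_replace($c, '\\' . $c, $value);
    }
    if (substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ ';
    }
    if ($value !== '' && ($value[0] === '#' || $value[0] === ' ')) {
        $value = '\\' . $value;
    }
    return $value;
}

// The admin-configured bind account ("Username (RDN) for binding..."). A value
// containing '=' is taken as a full DN, the form the poster hard-coded; a bare
// name is expanded like the page's ldap_get_login_string(). $search_qualifier
// stands in for member_search_qualifier() and is assumed to be '' or a
// container prefix ending in a comma, e.g. 'CN=Users,'.
function bind_account_login($configured, $member_property, $base_dn, $search_qualifier = '') {
    if (strpos($configured, '=') !== false) {
        return $configured;
    }
    if (strcasecmp($member_property, 'sAMAccountName') === 0) {
        return $configured . '@' . upn_suffix_from_base_dn($base_dn);
    }
    return $member_property . '=' . $configured . ',' . $search_qualifier . $base_dn;
}

// A name typed into the login form is untrusted: it is never accepted as a
// DN, it is escaped in the DN form, and it is limited to a conservative
// character set in the UPN form. Null means "do not attempt a bind".
function member_login($username, $member_property, $base_dn, $search_qualifier = '') {
    if (strcasecmp($member_property, 'sAMAccountName') === 0) {
        if (!preg_match('/^[A-Za-z0-9._ -]{1,64}\z/', $username)) {
            return null;
        }
        return $username . '@' . upn_suffix_from_base_dn($base_dn);
    }
    return $member_property . '=' . escape_dn_value($username) . ',' . $search_qualifier . $base_dn;
}

// Constructed inputs using the thread's placeholder domain.
$base = 'CN=Users,DC=domain,DC=com';
echo legacy_upn_suffix($base), "\n";              // untouched: no lower-case dc= for either replacement to match
echo legacy_upn_suffix('dc=domain,dc=com'), "\n"; // the only layout the page's conversion handles
echo upn_suffix_from_base_dn($base), "\n";
echo bind_account_login('LDAP User', 'sAMAccountName', $base), "\n";
echo bind_account_login('LDAP User', 'cn', 'DC=domain,DC=com', 'CN=Users,'), "\n";
echo bind_account_login('CN=LDAP User,CN=Users,DC=domain,DC=com', 'cn', $base), "\n";
echo member_login('jdoe', 'cn', 'DC=domain,DC=com', 'CN=Users,'), "\n";
echo member_login('jdoe,CN=Domain Admins', 'cn', 'DC=domain,DC=com', 'CN=Users,'), "\n"; // comma and '=' escaped
var_dump(member_login('jdoe@other.example', 'sAMAccountName', $base));                   // rejected by the whitelist
```

Without changing ocPortal's code, the same bind string the hardened builder produces requires the base DN option to be entered lower-case and to contain only dc= components (dc=domain,dc=com); a cn= container belongs in the search qualifier, not the base DN. The escaping in member_login() addresses a separate problem the page's login line has: the submitted username is concatenated straight into the DN, so a value such as "jdoe,CN=Domain Admins" would change which entry the bind is attempted against.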