I'm making progress with the redesign for 5x-2-dev. My plan is to finish the LDAP Auth module before creating a dev release, but that should be soon. In the mean time I was hoping to get some early testers on the user interfaces & server testing changes I've made. The more testing & feedback I get now, the more stable this will be and the sooner I can move on to an official 6x release. Please help, especially if you have access to LDAP servers other than OpenLDAP & Microsoft AD.

A word of caution: Please only test this on a test site. I'm not sure reverting to the old module will work with existing LDAP users yet. It has been a major redesign and will require an uninstall of previous version - updating will not work - though when released that should not effect any user accounts.

I'm looking for feedback on:

  • New administer page layout - settings/admin/ldapcore
  • New LDAP server test functionality - attempts to provide feedback on configuration for both anonymous & non-anonymous binding.
  • Enabling related modules

Things to try:

  • Adding, activating, editing, and deleting LDAP servers on LDAP Core admin page
  • Enabling & disabling 2 test LDAP modules (LDAPtest & LDAPtest2); neither does anything functional other than interact with the LDAP Core admin page
  • Create known bad & known good LDAP configurations to check server test identification of errors & feedback. Testing servers is done from settings/admin/ldapcore once a server is created.

Please restrict your comments to clear, concise suggestions and feedback so I can keep working on the next release. Include screenshots if applicable & useful.

Thanks,
Matt

CommentFileSizeAuthor
#15 image.png28.82 KBAnonymous (not verified)
#13 image.png27.76 KBAnonymous (not verified)
#12 ldap_integration_5x-2-dev_alpha.tar_.gz11.07 KBscafmac
#10 image1.png30.59 KBAnonymous (not verified)
#5 case1.png50.77 KBjohnbarclay
#5 case2.png52.83 KBjohnbarclay
#5 case3.png56.01 KBjohnbarclay
#2 initial.png59.24 KBjohnbarclay
#2 test_success.png83.06 KBjohnbarclay
ldap_integration_5x-2-dev_alpha.tgz10.99 KBscafmac

Comments

cwgordon7’s picture

Awesome!

*subscribe* :)

johnbarclay’s picture

StatusFileSize
new83.06 KB
new59.24 KB

I installed the attachement. Generally like the interface, especially the "test" and activate/deactivate functionality.

======================================
I had to change line 4 of ldapcore.module to include the correct path:
form:
include_once('ldap_integration/LDAPInterface.php');
to:
include_once('LDAPInterface.php');
to get it to work.

===============================================
Initial /admin/settings/ldapcore after configuring ldap server (initial.jpg) :

- has extra "Enable LDAP test" row in table
- table not structured correctly. First row has no checkbox, last row has 2 checkboxes Showing

===============================================
"Test" link success: Good LDAP Configuration and Password. (test_Success.png)
- shows "LDAPInterface: Success" twice
- event though successful, shows in red

===============================================
When changing to Bad LDAP Port:
- There is a long delay, then I get a redbox error:

warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Can't contact LDAP server in /Library/WebServer/Documents/drupalshared/sites/portal.ed.uiuc.edu/modules/ldaptest/LDAPInterface.php on line 151.

This error comes up on any page after bad LDAP conf data is given.

This is a good error catch. But I'm expecting it to take the configuration, then let me use the test link to test it.

When I hit the test link afterward (http://portal.ed.uiuc.edu/admin/settings/ldapcore/test/UIUC_LDAP) the page timesout rather than giving me a failed test page. After that all pages timeout event the root page until I fix the port number via mysql interface.

Perhaps a new ldap configuration should start in a deactivated state, until the user activates it. That way the user can use the test link first and get a better error message.

===============================================

Deactivate and Activate works as expected.

==========================================
Privileged is correct spelling of Privledged
==========================================
When i test a desctivated LDAP, it gives me an "Access Denied" page. Seems reasonable, but maybe should say "you need to activate this LDAP before testing". Though it seems you should be able to test it without activating it.

============================
enabling and disabling 2 test ldap modules worked fine.

scafmac’s picture

John,

Thanks for the comments. Regarding the first one - I've checked the tar file and my own copy. They both match and contain the correct include line which is:

include_once('ldap_integration/LDAPInterface.php');

If your LDAPInterface.php file is in the root ldap_integration directory, then it is not right. What did you use to untar the download? The md5sum of the download should match the one below. If the md5sum differ, would you try to download it again or else send me the copy you downloaded?
ldap_integration_5x-2-dev_alpha.tgz md5sum: 25c110709fd2c2131810ca19f49199db

If you retry, make sure to uninstall the modules first, or you could try just truncating the modules table. Thanks for the images. To help with the extra checkboxes, would you be able to send the contents of the {ldapcore} & {ldapmodule} tables before you nuke em? Minus any sensitive data, but you appear not to have a privileged account set up so that should be easy.

Quite unfortunately the LDAP library returns that LDAP message "Success" when my configuration is wrong. So far I believe I've only seen it when the attribute array is empty on search. I'll double check that - you have no control over it. Once I better understand what causes it, I will catch it & replace the message.

With regard to the repeated message - it should happen once / per base DN. So, do you have 2 base DNs set?

Can you confirm the following:

  • There is no privileged dn & password set up in your success.png test? Or at least one of them (DN or password) is missing?
  • Your server allows anonymous binds.
  • Does your server allow anonymous searches for CNs?
  • You have set up two base DNs?
  • You had TLS enabled for the bad port test? Did you have it on for other tests too and it worked then?
  • Did you try bad server URIs and get reasonable error message?
  • You only turned on the one LDAPTest module?

Thanks

darthclue@drupal.org’s picture

In general, I can echo and confirm most everything that johnbarclay reported.

========================================================

My LDAPInterface.php was in the correct location (ldap_integration/LDAPInterface.php) so this wasn't an issue for me.

========================================================

New interface is nice and having the test/activate/deactivate right there is nice. Would be better if servers were deactivated by default and could be tested before being activated.

========================================================

I also receive the red box error when attempting TLS (which I know isn't working):

warning: ldap_start_tls() [function.ldap-start-tls]: Unable to start TLS: Protocol error in /var/www/d5/sites/all/modules/ldap_integration/ldap_integration/LDAPInterface.php on line 151.

But I am able to recover via the web interface by just turning it off.

========================================================

If I don't have either of the testing modules enabled I get the following error when hitting 'Save Configuration' at admin/settings/ldapcore:

warning: Invalid argument supplied for foreach() in /var/www/d5/sites/all/modules/ldap_integration/ldapcore.module on line 652.

========================================================

I can confirm that having both testing modules enabled results in the Dual checkboxes situation as shown in johns initial.jpg.

========================================================

Attempted a test with 2 Base DN's; one good, one bad. Got 2 distinct messages, one good, one bad.

LDAPInterface: Success (This happens when I provide a bad DN to search on)
LDAPInterface: Anonymous search succeeded (This happens when I provide a good DN to search on)

========================================================

Attempted a test with a known bad server URI and got the following:

LDAPInterface: Success (Red Message)
LDAPInterface: Anonymous bind failed (Yellow Message)

========================================================

I know that in my case I shouldn't ever have 2 or max 3 ldap servers but there could be rare users who have enough that the new layout could be a problem. I added a total of 5 just to see what the interface does and I can see where this could become very difficult to use.

========================================================

I'm guessing that this is a feature incomplete interface as I noticed several things missing including the system wide options tab and settings for username attribute and email attribute.

Overall, I like the changes. Looking forward to seeing more.

johnbarclay’s picture

StatusFileSize
new56.01 KB
new52.83 KB
new50.77 KB

Configuration: I have one base DN and a privileged user. My server does not allow anonymous searches. I had TLS enabled in all cases and it worked with all configs correct.

I have 3 test cases with everything configured correctly, images of test cases attached. I'm guessing the problem is in the ldapcore_admin_list_checkboxes theming function.

======================================
Case 1: both ldaptest and ldaptest 2 modules disabled on test of ldap:

Red: 2 x LDAPInterface: Success
Yellow: LDAPInterface: Anonymous search failed or found nothing. Possible causes:

* Anonymous binds allowed, but not searches - should see one "LDAPInterface: Operation error" for each Base DN.
* Nothing found in any base DNs. If no "Operation error", check DNs.
* All base DNs missing. Add at least one.
Green: LDAPInterface: Privledged search succeeded

======================================
Case 2: ldaptest module only enabled. On test of ldap:

Same test messages in red, yellow, and green as case #1.

Checkboxes: (should only be one row)
row 1: Enable LDAP Test: no checkbox
row 2: Enable LDAP Test: one checkbox

======================================
Case 3: both ldaptest and ldaptest2 module enabled. On test of ldap:

Same test messages in red, yellow, and green as case #1.

Checkboxes: (should be 2 rows with one checkbox in each)
row 1: Enable LDAP Test: no checkbox
row 2: Enable LDAP Test: two checkboxes

Below are print_rs for $ldap_servers, $modules, and $form just before the line "return system_settings_form($form);" in the function ldapcore_admin_list_form. This is case #3 where both ldap modules are enabled. Note that in the form variable it says "Enable Great LDAP test" and "Enable LDAP test" but on the actual form it says "enable LDAP test" three times.


$ldap_servers

Array
(
    [1] => LDAPInterface Object
        (
            [connection] => Resource id #42
            [server] => ad.uiuc.edu
            [port] => 389
            [tls] => 1
            [attr_filter] => Array
                (
                    [0] => LDAPInterface
                    [1] => __empty_attr_filter
                )

            [basedn] => Array
                (
                    [0] => ou=campus accounts,dc=ad,dc=uiuc,dc=edu
                )

            [secretKey] => 
            [name] => UIUC_LDAP
            [binddn] => cn=ed-ldapuser,ou=workstations,ou=education,dc=ad,dc=uiuc,dc=edu
            [bindpw] => mygoodpassword
        )

)

$modules

Array
(
    [ldaptest] => ldaptest_ldapcore_suite
    [ldaptest2] => ldaptest2_ldapcore_suite
)

$form

Array
(
    [modules] => Array
        (
            [#type] => fieldset
            [#title] => LDAP Servers
            [#theme] => ldapcore_admin_list_form_table
            [data] => Array
                (
                    [#header] => Array
                        (
                            [0] => Array
                                (
                                    [data] => LDAP Servers
                                    [class] => row_head
                                )

                            [1] => UIUC_LDAP
                        )

                    [#row_header] => Array
                        (
                            [0] => Array
                                (
                                    [0] => Array
                                        (
                                            [data] => Operations
                                            [class] => row_head
                                        )

                                    [1] => Edit UIUC_LDAP
Deactivate UIUC_LDAP
Test UIUC_LDAP
Delete UIUC_LDAP
                                )

                            [1] => Array
                                (
                                    [0] => Array
                                        (
                                            [data] => Enable LDAP test
                                            [class] => row_head
                                        )

                                )

                            [2] => Array
                                (
                                    [0] => Array
                                        (
                                            [data] => Enable Great LDAP test
                                            [class] => row_head
                                        )

                                )

                        )

                )

            [ldaptest] => Array
                (
                    [#type] => checkboxes
                    [#options] => Array
                        (
                            [1] => UIUC_LDAP
                        )

                    [#theme] => ldapcore_admin_list_checkboxes
                    [#default_value] => 
                )

            [ldaptest2] => Array
                (
                    [#type] => checkboxes
                    [#options] => Array
                        (
                            [1] => UIUC_LDAP
                        )

                    [#theme] => ldapcore_admin_list_checkboxes
                    [#default_value] => 
                )

        )

)
cpugeniusmv’s picture

I have a hypothesis about the "Success" error. Are you using a self-signed certificate?

scafmac’s picture

Interesting...

So I'm using Drupal-5.7 and I've tried the Garland theme, though up until now I've been using a custom theme based on Zen. None of them show the checkbox problem you both demonstrate. What theme are you using? Is it a phptemplate based theme? What OS is your web server running? The form array looks fine to me - it looks exactly like mine.

In the theme_ldapcore_admin_list_form_table function, would you change:

        $cells = explode('><', drupal_render($form[$key]));

to:

        $html = drupal_render($form[$key]);
        $cells = explode('><', $html);

Then send a dump of those two vars, $html & $cells.

John, you appear to be testing against a Microsoft AD server, is that correct? The LDAPInterface: Success is confusing for me. Again it isn't something I can duplicate. I'm testing against an AD server as well & do not get that message unless I do a garbage search. I wonder if enabling TLS changes the status messages... I do not have access to a TLS enabled LDAP server unfortunately. I've tried against an OpenLDAP server and I get different status messages all together.

Also, not that it matters because you sent along the images John, but you didn't mention in your description that there was a message indicating the privileged search succeeded. I was worried about that, until I saw your images. :) I want to provide feedback on both the anonymous and privileged configurations, but I realize the messages are confusing. Perhaps there should be a checkbox to perform anonymous searches, and otherwise they are not used (or tested). That would simplify the feedback and would remove the need to perform an anonymous bind uselessly all of the time. Any thoughts?

scafmac’s picture

It might also be helpful if you could share the source html from your browser for the table with id="ldapcore_server" from the LDAP Core admin page.

Thanks

cpugeniusmv’s picture

It would be acceptable in my opinion to skip the anonymous search test if credentials have been provided. To make it obvious that the anonymous bind test is being skipped, you could replace what is now the output of the test with something like "credentials have been provided, skipping anonymous bind test...".

Anonymous’s picture

StatusFileSize
new30.59 KB

I'm using a fresh install of 5.7 with Garland on Apache/2.2.8 with PHP 5.2.6.

Made the changes to theme_ldapcore_admin_list_form_table.

With both testing modules enabled (Image 1):

$html:

Array
(
    [0] => <div class="form-checkboxes"
    [1] => input type="checkbox" name="ldaptest[1]" id="edit-ldaptest-1" value="1" class="form-checkbox" checked="checked" /
    [2] => input type="checkbox" name="ldaptest[2]" id="edit-ldaptest-2" value="2" class="form-checkbox" /
    [3] => input type="checkbox" name="ldaptest[3]" id="edit-ldaptest-3" value="3" class="form-checkbox" /
    [4] => input type="checkbox" name="ldaptest[4]" id="edit-ldaptest-4" value="4" class="form-checkbox" /
    [5] => input type="checkbox" name="ldaptest[5]" id="edit-ldaptest-5" value="5" class="form-checkbox" /
    [6] => /div>
)

$cells:

Array
(
    [0] => <div class="form-checkboxes"
    [1] => input type="checkbox" name="ldaptest2[1]" id="edit-ldaptest2-1" value="1" class="form-checkbox" checked="checked" /
    [2] => input type="checkbox" name="ldaptest2[2]" id="edit-ldaptest2-2" value="2" class="form-checkbox" /
    [3] => input type="checkbox" name="ldaptest2[3]" id="edit-ldaptest2-3" value="3" class="form-checkbox" /
    [4] => input type="checkbox" name="ldaptest2[4]" id="edit-ldaptest2-4" value="4" class="form-checkbox" /
    [5] => input type="checkbox" name="ldaptest2[5]" id="edit-ldaptest2-5" value="5" class="form-checkbox" /
    [6] => /div>
)
<table id="ldapcore_server">
 <thead><tr><th class="row_head">LDAP Servers</th><th>local</th><th>badserver</th><th>fraud</th><th>gizmo</th><th>moreservers</th> </tr></thead>

<tbody>
 <tr class="odd"><td class="row_head">Operations</td><td><span class="center"><a href="/admin/settings/ldapcore/edit/local">Edit local</a><br /><a href="/admin/settings/ldapcore/deactivate/local">Deactivate local</a><br /><a href="/admin/settings/ldapcore/test/local">Test local</a><br /><a href="/admin/settings/ldapcore/delete/local">Delete local</a></span></td><td><span class="center"><a href="/admin/settings/ldapcore/edit/badserver">Edit badserver</a><br /><a href="/admin/settings/ldapcore/deactivate/badserver">Deactivate badserver</a><br /><a href="/admin/settings/ldapcore/test/badserver">Test badserver</a><br /><a href="/admin/settings/ldapcore/delete/badserver">Delete badserver</a></span></td><td><span class="center"><a href="/admin/settings/ldapcore/edit/fraud">Edit fraud</a><br /><a href="/admin/settings/ldapcore/deactivate/fraud">Deactivate fraud</a><br /><a href="/admin/settings/ldapcore/test/fraud">Test fraud</a><br /><a href="/admin/settings/ldapcore/delete/fraud">Delete fraud</a></span></td><td><span class="center"><a href="/admin/settings/ldapcore/edit/gizmo">Edit gizmo</a><br /><a href="/admin/settings/ldapcore/deactivate/gizmo">Deactivate gizmo</a><br /><a href="/admin/settings/ldapcore/test/gizmo">Test gizmo</a><br /><a href="/admin/settings/ldapcore/delete/gizmo">Delete gizmo</a></span></td><td><span class="center"><a href="/admin/settings/ldapcore/edit/moreservers">Edit moreservers</a><br /><a href="/admin/settings/ldapcore/deactivate/moreservers">Deactivate moreservers</a><br /><a href="/admin/settings/ldapcore/test/moreservers">Test moreservers</a><br /><a href="/admin/settings/ldapcore/delete/moreservers">Delete moreservers</a></span></td> </tr>

 <tr class="even"><td class="row_head">Enable LDAP test</td> </tr>
 <tr class="odd"><td class="row_head">Enable LDAP test</td><td><input type="checkbox" name="ldaptest[1]" id="edit-ldaptest-1" value="1" class="form-checkbox" checked="checked" /></td><td><input type="checkbox" name="ldaptest[2]" id="edit-ldaptest-2" value="2" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[3]" id="edit-ldaptest-3" value="3" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[4]" id="edit-ldaptest-4" value="4" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[5]" id="edit-ldaptest-5" value="5" class="form-checkbox" /></td> </tr>
 <tr class="even"><td class="row_head">Enable LDAP test</td><td><input type="checkbox" name="ldaptest[1]" id="edit-ldaptest-1" value="1" class="form-checkbox" checked="checked" /></td><td><input type="checkbox" name="ldaptest[2]" id="edit-ldaptest-2" value="2" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[3]" id="edit-ldaptest-3" value="3" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[4]" id="edit-ldaptest-4" value="4" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest[5]" id="edit-ldaptest-5" value="5" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest2[1]" id="edit-ldaptest2-1" value="1" class="form-checkbox" checked="checked" /></td><td><input type="checkbox" name="ldaptest2[2]" id="edit-ldaptest2-2" value="2" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest2[3]" id="edit-ldaptest2-3" value="3" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest2[4]" id="edit-ldaptest2-4" value="4" class="form-checkbox" /></td><td><input type="checkbox" name="ldaptest2[5]" id="edit-ldaptest2-5" value="5" class="form-checkbox" /></td> </tr>
</tbody></table>
scafmac’s picture

darthclue & John,

Ah ha. When I moved my test site to a server with PHP 5.1.6, I can replicate the extra checkboxes... The LDAP error messages also appear to be different between the two versions of PHP. Thanks for helping to track that down. I'll try to get a new version available for testing soon.

John, can you confirm your server is running PHP 5?

Thanks

scafmac’s picture

StatusFileSize
new11.07 KB

Attached is a new version for testing. Changes include:

  • Changed so only anonymous searches or privileged DN searches are tested, not both
  • Fixed PHP 5 problem with table theming.
  • Changed to always show underlying LDAP error.

Any feedback?

Anonymous’s picture

StatusFileSize
new27.76 KB

Is it possible to associate a Base DN with the error messages? I realize that this is probably just me being anal but being able to determine which Base DN is generating an error would be great for troubleshooting. In this instance, I'm using a known bad DN just to test the error generation.

scafmac’s picture

It's not easy because those errors are thrown by the underlying PHP LDAP package. I was trying to catch & interpret them before, but was getting inconsistent results. For now I'm just going to leave it as is.

Anonymous’s picture

StatusFileSize
new28.82 KB

I don't have a broad base to test this and the syntax is probably non-compliant with Drupal but I made the following change to LDAPInterface.php at line 345:

$msg = t('LDAPInterface: %error', array('%error' => preg_replace('/\[.*\]/', '', $p2) .', Base DN = \''.$p5['base_dn'].'\''));

This returns the base_dn that was in use at the time that the error is generated.

scafmac’s picture

Sure that's easy, but there is no simple way to show it only when relevant. You could start searching for certain error messages. Which I guess is simple conceptually, but a bit of a maintenance headache and time suck to get right initially with the variety of LDAP servers & changes between PHP 4 & 5. However, with that said, if you want to submit a patch for that function, I'd love to use it. Ideally, it would:

  • Display related data for specific error messages, consistently for PHP 4 & 5 and Microsoft AD & OpenLDAP
  • Never display unrelated data with error messages - ie no base DN when it is a URL or credentials problem
  • Always passes unexpected error messages without changing or filtering

Conceptually, a big switch statement would probably be the easiest maintenance-wise because of it's self documenting nature.

cpugeniusmv’s picture

This is minor, but a link should probably be added to the Administer -> By Module (/admin/by-module) page to go to the LDAP Core API settings page.

cpugeniusmv’s picture

From what I can tell, the current behavior of this module is to automatically connect and bind to every activated LDAP server for each page request. I think that the LDAPInterface should wait until a search, test, or whatever is executed before connecting.

It should be pretty easy to do, just check to see if the $connection member is null before continuing with the search, test, etc method.

Chris Johnson’s picture

Agreed. Lazy instantiation would be preferable, to optimize performance.

johnbarclay’s picture

yes. its self signed. Next chance I get I'll try it on another type.

johnbarclay’s picture

yep. 5.1.4 on Mac OS 10.4

cpugeniusmv’s picture

I think the "Success" error message is caused when a self-signed certificate is used and is valid. The pseudo-error can be avoided by adjusting the TLS_REQCERT environment variable in ldap.conf (location varies by distribution, check /etc and /etc/openldap).

From the man page:

       TLS_REQCERT <level>
              Specifies what checks to perform on server certificates in a TLS
              session, if any. The <level> can be specified as one of the fol-
              lowing keywords:

              never  The client will not request or check any server  certifi-
                     cate.

              allow  The server certificate is requested. If no certificate is
                     provided, the session proceeds normally. If  a  bad  cer-
                     tificate  is provided, it will be ignored and the session
                     proceeds normally.

              try    The server certificate is requested. If no certificate is
                     provided,  the  session  proceeds normally. If a bad cer-
                     tificate is provided, the session is  immediately  termi-
                     nated.

              demand | hard
                     These  keywords are equivalent. The server certificate is
                     requested. If no certificate is provided, or a  bad  cer-
                     tificate  is  provided, the session is immediately termi-
                     nated. This is the default setting.
gcharrier@drupalfr.org’s picture

Category: task » feature

Is the "LDAP import" a future functionnality of this 2nd version for Drupal 5.x ?

slashjiang’s picture

I install this module to my Drupal 6.2, I can not start this module because it does not compatible with drupal 6.2.
Hope the new release coming soon.
Thank you.

scafmac’s picture

Status: Active » Closed (fixed)

Thanks for the feedback - once I've gotten it enough together I'll create a dev branch for testing.