I am using this module against a Mac OS X Open Directory. I am also using the March 11th, 2006 code from the WIKI site.
Users are able to log in just fine, but the groups are not coming over as roles (nor mapping).

I tracked this issue down to the following (well, at least I think I have).

OS X stores groups at
cn=groups,dc=example,dc=com
and the groups are containers with a multivalued attribute (memberUid)

so for example my user account would have a DN of
uid=jredding,cn=users,dc=example,dc=com
and the groups I was a member of would have DNs of
cn=jacobsgroup,cn=groups,dc=example,dc=com
and a multivalued attribute (memberUid) would contain a value of
jredding

I tracked the issue down to the function

ldap_integration_user_login()

The following code (located at line 437) is what I am questioning:

$entries_groups = array();
if ($groups_as_entries && $entries = variable_get('ldap_group_entries', '')) {
  $entries_array = explode("\r\n", $entries);
  foreach ($entries_array as $entry) {
    $tmp = $ldap->retrieveMultiAttribute($entry, variable_get('ldap_group_entries_attribute', LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE));
    if (variable_get('ldap_group_entries_attribute_full_dn', false)) {
      if (_ldap_integration_in_array_nocase($user->ldap_dn, $tmp)) {
        $entries_groups[] = $entry;
      }
    }
    else {
      if (_ldap_integration_in_array_nocase($user->name, $tmp)) {
        $entries_groups[] = $entry;
      }
    }
  }
}

Once more, with my comments/questions:

$entries_groups = array();
if ($groups_as_entries && $entries = variable_get('ldap_group_entries', '')) {
  $entries_array = explode("\r\n", $entries);
  foreach ($entries_array as $entry) {

This foreach loops through all DNs where groups are stored, for example:
cn=groups,dc=example,dc=com

    $tmp = $ldap->retrieveMultiAttribute($entry, variable_get('ldap_group_entries_attribute', LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE));

I think this $ldap->retrieveMultiAttribute call is supposed to return back all MemberUids (as returned by ldap_group_entries_attribute) but it does not return anything.

My assumption is that this is because the groups are containers beneath groups, and each subcontainer contains the member listing. Each container would need to be searched.

The rest of the code fails to work, and when the "groups" are parsed they are blank.

Any ideas? suggestions?

-Jacob

Attachment (comment #8): ldapauth.module.patch, 1.06 KB, by pereljon

Comments

acrowe wrote:

Category: bug » support

I'm having this same problem on 4.7 with my OS X directory. Did you ever get it working?

mkg wrote:

Title: Groups and Roles not working » LDAP config for mac os x server

Hi,

I was wondering if you had any luck with the ldap groups in mac os x and drupal.

I am also trying to set up this scenario, but I am having trouble getting it to authenticate.

Any tips? I am using a fairly standard install of Mac OS X Server and using Open Directory logins on the Mac network, so LDAP is working, but I am a bit lost on the particular strings to enter in the ldap_authentication module in Drupal to get it to talk.

For example, what "LDAP login pattern" and "LDAP login replacement" strings do you use?

Any help would be most appreciated.

Thanks

Michael

pablobm wrote:

Hi guys, I'm the "perpetrator" of this module. Sorry that I took "a wee bit" to attend this bug. I'm working on a complete code refactoring and am looking at all bugs in order to get the new design as perfect as possible.

The problem here is that the module expects the "Entries containing groups (one per line):" setting to look like:

cn=group1,cn=groups,dc=example,dc=com
cn=group2,cn=groups,dc=example,dc=com
cn=group3,cn=groups,dc=example,dc=com
cn=group4,cn=groups,dc=example,dc=com

Rather than just:

cn=groups,dc=example,dc=com

If, after all this time passed since this bug was first published, anybody can confirm this solves their problem, please do.

I understand this may not be scalable on some configurations, so for the next version I'll add the possibility of adding wildcards so it can be done as:

*,cn=groups,dc=example,dc=com
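
An added example (not code from the LDAP Integration module or from pablobm's reply) of the difference the reply describes: the container DN alone has no memberUid values, while a per-group DN list, or the proposed "*,cn=groups,..." wildcard expanded by a one-level search, does. The closures stand in for ldap_list()/ldap_read() against a live server; the group data is a constructed fixture.

```php
<?php
// Added example, not code from the LDAP Integration module or its authors.
// expand_group_lines() treats "*,<container>" as "every entry one level below the
// container"; groups_for_uid() is the memberUid check, case-insensitive like the module's.

function expand_group_lines(array $lines, callable $listChildren): array {
    $dns = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        // Wildcard line: one-level search under the container (ldap_list() on a live server).
        $dns = array_merge($dns, strncmp($line, '*,', 2) === 0
            ? $listChildren(substr($line, 2)) : [$line]);
    }
    return $dns;
}

function groups_for_uid(array $groupDns, string $uid, callable $readMembers): array {
    $matched = [];
    foreach ($groupDns as $dn) {
        // If you filter server-side instead, e.g. "(memberUid=...)", pass $uid through
        // ldap_escape($uid, '', LDAP_ESCAPE_FILTER) so a typed name cannot alter the filter.
        $members = array_map('strtolower', $readMembers($dn));
        if (in_array(strtolower($uid), $members, true)) {
            $matched[] = $dn;
        }
    }
    return $matched;
}

// Constructed fixture modelled on the Open Directory layout in this thread.
$directory = [
    'cn=jacobsgroup,cn=groups,dc=example,dc=com'    => ['jredding', 'tuser'],
    'cn=WebsiteEditors,cn=groups,dc=example,dc=com' => ['editor1', 'JRedding'],
];
$listChildren = fn(string $container): array => array_values(array_filter(
    array_keys($directory),
    fn(string $dn): bool => str_ends_with($dn, ',' . $container)
        && substr_count($dn, ',') === substr_count($container, ',') + 1));
$readMembers = fn(string $dn): array => $directory[$dn] ?? [];

// The container alone (the original setting) matches nothing: it carries no memberUid itself.
$asContainer = expand_group_lines(["cn=groups,dc=example,dc=com"], $listChildren);
var_dump(groups_for_uid($asContainer, 'jredding', $readMembers));

// The wildcard form expands to both groups, and both list jredding (one in mixed case).
$asWildcard = expand_group_lines(["*,cn=groups,dc=example,dc=com"], $listChildren);
print_r(groups_for_uid($asWildcard, 'jredding', $readMembers));
```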

jredding wrote:

Sorry everyone for taking my time to follow up on this too.
pablobm, that worked perfectly! (group membership).

So here is my setup for Mac OS X LDAP server.
Everything is STOCK except for 2 lines of custom code (a very small mod that would be easy to incorporate into the new code)

First, our setup:
- Webserver on a Linux/Apache box
- Xserve running stock OS X 10.4 Open Directory
- Users have multiple short names:
  - the first name is their full name (e.g. jacobredding)
  - the second is a short name of their choosing
  - users may have 3 or more short names (important later on)

Now Drupal's LDAP Module configuration (Drupal 4.7 but same setting for 4.6)
Server settings:
standard setup

Login Procedure:
eDirectory/Active Directory
cn=users,dc=my,dc=domain
username attribute: uid

Groups and Roles:
Groups exist as LDAP entries where a multivalued attribute contains the members' CNs
cn=groupname,cn=groups,dc=my,dc=domain
e.g. if you have a group named WebsiteEditors it would be
cn=WebsiteEditors,cn=groups,dc=my,dc=domain

Attribute holding group members: MemberUid

LDAP Attributes
mail = mail

That's it!! Except for one little item.

The Mac Shortnames pose a slight problem.
Take this example
testuser is the long name
tuser is a short name
test is a short name

All three names can be used to log onto the Drupal system, and they all map to the same user account, except that because the name used to log in is different, a separate Drupal account will be created for each name logged in with.
i.e.
on Day 1 I use testuser to log in, and a Drupal account named testuser is created.
on Day 2 I use test to log in, and a second Drupal account is created (identical to the other).

This is actually a very simple fix. In the function _ldap_integration_ldap_login() the system is using $login_string to do a user_load and a $tmp_user. I simply replaced this with the $name from the DN of the object that was authenticated against successfully (handled by the AD functions).

Here's the code

function _ldap_integration_ldap_login($login_string, $pass) {
  <snippity snip snip>

  if (ldap_integration_auth($name, $pass, $server)) {

    // Patched May 4th, 2006 by Jacob Redding
    // This patch changes the NAME variable to the 1st UID in the list.
    // Why? If users have multiple UIDs they can log in with any of them.
    // Without this 2-line patch a Drupal user account will be created for each of the UIDs;
    // with this 2-line patch a single Drupal user account will be created based on the 1st uid of the DN.

    //--Begin Patch
    $dn = _ldap_integration_login2dn("$name$at$server");
    $login_string = $ldap->retrieveAttribute($dn, 'uid');
    //--End Patch (see, I told you it was only 2 lines)

    $user = user_load(array('name' => $login_string));
    $tmp_user->name = $login_string;
    if (!$user->uid) { // Register this new user.
      // Changes to this user_save():
      //   1. 'pass' => $pass . Obviously.
      //   2. 'mail' => value of the mail attribute in the LDAP directory
      //   3. 'init' => same. BTW: what's the use of this field?
      //   4. 'ldap_authentified' => TRUE . There is a need to mark
      //      people as externally authentified.
      $dn = _ldap_integration_login2dn($login_string);

<snippity snip snip>

Hopefully all of that made sense; if not, let me know and I'll follow up. This should be an easy fix for the next version.

Thanks for all the hard work it is MUCH appreciated!!!!

pablobm wrote:

Assigned: Unassigned » pablobm
Status: Active » Fixed

You are welcome

Anonymous wrote:

Status: Fixed » Closed (fixed)

nandkishor wrote:

Title: LDAP config for mac os x server » mail config for mac os 10.5.7 xserver
Version: 4.6.x-1.x-dev » master
Component: Code » User interface
Assigned: pablobm » nandkishor
Priority: Normal » Critical
Status: Closed (fixed) » Active
Issue tags: +LDAP integration

We have an Xserve running Mac OS 10.5.7, and I want a solution so that webmail users can access LDAP users' mail addresses.

pereljon wrote:


I am using the current 6.x-1.0-beta2 with Mac OS X 10.6 Server and ran across the same issue. Our users have several uids, and if they log in with different uids, then a Drupal user is created for each uid. Additionally, the user's groups are only recognized for the first/primary uid. I took jredding's idea of the patch for the old version of LDAP Integration and rolled up a patch that seems to fix the issue for me in the current beta.

Essentially, I had to move the ldap authentication (_ldapauth_auth) in ldapauth_authenticate to before the user_load. Then I do a retrieveAttribute on the uid, and set this to the $name. Then the user_load tries to load a user with the authenticated uid, instead of with the $name that the user typed in.

If there is some other way to do this please let me know. If not, enjoy the patch and let me know if it helped!

Cheers!

Jonathan Perel
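
An added example (not code from the module, from jredding's patch or from pereljon's) isolating the idea both of them describe: once the bind has succeeded, the Drupal account name is taken from the authenticated entry's uid attribute rather than from the name the user typed, so every short name of one directory user lands on one account. The directory fixture and the login loop are constructed stand-ins for login2dn()/user_load().

```php
<?php
// Added example, not code from the module, jredding or pereljon. It isolates the
// idea behind both patches: after the bind has succeeded, the Drupal account name
// comes from the authenticated entry's uid attribute, not from what was typed.

function canonical_name(array $uidValues, string $typed): string {
    // The typed name must be one of this entry's uids; otherwise the DN we were
    // handed is not the one the user just authenticated as.
    if (!in_array(strtolower($typed), array_map('strtolower', $uidValues), true)) {
        throw new RuntimeException("'$typed' is not a uid of the authenticated entry");
    }
    // retrieveAttribute() in the module returns the first value. LDAP does not
    // promise a stable value order, so a server that reorders multi-valued
    // attributes would split accounts again; a single-valued attribute, or the
    // uid in the DN's RDN, is a sturdier key where the directory offers one.
    return $uidValues[0];
}

// Simulate repeated logins; $directory and the lookup stand in for
// _ldap_integration_login2dn() and user_load()/user_save().
function accounts_after_logins(array $directory, array $logins, bool $patched): array {
    $accounts = [];
    foreach ($logins as $typed) {
        foreach ($directory as $dn => $entry) {
            $uids = array_map('strtolower', $entry['uid']);
            if (!in_array(strtolower($typed), $uids, true)) {
                continue;
            }
            $name = $patched ? canonical_name($entry['uid'], $typed) : $typed;
            $accounts[$name] = $dn;
            break;
        }
    }
    return $accounts;
}

// Constructed fixture: one Open Directory user with three short names, as in the thread.
$directory = [
    'uid=testuser,cn=users,dc=example,dc=com' => ['uid' => ['testuser', 'tuser', 'test']],
];
$logins = ['testuser', 'test', 'tuser'];
print_r(accounts_after_logins($directory, $logins, false)); // without the patch: one account per alias
print_r(accounts_after_logins($directory, $logins, true));  // with the patch: all aliases share one account
```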

johnbarclay wrote:

Version: master » 6.x-1.x-dev

cgmonroe wrote:

Category: support » feature
Priority: Critical » Normal
Status: Active » Needs work

Changing this to a feature request and marking it as "needs work"... mainly because it needs to be redone for the new dev version.

I'd also like to see some thought about / tests done with non-Mac ldap scenarios... it's not clear if this might have some side effects for existing non-Mac sites or not.