I am using this module against a Mac OS X Open Directory. I am also using the March 11th, 2006 code from the wiki site.
Users are able to log in just fine, but the groups are not coming over as roles (nor mapping).
I tracked this issue down to the following (well, at least I think I have).
OS X stores groups at
cn=groups,dc=example,dc=com
and the groups are containers with a multivalued attribute (memberUid)
so for example my user account would have a DN of
uid=jredding,cn=users,dc=example,dc=com
and the groups I was a member of would have DNs of
cn=jacobsgroup,cn=groups,dc=example,dc=com
and a multivalued attribute (memberUid) would contain a value of
jredding
I tracked the issue down to the function
ldap_integration_user_login()
The following code (located at line 437) is what I am questioning
    $entries_groups = array();
    if ($groups_as_entries && $entries = variable_get('ldap_group_entries', '')) {
      $entries_array = explode("\r\n", $entries);
      foreach ($entries_array as $entry) {
        $tmp = $ldap->retrieveMultiAttribute($entry, variable_get('ldap_group_entries_attribute', LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE));
        if (variable_get('ldap_group_entries_attribute_full_dn', false)) {
          if (_ldap_integration_in_array_nocase($user->ldap_dn, $tmp)) {
            $entries_groups[] = $entry;
          }
        }
        else {
          if (_ldap_integration_in_array_nocase($user->name, $tmp)) {
            $entries_groups[] = $entry;
          }
        }
      }
    }
Once more, with my comments/questions:
    $entries_groups = array();
    if ($groups_as_entries && $entries = variable_get('ldap_group_entries', '')) {
      $entries_array = explode("\r\n", $entries);
      foreach ($entries_array as $entry) {
This foreach loops through all DNs where groups are stored, for example:
    cn=groups,dc=example,dc=com
        $tmp = $ldap->retrieveMultiAttribute($entry, variable_get('ldap_group_entries_attribute', LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE));
I think this $ldap->retrieveMultiAttribute call is supposed to return all memberUid values (as named by ldap_group_entries_attribute), but it does not return anything.
My assumption is that this is because the groups are containers beneath cn=groups, and each subcontainer holds the member listing; each container would need to be searched.
The rest of the code then fails to work, and when the "groups" are parsed they are blank.
Any ideas? Suggestions?
-Jacob
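The failure Jacob describes, and the fix pablobm gives later in the thread (list each group entry rather than the container, or expand a wildcard over the container's children), as an added illustration that is not the ldap_integration module's code. The directory below is a constructed in-memory stand-in for an Open Directory tree, and the `cn=*,...` wildcard form is the idea raised in the thread, not a real module setting; no live LDAP server is contacted.

```python
# Added illustration (not the ldap_integration module's code): why a
# memberUid read on the container "cn=groups,..." returns nothing, and how
# checking each group entry beneath it recovers membership.
from fnmatch import fnmatchcase

# Constructed sample directory: DN -> attributes (multi-valued, lower-case keys).
# Only the group entries carry memberUid; the container itself has none.
DIRECTORY = {
    "cn=users,dc=example,dc=com": {"objectclass": ["container"]},
    "uid=jredding,cn=users,dc=example,dc=com": {"uid": ["jredding", "jacobredding"]},
    "cn=groups,dc=example,dc=com": {"objectclass": ["container"]},
    "cn=jacobsgroup,cn=groups,dc=example,dc=com": {"memberuid": ["jredding", "other"]},
    "cn=websiteeditors,cn=groups,dc=example,dc=com": {"memberuid": ["alice", "jredding"]},
    "cn=admins,cn=groups,dc=example,dc=com": {"memberuid": ["alice"]},
}


def retrieve_multi_attribute(dn, attr):
    """Values of `attr` on the single entry `dn` (a base-scope read, like the
    module's retrieveMultiAttribute). Unknown DN or attribute -> []."""
    return DIRECTORY.get(dn.lower(), {}).get(attr.lower(), [])


def one_level_children(base_dn):
    """DNs of the entries directly beneath `base_dn` (one-level scope)."""
    suffix = "," + base_dn.lower()
    children = []
    for dn in DIRECTORY:
        low = dn.lower()
        # Direct child: ends with ",<base>" and the remaining RDN has no comma.
        if low.endswith(suffix) and "," not in low[: -len(suffix)]:
            children.append(dn)
    return children


def expand_group_entries(config_lines):
    """Expand the 'Entries containing groups (one per line)' setting.
    A plain DN is kept as-is. A line whose first RDN contains '*'
    (e.g. 'cn=*,cn=groups,dc=example,dc=com', a hypothetical wildcard form)
    expands to every one-level child of the parent whose RDN matches."""
    expanded = []
    for line in config_lines:
        line = line.strip()
        if not line:
            continue
        rdn, _, parent = line.partition(",")
        if "*" in rdn:
            for child in one_level_children(parent):
                child_rdn = child.lower().split(",", 1)[0]
                if fnmatchcase(child_rdn, rdn.lower()):
                    expanded.append(child)
        else:
            expanded.append(line)
    return expanded


def groups_for_user(username, config_lines, member_attr="memberUid"):
    """Group DNs whose member attribute lists `username` (case-insensitive),
    mirroring the module's loop over the configured entries."""
    groups = []
    for entry in expand_group_entries(config_lines):
        members = [m.lower() for m in retrieve_multi_attribute(entry, member_attr)]
        if username.lower() in members:
            groups.append(entry)
    return groups


if __name__ == "__main__":
    # Configured as the container only: nothing found (the reported symptom).
    print(groups_for_user("jredding", ["cn=groups,dc=example,dc=com"]))
    # Configured with the group entries (or a wildcard over them): membership resolves.
    print(groups_for_user("jredding", ["cn=*,cn=groups,dc=example,dc=com"]))
```

Configuring the container DN alone yields an empty list because memberUid lives on the child entries; listing each group DN (pablobm's answer) or expanding a wildcard over the container's children makes the same loop work. The comparison stays case-insensitive, matching `_ldap_integration_in_array_nocase`.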
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | ldapauth.module.patch | 1.06 KB | pereljon |
Comments
Comment #1
acrowe commented:
I'm having this same problem on 4.7 with my OS X directory. Did you ever get it working?
Comment #2
mkg commented:
Hi,
I was wondering if you had any luck with the LDAP groups in Mac OS X and Drupal.
I am also trying to set up this scenario, but I am having trouble getting it to authenticate.
Any tips? I am using a fairly standard install of Mac OS X Server and using Open Directory logins on the Mac network, so LDAP is working, but I am a bit lost on the particular strings to enter in the ldap_authentication module in Drupal to get it to talk.
Like, what "LDAP login pattern" and "LDAP login replacement" strings do you use?
Any help would be most appreciated.
Thanks,
Michael
Comment #3
pablobm commented:
Hi guys, I'm the "perpetrator" of this module. Sorry that I took "a wee bit" to attend to this bug. I'm working on a complete code refactoring and am looking at all bugs in order to get the new design as perfect as possible.
The problem here is that the module expects the "Entries containing groups (one per line):" setting to look like:
Rather than just:
If, after all this time passed since this bug was first published, anybody can confirm this solves their problem, please do.
I understand this may not be scalable on some configurations, so for the next version I'll add the possibility of adding wildcards so it can be done as:
Comment #4
jredding commented:
Sorry, everyone, for taking my time to follow up on this too.
pablobm, that worked perfectly! (group membership)
So here is my setup for the Mac OS X LDAP server.
Everything is STOCK except for 2 lines of custom code (a very small mod that would be easy to incorporate into the new code).
First, our setup:
- Webserver on a Linux/Apache box
- Xserve running stock OS X 10.4 Open Directory
- Users have multiple short names:
  the first name is their full name (ex. jacobredding)
  the second is a short name of their choosing
  ** Users may have 3 or more short names (important later on)
Now Drupal's LDAP module configuration (Drupal 4.7, but the same settings for 4.6):
Server settings:
    standard setup
Login Procedure:
    eDirectory/Active Directory
    cn=users,dc=my,dc=domain
    username attribute: uid
Groups and Roles:
    Groups exist as LDAP entries where a multivalued attribute contains the members' CNs
    cn=groupname,cn=groups,dc=my,dc=domain
    ex. If you have a group named WebsiteEditors it would be
    cn=WebsiteEditors,cn=groups,dc=my,dc=domain
    Attribute holding group members: MemberUid
LDAP Attributes:
    mail = mail
That's it!! Except for one little item.
The Mac short names pose a slight problem.
Take this example:
    testuser is the long name
    tuser is a short name
    test is a short name
All three names can be used to log on to the Drupal system, and they all map to the same user account, except that because the name used to log in is different, a separate Drupal account will be created for each name logged in with.
i.e.
on Day 1 I use testuser to log in, and a Drupal account named testuser is created.
on Day 2 I use test to log in, and a second Drupal account is created (identical to the other).
This is actually a very simple fix. In the function _ldap_integration_ldap_login() the system is using $login_string to do a user_load and a $tmp_user. I simply replaced this with the $name from the DN of the object that was authenticated against successfully (handled by the AD functions).
Here's the code
Hopefully all of that made sense; if not, let me know and I'll follow up. This should be an easy fix for the next version.
Thanks for all the hard work; it is MUCH appreciated!!!!
Comment #5
pablobm commented:
You are welcome.
Comment #6
(not verified)
Comment #7
nandkishor commented:
We have Xserver Mac OS 10.5.7. I want a solution so that webmail users can access LDAP users' mail addresses.
Comment #8
pereljon commented:
I am using the current 6.x-1.0-beta2 with Mac OS X 10.6 Server and ran across the same issue. Our users have several uids, and if they log in with different uids, then a Drupal user is created for each uid. Additionally, the user's groups are only recognized for the first/primary uid. I took jredding's idea of the patch for the old version of LDAP Integration and rolled up a patch that seems to fix the issue for me in the current beta.
Essentially, I had to move the LDAP authentication (_ldapauth_auth) in ldapauth_authenticate to before the user_load. Then I do a retrieveAttribute on the uid and set this as the $name. Then the user_load tries to load a user with the authenticated uid instead of with the $name that the user typed in.
If there is some other way to do this, please let me know. If not, enjoy the patch and let me know if it helped!
Cheers!
Jonathan Perel
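The duplicate-account problem jredding describes in #4 and the login order pereljon settles on in #8 (bind first, then take the account name from the authenticated entry's uid rather than from what was typed), as an added illustration that is neither the old ldap_integration patch nor the ldapauth patch attached to this issue. The directory, the password store (a SHA-256 lookup standing in for an LDAP bind) and the local-account table are all constructed in memory; no Drupal or LDAP calls are made.

```python
# Added illustration (not the module's code): why using the typed login
# name for user_load creates one local account per alias, and how keying
# on the directory's uid after a successful bind collapses them to one.
import hashlib
import hmac

# Constructed sample users: multi-valued uid, primary short name listed first.
DIRECTORY = {
    "uid=testuser,cn=users,dc=example,dc=com": {
        "uid": ["testuser", "tuser", "test"],
        "mail": ["testuser@example.com"],
    },
    "uid=alice,cn=users,dc=example,dc=com": {
        "uid": ["alice"],
        "mail": ["alice@example.com"],
    },
}


def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed stand-in for the directory's credential check (a real server
# verifies the bind itself; these hashes exist only so the example runs offline).
PASSWORDS = {
    "uid=testuser,cn=users,dc=example,dc=com": _digest("correct-horse"),
    "uid=alice,cn=users,dc=example,dc=com": _digest("battery-staple"),
}


def find_dn_by_login(login):
    """Locate the entry whose multi-valued uid contains the typed login
    (the search the module's login pattern performs). None if absent."""
    for dn, attrs in DIRECTORY.items():
        if login.lower() in [u.lower() for u in attrs.get("uid", [])]:
            return dn
    return None


def ldap_bind(dn, password):
    """Stand-in for a simple bind: True only if the password matches `dn`."""
    expected = PASSWORDS.get(dn)
    return expected is not None and hmac.compare_digest(expected, _digest(password))


def retrieve_attribute(dn, attr):
    """First value of `attr` on `dn` (like retrieveAttribute); None if unset."""
    values = DIRECTORY[dn].get(attr.lower(), [])
    return values[0] if values else None


class LocalAccounts:
    """Stand-in for Drupal's users table: user_load / user creation by name."""

    def __init__(self):
        self.by_name = {}

    def load(self, name):
        return self.by_name.get(name)

    def create(self, name, mail):
        record = {"name": name, "mail": mail}
        self.by_name[name] = record
        return record


def authenticate(login, password, accounts, canonical_name):
    """Bind first; only then pick the local account name.
    canonical_name=False: key on the typed login (one account per alias).
    canonical_name=True: key on the entry's primary uid (one account per person)."""
    dn = find_dn_by_login(login)
    if dn is None or not ldap_bind(dn, password):
        return None
    name = retrieve_attribute(dn, "uid") if canonical_name else login
    account = accounts.load(name)
    if account is None:
        account = accounts.create(name, retrieve_attribute(dn, "mail"))
    return account


def accounts_after(logins, canonical_name):
    """Sorted local account names that exist after the given (login, password) attempts."""
    accounts = LocalAccounts()
    for login, password in logins:
        authenticate(login, password, accounts, canonical_name)
    return sorted(accounts.by_name)


if __name__ == "__main__":
    attempts = [("testuser", "correct-horse"), ("tuser", "correct-horse"), ("test", "correct-horse")]
    print(accounts_after(attempts, canonical_name=False))  # three accounts
    print(accounts_after(attempts, canonical_name=True))   # one account
```

The typed login is untrusted input and only serves to find the entry to bind against; the identity that keys the local account (and that the memberUid group check compares against) comes from the directory after the bind succeeds, so every alias resolves to the same Drupal user and the same roles.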
Comment #9
johnbarclay
Comment #10
cgmonroe commented:
Changing this to a feature request and marking it as "needs work"... mainly because it needs to be redone for the new dev version.
I'd also like to see some thought about / tests done with non-Mac LDAP scenarios... it's not clear whether this might have some side effects for existing non-Mac sites or not.