Hi everyone,
As I'm not sure if it's a bug or just an expression of my inability to configure the module the correct way but as I haven't found anything in the bug reports I guess it's the second...
The problem:
No group entry is derived from LDAP, connection to server is established correctly and also authentication works fine so far.
The roles exists as cn=Webmasters,ou=groups,dc=my,dc=host,dc=de in LDAP with the attribute memberuid holding all user-uids
The users exist as: dn: uid=test,ou=people,dc=my,dc=host,dc=de
In the server test, the block "User Group Membership Functions Test" contains only zeros as results and the authorization test displaying nothing I know to work with:
Derive from DN (without filter): Deaktiviert (deactivated)
Groups DNs (without filter):
Convert full dn to value of first attribute before mapping:
Use Mappings as Filter = 1
Configured Mappings:
Admins|Admins
Webmasters|Webmasters
fachschaft|fachschaft
vorstand|vorstand
Also the log reports no warnings/errors , neither for the tests nor for a login with a users
If this is a problem with my config a more detailed output from the tests could be usefull at all...
Comments
Comment #1
yalet CreditAttribution: yalet commentedI think this thread might be the same issue:
http://drupal.org/node/1842630
Comment #2
KeepXtreme CreditAttribution: KeepXtreme commentedno, I don't think so as I don't get even the unfiltered groups out of the ldap request...
Comment #3
James Tipler CreditAttribution: James Tipler commentedWhatever this is I'm getting exactly the same thing. So either it's a bug, or we're both being dim in the same way. I've been tracking the slapd.log over a test attempt of two and it is performing the search and showing nentries=5 as i would expect (I'm in 5 groups) but then doesn't go on to actually return anything to the test page. Actual mappings from DN to Drupal role are similarly not occurring.
I'll post the slapd.log if anyone wants to see it.
Edit now I'm back at work and have had coffee:
I'm pretty certain this is a bug now, I'm going to alter the status if that's ok with you OP. Set it back if I'm wrong.
from "User Group Membership Functions Test" :
http://i.imgur.com/MzpgB.jpg
(sorry, can't work out how I upload images to this site to make that legit)
from slapd.log:
So there's 6 connections, one for each test, and unless I've massively misunderstood what the word "Count" means in "User Group Membership Functions Test" it shouldn't be returning 0 when the slapd.log shows nentries 5 each time...
The LDAP server is openLDAP if that's helpful to know.
Comment #4
James Tipler CreditAttribution: James Tipler commentedComment #5
johnbarclay CreditAttribution: johnbarclay commentedI would definately try 7.x-2.x-dev. Alot of the ldap authorization was rewritten for it. Its better to post bugs against -dev unless you are following all the patches and issues and know none of them are related to a given issue.
Comment #6
James Tipler CreditAttribution: James Tipler commentedApologies, I didn't check the version when I posted. This still occurs using the latest dev release. Updating the version in the ticket accordingly.
Comment #7
James Tipler CreditAttribution: James Tipler commentedI don't suppose anyone has gotten anywhere with this? I'm still looking into it on and off but I've not made any progress recently.
Comment #8
James Tipler CreditAttribution: James Tipler commentedWell, I've found the _cause_ of the problem...
The situation arises thus:
LDAP Group Entry Attribute Holding User's DN, CN, etc. = memberuid
User attribute held in "LDAP Group Entry Attribute Holding..." = uid
...and the DN of a typical group looks like this cn=sysman,ou=group,ou=current,dc=maths,dc=ox,dc=ac,dc=uk
now, get to Line 1640 of LdapServer.class.php inside the function groupMembershipsFromEntryResursive
in my case, uid is held. If you look at the group however, there's no uid attribute in it's dn, the group value we're looking for is a cn, so that always returns false.
I've got a simple patch that overrides this for me by forcing $member_id = $group_entry['dn']; in all cases, but I can't work out why it's doing this check here anyway so it's not one I'm happy to submit.
Comment #9
JBeugnot CreditAttribution: JBeugnot commentedHi James,
i have the same issue, do you have more informations about it ?
Julien
Comment #10
johnbarclay CreditAttribution: johnbarclay commentedThe goal of this loop is to generate a query of the form:
(&(objectClass=[$this->groupObjectClass])(|([$this->groupMembershipsAttr]=groupid1)([$this->groupMembershipsAttr]=groupid2))
such as:
(&(objectClass=group)(|(cn=groupid1)(cn=groupid2)) so it can find the groups the "$current_group_entries" are in. At this point in the code its not looking at users, just groups.
In your case you might be looking for something like:
(&(objectClass=group)(|(member=[DN1])(member=[DN2]))
so hard coding Dn makes it work maybe. The code should be like:
You can see where this would get quite query intensive. I would suggest not using the nested groups or reworking the code so "$member_group_dns" variable held the appropriate attribute.
Comment #11
johnbarclay CreditAttribution: johnbarclay commentedComment #12
johnbarclay CreditAttribution: johnbarclay commentedThis should be merged with #1965160: LDAP Servers: Group-Membership not derived correctly for non nested groups. They are very close.