Thread: [openupload-devel] Active Directory
Status: Beta
Brought to you by:
tsdogs
Menu
▾
▴
openupload-devel
|
From: Andy H. <and...@eu...> - 2009-04-22 22:16:28
|
Has anyone gotten AD authentication working? I have tried it here, but I can't seem to get it to work. I have several other websites that query AD here so it should work with the right configuration. Any help would be appreciated. Thanks, -Andy |
|
From: Alessandro B. <ts...@br...> - 2009-04-23 07:42:06
|
Sure, I had this working with AD. (haven't tested it for some time now, but it should just work) (LDAP works as I have it working at my office). The best way to set it up is: 1. Run the setup script and put the same groups in the configuration that you will be using in the AD configuration. You'll probably want to create a user which can access the AD in readonly so it can query users info (groups, name, email) i.e. registered -> Domain Users admins -> Domain Admins unregistered -> this does not matter (leave it unregistered) Or change actual configuration adding thoose groups. 2. Populate the database with your preferred settings. 3. Then edit the config.inc.php and add the following, replacing the values with your setup: /* Active Directory */ # $CONFIG['ldap']['host'] = '127.0.0.1'; /* specify that it is an Active directory */ # $CONFIG['ldap']['type'] = 'AD'; # $CONFIG['ldap']['user'] = 'rea...@ro...'; # $CONFIG['ldap']['password'] = 'readonlypassword'; /* DOMAIN for user login */ # $CONFIG['ldap']['domain'] = 'yourdomain.local'; # $CONFIG['ldap']['basedn'] = 'dc=yourdomain,dc=local'; # $CONFIG['ldap']['userdn'] = 'dc=yourdomain,dc=local'; # $CONFIG['ldap']['userclass']='user'; # $CONFIG['ldap']['uid']='cn'; # $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => 'name', 'memberof' => 'group_id', 'mail' => 'email'); # $CONFIG['ldap']['groupdn'] = 'dc=roverdom,dc=local'; # $CONFIG['ldap']['groupclass']='group'; # $CONFIG['ldap']['gid']='distinguishedname'; # $CONFIG['ldap']['groupfields'] = array ( 'cn' => 'name', 'name' => 'description' ); 4. Change the authentication from "default" to "ldap" This will ignore all group and users that the db has, but at least if anything goes wrong you'll be able to switch back to default auth. Also note that I found a bug with current version. If you use the Admin page to change the settings the ldap/AD configuration will be broken as it does not currently handle the ARRAY values for "userfields" and "groupfields" so if you have to change the config, edit the config file for now. Somebody also suggested to associate the login field insthead of 'cn' to 'sAMAccountName' like: $CONFIG['ldap']['uid']='sAMAccountName'; $CONFIG['ldap']['userfields'] = array ( 'sAMAccountName' => 'login', 'cn' => 'name', 'memberof' => 'group_id', 'mail' => 'email'); Hope this helps. Alessandro Andy Hester ha scritto: > Has anyone gotten AD authentication working? I have tried it here, but > I can't seem to get it to work. I have several other websites that > query AD here so it should work with the right configuration. > > Any help would be appreciated. > > Thanks, > -Andy > > > ------------------------------------------------------------------------------ > Stay on top of everything new and different, both inside and > around Java (TM) technology - register by April 22, and save > $200 on the JavaOne (SM) conference, June 2-5, 2009, San Francisco. > 300 plus technical and hands-on sessions. Register today. > Use priority code J9JMT32. http://p.sf.net/sfu/p > _______________________________________________ > Openupload-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/openupload-devel |
|
From: Andy H. <and...@eu...> - 2009-04-23 18:34:27
|
Alessandro Briosi wrote: > Sure, > I had this working with AD. (haven't tested it for some time now, but it > should just work) (LDAP works as I have it working at my office). > > The best way to set it up is: > 1. Run the setup script and put the same groups in the configuration > that you will be using in the AD configuration. > I don't recall ever running this script. I think I just edited the config.inc.php file. When I go to the setup.inc.php in a browser I get an access denied message. I am quite sure that I am just being a little dense atm, but I can't seem to get this to work. I did edit the config file for AD, but I guess I am not sure how to tell openupload which groups map to which AD groups, etc. I think the part I am not getting right is here: > # $CONFIG['ldap']['basedn'] = 'dc=yourdomain,dc=local'; > # $CONFIG['ldap']['userdn'] = 'dc=yourdomain,dc=local'; > # $CONFIG['ldap']['userclass']='user'; > # $CONFIG['ldap']['uid']='cn'; > # $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => > 'name', 'memberof' => 'group_id', 'mail' => 'email'); > # $CONFIG['ldap']['groupdn'] = 'dc=roverdom,dc=local'; > # $CONFIG['ldap']['groupclass']='group'; > # $CONFIG['ldap']['gid']='distinguishedname'; > # $CONFIG['ldap']['groupfields'] = array ( 'cn' => 'name', 'name' => > 'description' ); > Also, is it correct to assume that one this config file is correct that this will work, or are there other things that must be done with the database, etc? Thanks again, -Andy |
|
From: Alessandro B. <ts...@br...> - 2009-04-23 22:43:27
|
On Thu, 23 Apr 2009 13:34:17 -0500, Andy Hester <and...@eu...> wrote: > Alessandro Briosi wrote: >> Sure, >> I had this working with AD. (haven't tested it for some time now, but it >> should just work) (LDAP works as I have it working at my office). >> >> The best way to set it up is: >> 1. Run the setup script and put the same groups in the configuration >> that you will be using in the AD configuration. >> > I don't recall ever running this script. I think I just edited the > config.inc.php file. When I go to the setup.inc.php in a browser I get > an access denied message. > > I am quite sure that I am just being a little dense atm, but I can't > seem to get this to work. > I did edit the config file for AD, but I guess I am not sure how to > tell openupload which groups map to which AD groups, etc. I think the > part I am not getting right is here: > ok so you probably got that 'cause it was not there with version 0.3 from which you upgraded. >> # $CONFIG['ldap']['basedn'] = 'dc=yourdomain,dc=local'; >> # $CONFIG['ldap']['userdn'] = 'dc=yourdomain,dc=local'; >> # $CONFIG['ldap']['userclass']='user'; >> # $CONFIG['ldap']['uid']='cn'; >> # $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => >> 'name', 'memberof' => 'group_id', 'mail' => 'email'); >> # $CONFIG['ldap']['groupdn'] = 'dc=roverdom,dc=local'; >> # $CONFIG['ldap']['groupclass']='group'; >> # $CONFIG['ldap']['gid']='distinguishedname'; >> # $CONFIG['ldap']['groupfields'] = array ( 'cn' => 'name', 'name' => >> 'description' ); >> > Also, is it correct to assume that one this config file is correct that > this will work, or are there other things that must be done with the > database, etc? > Yes, you would have to map the groups in the database, changing the names to the ones that match the AD ones. The easiest way would be to rename the config.inc.php file, then run the setup (simply point to the openupload folder with the browser, not to the setup.php script directly, it will automatically load the setup script if it does not find the config.inc.php, i.e. http://mydomain.com/openupload/www/ I assume you are using version 0.4 now) Assign the correct settings for the database and populate it accordingly (check the groups, and select the mode you'd prefer i.e. restricted). Once setup is over put back the config.inc.php you had (unless you want to configure with the new one) and it should work. Another way would be to change the acl table in the database to match the groups of active directory, if you already done configurations, though you'll later have to fix the plugin acl and options too. Alessandro P.S. If you try to login and it simply re-displays the login screen (without a "login incorrect" message), AD is working, but the ACL are not correct. |
|
From: Andy H. <and...@eu...> - 2009-04-24 18:33:38
|
So I followed the instructions and got AD working and I have some questions... 1. Do you have a listing of permissions? Specifically u,d,g,r,l? (The rest seem pretty self explanatory). 2. Under rights I see a list of all the user groups in our user groups ou which is ~250 groups. How would be the best way to cut it down to only the 2 I am using? Can all of these groups use the openupload server if they show "Rights Set? No"? 3. It seems that the 'logout/login' link is broken and always says 'login' regardless of context. 4. Does it seem reasonable to just hide the user and group links if ldap is configured in config.inc.php? After fiddling around a little with the permissions, I am trying to make sure that I have the permissions set correctly. Thanks, Andy |
|
From: Alessandro B. <ts...@br...> - 2009-04-25 11:47:11
|
Andy Hester ha scritto: > So I followed the instructions and got AD working and I have some > questions... > good ;) > 1. Do you have a listing of permissions? Specifically u,d,g,r,l? (The > rest seem pretty self explanatory). > hmm, not sure if it's in the documentation (which mainly is laking :) ) u -> upload d and g -> download r -> remove l -> personal file list > 2. Under rights I see a list of all the user groups in our user groups > ou which is ~250 groups. How would be the best way to cut it down to > only the 2 I am using? Can all of these groups use the openupload > server if they show "Rights Set? No"? > I'd suggest you to create an organizational Unit (ou) which contains only the groups you's want to check. i.e. $CONFIG['ldap']['groupdn']='ou=OpenUploadGroups,dc=mydomain,dc=local'; and put the groups under that OU in AD. Otherwise you'll probably would have to change the ldap auth to do a different query for the groups. We might think on improving it in next release. > 3. It seems that the 'logout/login' link is broken and always says > 'login' regardless of context. this is pretty odd, I guess I'll have to test AD too. I don't get that with openLDAP, so maybe it's some acl. > > 4. Does it seem reasonable to just hide the user and group links if > ldap is configured in config.inc.php? > User and Group admin is not supported by the ldap auth method so it is reasonable, they should not be displayed yes, this is a bug. Alessandro |
|
From: Andy H. <and...@eu...> - 2009-04-28 18:58:08
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Alessandro Briosi wrote:
<blockquote cite="mid:49F...@br..." type="cite">
<pre wrap="">
Andy Hester ha scritto:
</pre>
<blockquote type="cite">
<pre wrap="">3. It seems that the 'logout/login' link is broken and always says
'login' regardless of context.
</pre>
</blockquote>
<pre wrap=""><!---->this is pretty odd, I guess I'll have to test AD too. I don't get that
with openLDAP, so maybe it's some acl.
</pre>
<br>
</blockquote>
Also,<br>
<br>
It seems that when I moved to Active Directory I have a different
behavior for file listings. When logging in as a user, I see a "Public
Files" link on the top of the page and not a "My Files" link like I am
used to. Also, users can now see files uploaded by other users. This
may be the result of some change that I made while fiddling with the
site as opposed to a bug or such. For the moment I have just disabled
file listing for the users. <br>
<br>
-Andy<br>
<br>
<br>
</body>
</html>
|
|
From: Alessandro B. <ts...@br...> - 2009-04-28 19:17:05
|
hmm, I might think there is something with the "groups" and the "unregistered" group. It seems the correct group is not associated to the user, or users that are "registered" users are also members of the "unregistered" group. This should explain the problems you have. AD support checks for every group associated to the user (if it can find it) and applies the rules on every group. Unless no group has access to some functionality it denies access to it. AFAIR also nested groups are checked. that's why probably having a "ou" with the openupload groups in there and bind to that "ou" for the groups would be best. Open Upload won't find other groups so only thoose are checked in the acl (though don't use nested groups then). Please also check the "unregistered" group in the config.inc.php file, that should match some group in active directory so you can set rights for it. ... ok. Looking at the source the fact that you get the "Public Files" means that the user is not logged in, or that the AD login field is not correctly populated. Are you sure that in the config.inc.php file the line with associated fields like this?: $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => 'name', 'memberof' => 'group_id', 'mail' => 'email'); This behavier is caused by a missing 'login' value when a user logs in. Alessandro Andy Hester ha scritto: > Alessandro Briosi wrote: >> Andy Hester ha scritto: >> >>> 3. It seems that the 'logout/login' link is broken and always says >>> 'login' regardless of context. >>> >> this is pretty odd, I guess I'll have to test AD too. I don't get that >> with openLDAP, so maybe it's some acl. >> >> >> > Also, > > It seems that when I moved to Active Directory I have a different > behavior for file listings. When logging in as a user, I see a "Public > Files" link on the top of the page and not a "My Files" link like I am > used to. Also, users can now see files uploaded by other users. This > may be the result of some change that I made while fiddling with the > site as opposed to a bug or such. For the moment I have just disabled > file listing for the users. > > -Andy > > > > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------------ > Register Now & Save for Velocity, the Web Performance & Operations > Conference from O'Reilly Media. Velocity features a full day of > expert-led, hands-on workshops and two days of sessions from industry > leaders in dedicated Performance & Operations tracks. Use code vel09scf > and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf > > > ------------------------------------------------------------------------ > > _______________________________________________ > Openupload-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/openupload-devel |
|
From: Andy H. <and...@eu...> - 2009-04-28 20:23:14
|
Alessandro Briosi wrote: > hmm, I might think there is something with the "groups" and the > "unregistered" group. > > It seems the correct group is not associated to the user, or users that > are "registered" users are also members of the "unregistered" group. > This should explain the problems you have. > Right now I have in config.inc.php: $CONFIG['register']['nologingroup'] = 'unregistered'; $CONFIG['register']['default_group'] = 'upload_users'; does this look correct? > AD support checks for every group associated to the user (if it can find > it) and applies the rules on every group. Unless no group has access to > some functionality it denies access to it. > AFAIR also nested groups are checked. > that's why probably having a "ou" with the openupload groups in there > and bind to that "ou" for the groups would be best. Open Upload won't > find other groups so only thoose are checked in the acl (though don't > use nested groups then). > I did create a separate OU for this and it only has upload_users and upload_admins... No users are currently members of both groups. > Please also check the "unregistered" group in the config.inc.php file, > that should match some group in active directory so you can set rights > as above the only thing I see about an '"unregistered" group in the config.inc.php' is this: $CONFIG['register']['nologingroup'] = 'unregistered'; $CONFIG['register']['default_group'] = 'upload_users'; Not sure if this is correct. > for it. > ... > > ok. > Looking at the source the fact that you get the "Public Files" means > that the user is not logged in, or that the AD login field is not > correctly populated. > Are you sure that in the config.inc.php file the line with associated > fields like this?: > $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => > 'name', 'memberof' => 'group_id', 'mail' => 'email'); > Yes. I have this line exactly like above. Login does work and provides the different rights for upload_admins vs upload_users. > This behavier is caused by a missing 'login' value when a user logs in. > > Alessandro > > A |
|
From: Alessandro B. <ts...@br...> - 2009-04-28 21:17:37
|
Andy Hester ha scritto: > Right now I have in config.inc.php: > > $CONFIG['register']['nologingroup'] = 'unregistered'; > $CONFIG['register']['default_group'] = 'upload_users'; > > does this look correct? > >> AD support checks for every group associated to the user (if it can find >> it) and applies the rules on every group. Unless no group has access to >> some functionality it denies access to it. >> AFAIR also nested groups are checked. >> that's why probably having a "ou" with the openupload groups in there >> and bind to that "ou" for the groups would be best. Open Upload won't >> find other groups so only thoose are checked in the acl (though don't >> use nested groups then). >> > I did create a separate OU for this and it only has upload_users and > upload_admins... > No users are currently members of both groups. ok >> Please also check the "unregistered" group in the config.inc.php file, >> that should match some group in active directory so you can set rights >> > as above the only thing I see about an '"unregistered" group in the > config.inc.php' is this: > $CONFIG['register']['nologingroup'] = 'unregistered'; > $CONFIG['register']['default_group'] = 'upload_users'; > > Not sure if this is correct. if you have an 'unregistered' group in AD this is ok. It's only usefull to assign rights to not logged in users. (like download) the second one is the group to be assigned for User Registration which is not supported by AD authentication. > >> for it. >> ... >> >> ok. >> Looking at the source the fact that you get the "Public Files" means >> that the user is not logged in, or that the AD login field is not >> correctly populated. >> Are you sure that in the config.inc.php file the line with associated >> fields like this?: >> $CONFIG['ldap']['userfields'] = array ( 'cn' => 'login', 'name' => >> 'name', 'memberof' => 'group_id', 'mail' => 'email'); >> > Yes. I have this line exactly like above. > > Login does work and provides the different rights for upload_admins vs > upload_users. > > OK the problem is here I think. the 'login' field is not populated for some reason. Probably the 'cn' field is not correct. If you look at the database the files do not have any user associated, that is why you see the "Public Files" and they are all visible by everybody. could you try using this insthead then? $CONFIG['ldap']['uid']='sAMAccountName'; $CONFIG['ldap']['userfields'] = array ( 'sAMAccountName' => 'login', 'cn' => 'name', 'memberof' => 'group_id', 'mail' => 'email'); Alessandro |
|
From: Andy H. <and...@eu...> - 2009-04-28 21:36:09
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> Alessandro Briosi wrote: <blockquote cite="mid:49F...@br..." type="cite"><br> <pre wrap=""><!---->OK the problem is here I think. the 'login' field is not populated for some reason. Probably the 'cn' field is not correct. If you look at the database the files do not have any user associated, that is why you see the "Public Files" and they are all visible by everybody. could you try using this insthead then? $CONFIG['ldap']['uid']='sAMAccountName'; $CONFIG['ldap']['userfields'] = array ( 'sAMAccountName' => 'login', 'cn' => 'name', 'memberof' => 'group_id', 'mail' => 'email'); Alessandro -</pre> </blockquote> Sorry, I misspoke. I am already using the sAMAccountName version - it doesn't seem to work at all with 'cn'. Also, when I login, I use my AD log on id which is a alpha-numeric value, but my AD display name is displayed correctly in the top right side of the page. Based on this it does seem to know which user I am.<br> <br> -Andy<br> <br> </body> </html> |
|
From: Alessandro B. <ts...@br...> - 2009-04-28 21:44:55
|
Andy Hester ha scritto:
> Sorry, I misspoke. I am already using the sAMAccountName version - it
> doesn't seem to work at all with 'cn'. Also, when I login, I use my AD
> log on id which is a alpha-numeric value, but my AD display name is
> displayed correctly in the top right side of the page. Based on this it
> does seem to know which user I am.
>
Well, it uses the AD user account to check for the group info, but I'm
quite sure the specific 'login' field is not populated.
Try changing the template file.
templates/index.tpl
insert a new line after line 23 like this: (after {$user.name} ):
<br />{$user.login}
and see if it prints something after the user name (once you log in).
If it does, then there is a bug somewhere, and I'll try AD again tomorrow.
BTW: is this a 2003 , 2000 , mixed or 2008 AD?
(I have only tested a 2003 AD domain afair, and it worked with 'cn')
Alessandro
|
|
From: Andy H. <and...@eu...> - 2009-04-28 22:12:35
|
Alessandro Briosi wrote:
> Well, it uses the AD user account to check for the group info, but I'm
> quite sure the specific 'login' field is not populated.
>
> Try changing the template file.
> templates/index.tpl
>
> insert a new line after line 23 like this: (after {$user.name} ):
> <br />{$user.login}
>
> and see if it prints something after the user name (once you log in).
> If it does, then there is a bug somewhere, and I'll try AD again tomorrow.
>
It does not print anything after making this change. It would seem that
you are correct about the field not being populated, although I am not
sure why.
> BTW: is this a 2003 , 2000 , mixed or 2008 AD?
>
2003.
> (I have only tested a 2003 AD domain afair, and it worked with 'cn')
>
If I use the 'cn' version, nothing happens after login (not even a
'Login Incorrect' error, but it does error if I put something bogus into
the login). But the 'cn' and the sAMAccountName are the same value.
> Alessandro
>
Thanks Alessandro
-Andy
|
|
From: Alessandro B. <ts...@br...> - 2009-04-28 22:25:48
|
Andy Hester ha scritto:
> Alessandro Briosi wrote:
>> Well, it uses the AD user account to check for the group info, but I'm
>> quite sure the specific 'login' field is not populated.
>>
>> Try changing the template file.
>> templates/index.tpl
>>
>> insert a new line after line 23 like this: (after {$user.name} ):
>> <br />{$user.login}
>>
>> and see if it prints something after the user name (once you log in).
>> If it does, then there is a bug somewhere, and I'll try AD again tomorrow.
>>
> It does not print anything after making this change. It would seem that
> you are correct about the field not being populated, although I am not
> sure why.
>
>> BTW: is this a 2003 , 2000 , mixed or 2008 AD?
>>
> 2003.
>
>> (I have only tested a 2003 AD domain afair, and it worked with 'cn')
>>
> If I use the 'cn' version, nothing happens after login (not even a
> 'Login Incorrect' error, but it does error if I put something bogus into
> the login). But the 'cn' and the sAMAccountName are the same value.
>
>
Maybe it's a rights issue of the "readonly" user. Can you try with an
Administrator account as the "readonly" user to see if this fixes the
problem?
That's my last guess for tonight. if this is not the case I'll check AD
tomorrow.
Alessandro
|
|
From: Alessandro B. <ts...@br...> - 2009-04-29 18:21:20
|
ok there is defenatly something which has changed with SP2 or so. the AD
structure now looks pretty strange, and the problems are 2
1. searching the user fails
2. searching the groups also fails
I need to find a better way to handle this.
Alessandro
Alessandro Briosi ha scritto:
>
> Andy Hester ha scritto:
>> Alessandro Briosi wrote:
>>> Well, it uses the AD user account to check for the group info, but I'm
>>> quite sure the specific 'login' field is not populated.
>>>
>>> Try changing the template file.
>>> templates/index.tpl
>>>
>>> insert a new line after line 23 like this: (after {$user.name} ):
>>> <br />{$user.login}
>>>
>>> and see if it prints something after the user name (once you log in).
>>> If it does, then there is a bug somewhere, and I'll try AD again tomorrow.
>>>
>> It does not print anything after making this change. It would seem that
>> you are correct about the field not being populated, although I am not
>> sure why.
>>
>>> BTW: is this a 2003 , 2000 , mixed or 2008 AD?
>>>
>> 2003.
>>
>>> (I have only tested a 2003 AD domain afair, and it worked with 'cn')
>>>
>> If I use the 'cn' version, nothing happens after login (not even a
>> 'Login Incorrect' error, but it does error if I put something bogus into
>> the login). But the 'cn' and the sAMAccountName are the same value.
>>
>>
>
> Maybe it's a rights issue of the "readonly" user. Can you try with an
> Administrator account as the "readonly" user to see if this fixes the
> problem?
>
>
> That's my last guess for tonight. if this is not the case I'll check AD
> tomorrow.
>
> Alessandro
>
> ------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations
> Conference from O'Reilly Media. Velocity features a full day of
> expert-led, hands-on workshops and two days of sessions from industry
> leaders in dedicated Performance & Operations tracks. Use code vel09scf
> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
> _______________________________________________
> Openupload-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openupload-devel
|
|
From: Alessandro B. <ts...@br...> - 2009-05-01 23:00:59
Attachments:
ldap.inc.php
|
ok, it should now be fixed in SVN. Attaching it so you can test it (and
others might review it )
It's more a hack then a real solution. (I need to re-think about this)
you need to change the following in your config.inc.php file
$CONFIG['register']['default_group']='Domain Users';
$CONFIG['ldap']['uid']='sAMAccountName';
$CONFIG['ldap']['userfields'] = array ( 'samaccountname' => 'login',
'name' => 'name', 'mail' => 'email', 'distinguishedname' => 'uid');
$CONFIG['ldap']['gid']='member';
$CONFIG['ldap']['groupfields'] = array ( 'samaccountname' => 'name',
'name' => 'description' );
other settings might remain the same.
Alessandro
Alessandro Briosi ha scritto:
> ok there is defenatly something which has changed with SP2 or so. the AD
> structure now looks pretty strange, and the problems are 2
> 1. searching the user fails
> 2. searching the groups also fails
>
> I need to find a better way to handle this.
>
> Alessandro
>
> Alessandro Briosi ha scritto:
>> Andy Hester ha scritto:
>>> Alessandro Briosi wrote:
>>>> Well, it uses the AD user account to check for the group info, but I'm
>>>> quite sure the specific 'login' field is not populated.
>>>>
>>>> Try changing the template file.
>>>> templates/index.tpl
>>>>
>>>> insert a new line after line 23 like this: (after {$user.name} ):
>>>> <br />{$user.login}
>>>>
>>>> and see if it prints something after the user name (once you log in).
>>>> If it does, then there is a bug somewhere, and I'll try AD again tomorrow.
>>>>
>>> It does not print anything after making this change. It would seem that
>>> you are correct about the field not being populated, although I am not
>>> sure why.
>>>
>>>> BTW: is this a 2003 , 2000 , mixed or 2008 AD?
>>>>
>>> 2003.
>>>
>>>> (I have only tested a 2003 AD domain afair, and it worked with 'cn')
>>>>
>>> If I use the 'cn' version, nothing happens after login (not even a
>>> 'Login Incorrect' error, but it does error if I put something bogus into
>>> the login). But the 'cn' and the sAMAccountName are the same value.
>>>
>>>
>> Maybe it's a rights issue of the "readonly" user. Can you try with an
>> Administrator account as the "readonly" user to see if this fixes the
>> problem?
>>
>>
>> That's my last guess for tonight. if this is not the case I'll check AD
>> tomorrow.
>>
>> Alessandro
>>
>> ------------------------------------------------------------------------------
>> Register Now & Save for Velocity, the Web Performance & Operations
>> Conference from O'Reilly Media. Velocity features a full day of
>> expert-led, hands-on workshops and two days of sessions from industry
>> leaders in dedicated Performance & Operations tracks. Use code vel09scf
>> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>> _______________________________________________
>> Openupload-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openupload-devel
>
> ------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations
> Conference from O'Reilly Media. Velocity features a full day of
> expert-led, hands-on workshops and two days of sessions from industry
> leaders in dedicated Performance & Operations tracks. Use code vel09scf
> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
> _______________________________________________
> Openupload-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openupload-devel
|
|
From: Andy H. <and...@eu...> - 2009-05-05 20:11:33
|
Alessandro Briosi wrote: > ok, it should now be fixed in SVN. Attaching it so you can test it > (and others might review it ) > It's more a hack then a real solution. (I need to re-think about this) > So I replaced the ldap.inc.php file and made the changes to config.inc.php and it functions as expected now. The user is recognized, the login was displayed (we changed index.tpl to test for this), the links show 'My Files' and 'Logout' as expected. Thanks for the fix! The only question I have about it is why the default group was set to 'Domain Users'? Could it be set for example to another group in my open upload OU? The reason I ask is that we may include 'domain users' in our 'open upload users' group to grant user access. I'm not sure what effect this would have. Other than this point, I'm not sure why this is a hack. -Andy |
|
From: Alessandro B. <ts...@br...> - 2009-05-06 08:23:47
|
Hi Andy, Andy Hester ha scritto: > Alessandro Briosi wrote: >> ok, it should now be fixed in SVN. Attaching it so you can test it >> (and others might review it ) >> It's more a hack then a real solution. (I need to re-think about this) >> > So I replaced the ldap.inc.php file and made the changes to > config.inc.php and it functions as expected now. The user is > recognized, the login was displayed (we changed index.tpl to test for > this), the links show 'My Files' and 'Logout' as expected. Thanks for > the fix! > Good. > The only question I have about it is why the default group was set to > 'Domain Users'? Could it be set for example to another group in my open > upload OU? The reason I ask is that we may include 'domain users' in > our 'open upload users' group to grant user access. I'm not sure what > effect this would have. Other than this point, I'm not sure why this is > a hack. > That's exactly why this is a hack. There is no easy way to find out the primary user group (Domain Users should be the default, but not always) If you add Domain Users to the OU groups then Open Upload should be able to also see that groups (so the basedn must change). I'm not sure Open Upload would handle this group in group thing right now. The "Domain Users" member attribute does not contain the users which are part of if, and also the user memberOf attribute does not contain it. As I said I need to rethink on how to properly handle the AD backend. There is this library adLDAP.php which should handle it and is small, so I'm wondering if I need to switch to it insthead of using my own. Of course right now you can change the "Domain Users" value to anything you like, but anybody which is able to authenticate against AD whould be granted at least the rights of that group. Alessandro |
|
From: Andy H. <and...@eu...> - 2009-04-28 21:39:17
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Alessandro Briosi wrote:
<blockquote cite="mid:49F...@br..." type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Please also check the "unregistered" group in the config.inc.php file,
that should match some group in active directory so you can set rights
</pre>
</blockquote>
<pre wrap="">as above the only thing I see about an '"unregistered" group in the
config.inc.php' is this:
$CONFIG['register']['nologingroup'] = 'unregistered';
$CONFIG['register']['default_group'] = 'upload_users';
Not sure if this is correct.
</pre>
</blockquote>
<pre wrap=""><!---->
if you have an 'unregistered' group in AD this is ok. It's only usefull
to assign rights to not logged in users. (like download)
the second one is the group to be assigned for User Registration which
is not supported by AD authentication.
</pre>
</blockquote>
I do not have an 'unregistered' group in AD. Only upload_users and
upload_admins. In the Rights section of the admin page it list three
groups:<br>
<br>
Any<br>
upload_admins<br>
upload_users<br>
<br>
I will try creating an empty group called 'unregistered' in that OU to
see if that fixes anything.<br>
<br>
-Andy<br>
<br>
</body>
</html>
|
|
From: Andy H. <and...@eu...> - 2009-04-28 21:46:09
|
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Andy Hester wrote:
<blockquote cite="mid:49F...@eu..." type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Alessandro Briosi wrote:
<blockquote cite="mid:49F...@br..." type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Please also check the "unregistered" group in the config.inc.php file,
that should match some group in active directory so you can set rights
</pre>
</blockquote>
<pre wrap="">as above the only thing I see about an '"unregistered" group in the
config.inc.php' is this:
$CONFIG['register']['nologingroup'] = 'unregistered';
$CONFIG['register']['default_group'] = 'upload_users';
Not sure if this is correct.
</pre>
</blockquote>
<pre wrap=""><!---->
if you have an 'unregistered' group in AD this is ok. It's only usefull
to assign rights to not logged in users. (like download)
the second one is the group to be assigned for User Registration which
is not supported by AD authentication.
</pre>
</blockquote>
I do not have an 'unregistered' group in AD. Only upload_users and
upload_admins. In the Rights section of the admin page it list three
groups:<br>
<br>
Any<br>
upload_admins<br>
upload_users<br>
<br>
I will try creating an empty group called 'unregistered' in that OU to
see if that fixes anything.<br>
<br>
-Andy<br>
</blockquote>
So I created the emptu group called 'unregistered and the Rights page
sees it and maps it to the 'unregistered' group. Try again and the
site still shows 'Public Files' when logged in as an upload_user or as
an upload_admin. All files are still visible (I had to allow 'l'
permissions for upload_users to check this)<br>
<br>
-Andy<br>
<br>
</body>
</html>
|
|
From: Alessandro B. <ts...@br...> - 2009-04-28 21:47:51
|
Andy Hester ha scritto: > Alessandro Briosi wrote: >>>> Please also check the "unregistered" group in the config.inc.php file, >>>> that should match some group in active directory so you can set rights >>>> >>>> >>> as above the only thing I see about an '"unregistered" group in the >>> config.inc.php' is this: >>> $CONFIG['register']['nologingroup'] = 'unregistered'; >>> $CONFIG['register']['default_group'] = 'upload_users'; >>> >>> Not sure if this is correct. >>> >> >> if you have an 'unregistered' group in AD this is ok. It's only usefull >> to assign rights to not logged in users. (like download) >> >> the second one is the group to be assigned for User Registration which >> is not supported by AD authentication. >> > I do not have an 'unregistered' group in AD. Only upload_users and > upload_admins. In the Rights section of the admin page it list three > groups: > > Any > upload_admins > upload_users > If you populated the db with the setup script then probably you have some rights set for the unregistered users > I will try creating an empty group called 'unregistered' in that OU to > see if that fixes anything. > Yes, so you can manage (or remove completly) the group rights of not logged in users. I should fix this ... Alessandro |
Thanks for helping keep SourceForge clean.
X