From: Grant J. <fgj...@up...> - 2009-07-23 19:48:13
Hey,

What am I not setting properly in LDAP config? I just want to make one of my LDAP schemas work at first, then I'll look at searching all three. I get the following errors:

*******************************
Warning: ldap_search() [function.ldap-search]: Search: Local error in /usr/local/vufind/web/sys/User.php on line 72
Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in /usr/local/vufind/web/sys/User.php on line 73

Here's my config:
*********************
[LDAP]
host = ldap.myuniv.ca
port = 389
basedn = "ou=MYOUNIT,o=MYORG"
uid = cn

This works in ezproxy:
***************************
URL ldap://my-ldap.novell.server.ca/ou=ONE,o=UNIV?uid?sub?(objectClass=person)
From: Till K. <kin...@gm...> - 2009-07-24 12:31:13
Grant Johnson schrieb:
> Hey,
>
> What am I not setting properly in LDAP config?

Let's see. But again: I'm doing that just in theory, I haven't used LDAP with VuFind...

All around LDAP authentication is happening in web/sys/User.php in function loginLDAP(). I guess you will need to modify that, because that seems to be an implementation of an LDAP login for a very specific setting... Let's see what it does:

It first calls ldap_connect() to open a connection to the LDAP server. If connect is successful, the line

ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

switches to LDAP protocol version 3 (default is version 2 in PHP). Does your server support that? If not, try commenting out that line.

The next line of code

ldap_start_tls($conn);

forces a switch to TLS encryption for that connection (which works only in protocol version 3 as far as I know). Does your server support that? Again, try without that line.

Then an anonymous search down the tree from the configured basedn is done using uid=$username ($username is the string a user entered as username in the authentication form). uid is hard coded as the attribute holding the username. Is that correct for your server (seems you want to do something with cn?)? If not, adjust it. Other question: Does your server allow anonymous searches or do you need to do an authenticated bind first?

If a matching entry is found in the directory, an authenticated bind is made using the dn of the found LDAP entry plus the password the user entered:

@ldap_bind($conn, $info[0]['dn'], $password);

(again after forcing protocol version 3 and TLS)

If that bind was successful, we are doing again a search on attribute uid and finally retrieve the attribute values of matching records. Those are then parsed into a VuFind User object (by calling processLDAPUser(), again using hard coded attribute values...). That's all very specific to a specific situation, it seems...

I think you won't get that working without rewriting it specific to your LDAP scenario, if you don't have the same setup by accident... Someone has good ideas how to get a more generalized LDAP solution into VuFind, that may be configured for local needs?

> Here's my config:
> *********************
> [LDAP]
> host = ldap.myuniv.ca
> port = 389
> basedn = "ou=MYOUNIT,o=MYORG"
> uid = cn

Looks good, I'd say, but doesn't help... The uid setting is used only once in a declaration of another variable ($rdn), but that $rdn isn't used anywhere again?! Hmmm, work in progress? Anyone working on that?

Regards,
Till
--
http://twitter.com/tillk
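A configurable version of the connect / StartTLS / search / bind flow Till walks through above, written here as an added example (it is not VuFind's loginLDAP() nor the JIRA patch). It assumes PHP 7 or newer for ldap_escape() and adds config keys the page's [LDAP] section does not have: username_attr, bind_dn, bind_password and require_tls. Each step reports ldap_error(), which is what the "Search: Local error" warning in the first message hides.

```php
<?php
// Added example, not VuFind code. Assumed extra config keys:
// username_attr, bind_dn, bind_password, require_tls.
function ldapLogin(array $cfg, string $username, string $password): array
{
    $port = $cfg['port'] ?? 389;
    $conn = ldap_connect("ldap://{$cfg['host']}:{$port}");
    if ($conn === false) {
        return ['ok' => false, 'error' => 'could not initialise LDAP handle'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers subtree searches with referrals; chasing them fails without this.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!empty($cfg['require_tls']) && !@ldap_start_tls($conn)) {
        return ['ok' => false, 'error' => 'StartTLS failed: ' . ldap_error($conn)];
    }
    // Service-account bind when the directory does not allow anonymous searches.
    $bound = empty($cfg['bind_dn'])
        ? @ldap_bind($conn)
        : @ldap_bind($conn, $cfg['bind_dn'], $cfg['bind_password']);
    if (!$bound) {
        return ['ok' => false, 'error' => 'search bind failed: ' . ldap_error($conn)];
    }
    // Username attribute comes from config (uid, cn, sAMAccountName, ...).
    // Escape the user-supplied value so it cannot alter the filter (LDAP injection).
    $attr   = $cfg['username_attr'] ?? 'uid';
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $res = @ldap_search($conn, $cfg['basedn'], $filter, ['dn', 'cn', 'mail']);
    if ($res === false) {
        // This is the point where "Search: Local error" surfaces in User.php.
        return ['ok' => false, 'error' => 'search failed: ' . ldap_error($conn)];
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries['count'] !== 1) {
        return ['ok' => false, 'error' => 'expected one match, got ' . $entries['count']];
    }
    $dn = $entries[0]['dn'];
    // An empty password makes ldap_bind succeed as an unauthenticated bind: refuse it.
    if ($password === '' || !@ldap_bind($conn, $dn, $password)) {
        return ['ok' => false, 'error' => 'user bind failed: ' . ldap_error($conn)];
    }
    ldap_unbind($conn);
    return ['ok' => true, 'dn' => $dn, 'cn' => $entries[0]['cn'][0] ?? null];
}

// Usage with the config from the thread, username held in cn:
// $r = ldapLogin(['host' => 'ldap.myuniv.ca', 'port' => 389,
//     'basedn' => 'ou=MYOUNIT,o=MYORG', 'username_attr' => 'cn',
//     'require_tls' => true], $user, $pass);
```

When the search step fails, the returned error string names the cause (for example a StartTLS or referral problem) instead of the generic warning the page shows.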
From: Walker, D. <dw...@ca...> - 2009-07-24 15:35:40
> Someone has good ideas how to get a more generalized
> LDAP solution into VuFind, that may be configured for
> local needs?

I don't. But I work on a project where this same question came up, and we decided not to do this, for one reason, really: EZProxy now has an option called CASServiceURL [1]. It basically allows you to set up your EZProxy server as a CAS server [2]. If VuFind supports CAS authentication, then you can basically use EZProxy as your login to VuFind.

Since a lot of institutions now are using Shibboleth, CAS, and now have the option to use EZproxy as a CAS server -- all of which are already tied into your campus directory -- it seems advantageous to push the messy details of LDAP authentication to those systems, and let an application like VuFind simply piggy-back its authentication on top of that. Otherwise, you're stuck with all kinds of LDAP headaches.

Just my $0.2.

--Dave

[1] http://www.oclc.org/support/documentation/ezproxy/cfg/casserviceurl/default.htm
[2] http://www.jasig.org/cas

==================
David Walker
Library Web Services Manager
California State University
http://xerxes.calstate.edu
------------------------------------------------------------------------------
_______________________________________________
VuFind-General mailing list
VuF...@li...
https://lists.sourceforge.net/lists/listinfo/vufind-general
From: Brad D. <bd...@st...> - 2009-07-24 17:29:08
Attachments:
ldapupgrade.tar
Hey Grant,

Brad at StFX. I might be working on getting the LDAP configured for X soon. I'll let you know how it goes. We use AD here, though.

There was a patch submitted to the JIRA tracker a while ago with cleaned up LDAP code and more configurable options. Not sure if it's going to make it into released code, but on first glance, it looked pretty good. I will probably work with that version of the LDAP code. I attached the proposed patch files to this email.

Brad
StFX