This particular LDAP installation maintains group membership info in a
field called "pdsrole." The groups exist as CNs in the OU "accessgroups."
I'm trying to get VCL to provision the groups as per the docs (
http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups) but
haven't had any luck. I've been staring at this for a while and I'm sure
I'm missing something obvious at this point. Any help would be appreciated.
I don't know if this matters in the context of finding groups, but I had to
enable "lookupuserbeforeauth" in conf.php to get LDAP logins working.
(The "o=institution.edu,o=cp" is strange but actually is correct.)
The function from authmethods:
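/**
 * Mirror a user's LDAP group membership into VCL user groups.
 *
 * Binds to the 'wcldap' server with the configured master credentials,
 * fetches the multi-valued "pdsrole" attribute of the user's entry and, for
 * every value that is a DN under ou=accessgroups,o=institution.edu,o=cp,
 * resolves the CN to a VCL user group via getUserGroupID() and hands the
 * resulting set to updateGroups().
 *
 * @param array $user  user record; 'unityid', 'affiliationid' and 'id' are read
 * @return int|void  0 when the connection, bind or search fails, when no
 *                   entry matches, or when the entry has no pdsrole values;
 *                   nothing after the groups have been updated
 */
function updatewcldapGroups($user) {
	global $authMechs;
	$auth = $authMechs['wcldap'];

	$ds = ldap_connect("ldap://{$auth['server']}/");
	if(! $ds)
		return 0;
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

	if(! ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd'])) {
		ldap_unbind($ds);
		return 0;
	}

	// the login name comes from the caller, so escape it for the filter
	// context; unescaped '*', '(' or ')' would change the filter's meaning
	$filter = "{$auth['unityid']}=" .
	          ldap_escape($user['unityid'], '', LDAP_ESCAPE_FILTER);
	$search = ldap_search($ds, $auth['binddn'], $filter,
	                      array('pdsrole'), 0, 10, 15);
	if(! $search) {
		ldap_unbind($ds);
		return 0;
	}
	$data = ldap_get_entries($ds, $search);
	// the entries are now in memory; release the connection on every path
	ldap_unbind($ds);

	// no entry matched (indexing $data[0] would be undefined), or the entry
	// carries no pdsrole attribute
	if($data === false || $data['count'] == 0 ||
	   ! array_key_exists('pdsrole', $data[0]))
		return 0;

	// DN attribute types are case-insensitive in LDAP, so accept "cn=" as
	// well as "CN="; the '.' in the domain is escaped so it only matches a
	// literal dot
	$pattern = '/^CN=(.+),ou=accessgroups,o=institution\.edu,o=cp/i';
	$newusergroups = array();
	for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
		if(preg_match($pattern, $data[0]['pdsrole'][$i], $match))
			$newusergroups[] = getUserGroupID($match[1], $user['affiliationid']);
	}
	// array_unique keeps the original keys; reindex so a proper list is passed on
	$newusergroups = array_values(array_unique($newusergroups));
	updateGroups($newusergroups, $user['id']);
}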
?>
Thanks very much,
Mike