Bingo. Thank you! There's a second LDAP attribute that specifies a student's academic major. Ultimately that will probably prove as useful as the faculty/staff/student info I'm getting from 'pdsRole'. Could I duplicate the updateLDAPGroups function and run the same code against that second attribute? Or is that too clumsy an approach?
Regards,
Mike

On Wed, Feb 26, 2014 at 12:44 PM, Josh Thompson <[email protected]> wrote:
> Mike,
>
> That's interesting that it does not give the full DN for items in pdsrole.
> Yes, you should be able to just match 'admin', 'employee', and 'staff'. I
> think
>
> preg_match('/^(admin|employee|staff)$/', $data[0]['pdsrole'][$i], $match)
>
> will do it.
>
> Josh
>
> On Wednesday, February 26, 2014 12:22:43 PM Mike Haudenschild wrote:
> > Hi Josh,
> >
> > Thanks for this troubleshooting tip. Getting some interesting output here,
> > so I'll probably need some help writing a regex to make this work --
> > assuming it's even possible. Would I just be able to match on the strings
> > 'admin', 'employee', and 'staff'?
> >
> > NB the "memberof" attribute in this particular LDAP deployment is
> > 'pdsrole'. The DN given here isn't helpful from a VCL perspective since
> > everyone in the institution is a member of 'ou=People'.
> >
> > (begin output)
> >
> > Array
> > (
> >     [count] => 1
> >     [0] => Array
> >         (
> >             [pdsrole] => Array
> >                 (
> >                     [count] => 3
> >                     [0] => admin
> >                     [1] => employee
> >                     [2] => staff
> >                 )
> >
> >             [0] => pdsrole
> >             [count] => 1
> >             [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
> >         )
> >
> > )
> >
> > (end output)
> >
> > On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
> > > Mike,
> > >
> > > The first thing I'd do is to put
> > >
> > > printArray($data);
> > >
> > > right after
> > >
> > > $data = ldap_get_entries($ds, $search);
> > >
> > > then go to User Lookup and look up a user that should have some group
> > > memberships with the force checkbox selected. That will show you exactly
> > > what is being returned by the ldap query.
> > >
> > > One guess related to things I've seen is that the "CN" is being returned
> > > in lower case. You can add "i" to the end of the regular expression to
> > > ignore case:
> > >
> > > if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
> > >
> > > If you want to join #asfvcl on freenode, I can help over IM.
> > >
> > > Josh
> > >
> > > On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
> > > > This particular LDAP installation maintains group membership info in a
> > > > field called "pdsrole." The groups exist as CNs in the OU
> > > > "accessgroups."
> > > >
> > > > I'm trying to get VCL to provision the groups as per the docs
> > > > (http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups)
> > > > but haven't had any luck. I've been staring at this for a while and I'm
> > > > sure I'm missing something obvious at this point. Any help would be
> > > > appreciated.
> > > >
> > > > I don't know if this matters in the context of finding groups, but I had
> > > > to enable "lookupuserbeforeauth" in conf.php to get LDAP logins working.
> > > >
> > > > (The "o=institution.edu,o=cp" is strange but actually is correct.)
> > > >
> > > > The function from authmethods:
> > > >
> > > > function updatewcldapGroups($user) {
> > > >     global $authMechs;
> > > >     $auth = $authMechs['wcldap'];
> > > >     $ds = ldap_connect("ldap://{$auth['server']}/");
> > > >     if(! $ds)
> > > >         return 0;
> > > >     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> > > >     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
> > > >     $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
> > > >     if(! $res)
> > > >         return 0;
> > > >     $search = ldap_search($ds,
> > > >                           $auth['binddn'],
> > > >                           "{$auth['unityid']}={$user['unityid']}",
> > > >                           array('pdsrole'), 0, 10, 15);
> > > >     if(! $search)
> > > >         return 0;
> > > >     $data = ldap_get_entries($ds, $search);
> > > >     $newusergroups = array();
> > > >     if(! array_key_exists('pdsrole', $data[0]))
> > > >         return;
> > > >     for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
> > > >         if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
> > > >                       $data[0]['pdsrole'][$i], $match))
> > > >             array_push($newusergroups,
> > > >                        getUserGroupID($match[1], $user['affiliationid']));
> > > >     }
> > > >     $newusergroups = array_unique($newusergroups);
> > > >     updateGroups($newusergroups, $user["id"]);
> > > > }
> > > > ?>
> > > >
> > > > Thanks very much,
> > > > Mike
> > >
> > > --
> > > -------------------------------
> > > Josh Thompson
> > > VCL Developer
> > > North Carolina State University
> > >
> > > my GPG/PGP key can be found at pgp.mit.edu
> > >
> > > All electronic mail messages in connection with State business which
> > > are sent to or received by this account are subject to the NC Public
> > > Records Law and may be disclosed to third parties.
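The thread ends with the question of whether to copy the whole update function for a second attribute. An alternative, shown here as an added example that is neither VCL's code nor Mike's posted function, is to keep the LDAP connect/bind/search once and pull the attribute-to-group mapping out into one helper that is driven by a table of anchored regexes. The second attribute name `major`, its regex, and the sample entry are constructed for illustration; the `pdsrole` values mirror the `printArray()` output quoted above.

```php
<?php
// Added example, not code from VCL or from the thread. One helper maps a
// multi-valued LDAP attribute to VCL group names; a rules table decides which
// attributes are consulted and which values are accepted.

/**
 * Extract group names from one multi-valued attribute of an LDAP entry.
 *
 * $entry    one entry as returned by ldap_get_entries(), i.e. $data[0]
 * $attr     attribute name in lower case, the form ldap_get_entries() uses
 * $patterns anchored regexes; the first capture group (or the whole match
 *           when there is no group) becomes the group name
 */
function ldapAttributeToGroups(array $entry, $attr, array $patterns) {
    $groups = array();
    if(! array_key_exists($attr, $entry))
        return $groups;
    for($i = 0; $i < $entry[$attr]['count']; $i++) {
        $value = $entry[$attr][$i];
        foreach($patterns as $pattern) {
            if(preg_match($pattern, $value, $match)) {
                $groups[] = isset($match[1]) ? $match[1] : $match[0];
                break;  // one group per value; stop at the first matching rule
            }
        }
    }
    // drop duplicates so the same group is not pushed twice
    return array_values(array_unique($groups));
}

// Per-attribute rules. Every regex is anchored with ^ and $ so that a value
// such as "staffing" or "staff;ou=bogus" is rejected rather than mapped.
$ldapGroupRules = array(
    // pdsrole holds bare role names, as the printArray() output showed;
    // the i flag covers the lower/upper-case variation Josh mentioned
    'pdsrole' => array('/^(admin|employee|staff)$/i'),
    // hypothetical second attribute holding the academic major as a bare
    // value; the name 'major' and its format are assumptions, not from the thread
    'major'   => array('/^([A-Za-z][A-Za-z0-9 ]{0,63})$/'),
);

// Sample entry constructed to mirror the quoted printArray() output, with the
// hypothetical 'major' attribute and one pdsrole value that must be rejected.
$sampleEntry = array(
    'pdsrole' => array('count' => 4, 0 => 'admin', 1 => 'employee',
                       2 => 'staff', 3 => 'staff;ou=bogus'),
    0         => 'pdsrole',
    'major'   => array('count' => 2, 0 => 'Computer Science',
                       1 => 'Computer Science'),
    1         => 'major',
    'count'   => 2,
    'dn'      => 'uid=290933460177932,ou=People,o=institution.edu,o=cp',
);

foreach($ldapGroupRules as $attr => $patterns) {
    $names = ldapAttributeToGroups($sampleEntry, $attr, $patterns);
    printf("%s -> %s\n", $attr, implode(', ', $names));
}
```

To wire this into the posted `updatewcldapGroups()`, request `array_keys($ldapGroupRules)` instead of `array('pdsrole')` in the `ldap_search()` call, then loop over the rules, pass each returned name to `getUserGroupID($name, $user['affiliationid'])`, and hand the `array_unique()`d result to `updateGroups()` exactly as the posted function already does. Keeping the accepted values to an explicit allowlist means an unexpected attribute value cannot create or select a VCL group by accident. One further note on the posted function: the user-supplied `unityid` is interpolated straight into the search filter; on PHP 5.6 or later, passing it through `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` first keeps filter metacharacters in the value from changing the query.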
