-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mike,

I don't remember in which version it was introduced, but you can go to Privileges->Additional User Permissions and grant "Manage Federated User Groups" to be able to see the LDAP based groups under Manage Groups. You will not be able to edit the membership of the groups since that part is managed from LDAP.

Josh

On Wednesday, February 26, 2014 3:03:07 PM Mike Haudenschild wrote:
> (Apologies for the second email.) Also, is it still true that "Manage Groups" only displays VCL-local groups? I *do* see the LDAP groups populating when I "add group" from the privilege tree, but I just want to make sure I'm not missing something.
>
> Thanks again,
> Mike
>
> On Wed, Feb 26, 2014 at 3:00 PM, Mike Haudenschild <[email protected]> wrote:
> > Bingo. Thank you!
> >
> > There's a second LDAP attribute that specifies a student's academic major. Ultimately that will probably prove as useful as the faculty/staff/student info I'm getting from 'pdsRole'. Could I duplicate the updateLDAPGroups function and run the same code against that second attribute? Or is that too clumsy an approach?
> >
> > Regards,
> > Mike
> >
> > On Wed, Feb 26, 2014 at 12:44 PM, Josh Thompson <[email protected]> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Mike,
> > >
> > > That's interesting that it does not give the full DN for items in pdsrole. Yes, you should be able to just match 'admin', 'employee', and 'staff'. I think
> > >
> > > preg_match('/^(admin|employee|staff)$/', $data[0]['pdsrole'][$i], $match)
> > >
> > > will do it.
> > >
> > > Josh
> > >
> > > On Wednesday, February 26, 2014 12:22:43 PM Mike Haudenschild wrote:
> > > > Hi Josh,
> > > >
> > > > Thanks for this troubleshooting tip. Getting some interesting output here, so I'll probably need some help writing a regex to make this work -- assuming it's even possible. Would I just be able to match on the strings 'admin', 'employee', and 'staff'?
> > > >
> > > > NB the "memberof" attribute in this particular LDAP deployment is 'pdsrole'. The DN given here isn't helpful from a VCL perspective since everyone in the institution is a member of 'ou=People'.
> > > >
> > > > (begin output)
> > > >
> > > > Array
> > > > (
> > > >     [count] => 1
> > > >     [0] => Array
> > > >         (
> > > >             [pdsrole] => Array
> > > >                 (
> > > >                     [count] => 3
> > > >                     [0] => admin
> > > >                     [1] => employee
> > > >                     [2] => staff
> > > >                 )
> > > >
> > > >             [0] => pdsrole
> > > >             [count] => 1
> > > >             [dn] => uid=290933460177932,ou=People,o=institution.edu,o=cp
> > > >         )
> > > >
> > > > )
> > > >
> > > > (end output)
> > > >
> > > > On Thu, Feb 20, 2014 at 9:04 AM, Josh Thompson <[email protected]> wrote:
> > > > > -----BEGIN PGP SIGNED MESSAGE-----
> > > > > Hash: SHA1
> > > > >
> > > > > Mike,
> > > > >
> > > > > The first thing I'd do is to put
> > > > >
> > > > > printArray($data);
> > > > >
> > > > > right after
> > > > >
> > > > > $data = ldap_get_entries($ds, $search);
> > > > >
> > > > > then go to User Lookup and look up a user that should have some group memberships with the force checkbox selected. That will show you exactly what is being returned by the ldap query.
> > > > >
> > > > > One guess related to things I've seen is that the "CN" is being returned in lower case. You can add "i" to the end of the regular expression to ignore case:
> > > > >
> > > > > if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/i',
> > > > >
> > > > > If you want to join #asfvcl on freenode, I can help over IM.
> > > > >
> > > > > Josh
> > > > >
> > > > > On Wednesday, February 19, 2014 7:50:27 PM Mike Haudenschild wrote:
> > > > > > This particular LDAP installation maintains group membership info in a field called "pdsrole." The groups exist as CNs in the OU "accessgroups."
> > > > > >
> > > > > > I'm trying to get VCL to provision the groups as per the docs (http://vcl.apache.org/docs/ldapauth.html#mirroring-ldap-user-groups) but haven't had any luck. I've been staring at this for a while and I'm sure I'm missing something obvious at this point. Any help would be appreciated.
> > > > > >
> > > > > > I don't know if this matters in the context of finding groups, but I had to enable "lookupuserbeforeauth" in conf.php to get LDAP logins working. (The "o=institution.edu,o=cp" is strange but actually is correct.)
> > > > > >
> > > > > > The function from authmethods:
> > > > > >
> > > > > > function updatewcldapGroups($user) {
> > > > > >     global $authMechs;
> > > > > >     $auth = $authMechs['wcldap'];
> > > > > >     $ds = ldap_connect("ldap://{$auth['server']}/");
> > > > > >     if(! $ds)
> > > > > >         return 0;
> > > > > >     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
> > > > > >     ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
> > > > > >     $res = ldap_bind($ds, $auth['masterlogin'], $auth['masterpwd']);
> > > > > >     if(! $res)
> > > > > >         return 0;
> > > > > >     $search = ldap_search($ds,
> > > > > >                           $auth['binddn'],
> > > > > >                           "{$auth['unityid']}={$user['unityid']}",
> > > > > >                           array('pdsrole'), 0, 10, 15);
> > > > > >     if(! $search)
> > > > > >         return 0;
> > > > > >     $data = ldap_get_entries($ds, $search);
> > > > > >     $newusergroups = array();
> > > > > >     if(! array_key_exists('pdsrole', $data[0]))
> > > > > >         return;
> > > > > >     for($i = 0; $i < $data[0]['pdsrole']['count']; $i++) {
> > > > > >         if(preg_match('/^CN=(.+),ou=accessgroups,o=institution.edu,o=cp/',
> > > > > >                       $data[0]['pdsrole'][$i], $match))
> > > > > >             array_push($newusergroups,
> > > > > >                        getUserGroupID($match[1], $user['affiliationid']));
> > > > > >     }
> > > > > >     $newusergroups = array_unique($newusergroups);
> > > > > >     updateGroups($newusergroups, $user["id"]);
> > > > > > }
> > > > > > ?>
> > > > > >
> > > > > > Thanks very much,
> > > > > > Mike
> > > > >
> > > > > - --
> > > > > - -------------------------------
> > > > > Josh Thompson
> > > > > VCL Developer
> > > > > North Carolina State University
> > > > >
> > > > > my GPG/PGP key can be found at pgp.mit.edu
> > > > >
> > > > > All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
> > > > > -----BEGIN PGP SIGNATURE-----
> > > > > Version: GnuPG v2.0.22 (GNU/Linux)
> > > > >
> > > > > iEYEARECAAYFAlMGC3EACgkQV/LQcNdtPQMcYQCeIEKrOXtg01rr+EhhrL2Amovh
> > > > > K7gAn1EVWJL4SY6SH5Zku7NLEw0nJmQV
> > > > > =Bm+r
> > > > > -----END PGP SIGNATURE-----
> > >
> > > -----BEGIN PGP SIGNATURE-----
> > > Version: GnuPG v2.0.22 (GNU/Linux)
> > >
> > > iEYEARECAAYFAlMOKBUACgkQV/LQcNdtPQM5KACeMiwmih5KhOdE+T23DjZHp5FJ
> > > PWMAmgO69qC640lFM99FhmHnyAHCxZLx
> > > =2cld
> > > -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlMOUqwACgkQV/LQcNdtPQP30wCfazPP8frvHGnkp4QXPmyLPDqe
CwwAn2IUo/GJRM3ePx9wbw60TjKr8bE7
=UYp1
-----END PGP SIGNATURE-----
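The thread resolves two things: the 'pdsrole' values come back as bare strings ('admin', 'employee', 'staff') rather than full DNs, so an anchored alternation regex is the right match, and a second attribute (the student's major) would be handled by "duplicating the function". The following PHP is an added example, not VCL project code and not code from either participant, showing one function that serves both attributes from an explicit allowlist of anchored regexes, so that a directory value that matches no rule can never place a user in a group. The attribute name 'pdsmajor', the function names ldapEntryToGroups() and userSearchFilter(), and the sample entry are assumptions; getUserGroupID() and updateGroups() are the VCL helpers named in the posted function and are deliberately not called so the example runs stand-alone. It also shows building the user-lookup filter with ldap_escape() (PHP 5.6 and later) instead of interpolating the login name directly into the filter string as the posted function does.

```php
<?php
// Added example (not VCL project code). Maps LDAP attribute values to VCL
// group names from an allowlist of anchored regexes, so the same code
// serves 'pdsrole' and a second attribute without duplicating the function.
// 'pdsmajor', ldapEntryToGroups() and userSearchFilter() are hypothetical
// names chosen for this example.

/**
 * Return the group names to assign, given an ldap_get_entries() result.
 *
 * $rules maps an attribute name to a list of regexes. Each regex should be
 * anchored (^...$) and contain exactly one capture group; the captured text
 * becomes the VCL group name. A value that matches no rule is ignored, so
 * the directory cannot inject an arbitrary group name.
 */
function ldapEntryToGroups(array $data, array $rules) {
    $groups = array();
    if(!isset($data['count']) || $data['count'] < 1)
        return $groups;
    $entry = $data[0];
    foreach($rules as $attr => $patterns) {
        // ldap_get_entries() returns attribute names in lower case
        $attr = strtolower($attr);
        if(!array_key_exists($attr, $entry))
            continue;
        for($i = 0; $i < $entry[$attr]['count']; $i++) {
            $value = $entry[$attr][$i];
            foreach($patterns as $pattern) {
                if(preg_match($pattern, $value, $match)) {
                    $groups[] = $match[1];
                    break; // first matching rule wins for this value
                }
            }
        }
    }
    // array_unique() keeps the first of each duplicate; reindex for callers
    return array_values(array_unique($groups));
}

/**
 * Build the "<attr>=<login>" search filter with ldap_escape() so that a
 * login containing '*', '(', ')' or '\' cannot change the filter's meaning.
 */
function userSearchFilter($attr, $unityid) {
    return $attr . '=' . ldap_escape($unityid, '', LDAP_ESCAPE_FILTER);
}

// Constructed sample shaped like the printArray() output in the thread,
// extended with the hypothetical 'pdsmajor' attribute in full-DN form.
$sample = array(
    'count' => 1,
    0 => array(
        'pdsrole'  => array('count' => 3, 0 => 'admin', 1 => 'employee', 2 => 'staff'),
        0 => 'pdsrole',
        'pdsmajor' => array('count' => 1, 0 => 'cn=physics,ou=majors,o=institution.edu,o=cp'),
        1 => 'pdsmajor',
        'count' => 2,
        'dn' => 'uid=290933460177932,ou=People,o=institution.edu,o=cp',
    ),
);

$rules = array(
    // bare values, exactly as pdsrole returns them
    'pdsrole'  => array('/^(admin|employee|staff)$/'),
    // full-DN form; the /i flag covers servers that return "cn=" in lower case
    'pdsmajor' => array('/^CN=([^,]+),ou=majors,o=institution\.edu,o=cp$/i'),
);

$names = ldapEntryToGroups($sample, $rules);
print_r($names);
echo userSearchFilter('uid', 'jdoe)(uid=*') . "\n";

// In the real updatewcldapGroups() the names would then be mapped with
// getUserGroupID($name, $user['affiliationid']) and passed to updateGroups(),
// exactly as the posted function does for its single attribute.
```

Because each rule is anchored at both ends, a value such as 'administrator' does not match the 'admin' rule, and the DN rule only accepts entries directly under the expected OU; loosening either anchor is what lets an unrelated directory entry grant VCL group membership.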
