Hi Luckmore,

I'm assuming you've already set up the things mentioned under "Mirroring LDAP User Groups" here:

https://vcl.apache.org/docs/ldapauth.html

Do you have the user in vclusers directly, or is the user in a group that is nested under vclusers? A normal ldap lookup of a user in AD does not return nested group memberships. When using the generic.php script, do you see that the user is a member of vclusers? Look for the memberof attribute.

Another thing to check would be the regular expression in your update***Groups function. I've found using an online regular expression tester like https://regex101.com/ can be really helpful for testing regular expressions.

Josh

On Tuesday, September 29, 2020 6:17:16 AM EDT L Chirongo wrote:
> Hi Josh,
>
> Would you have an update on my last request? I'm trying to do a mirrored group which I can use to reserve VMs.
>
> User lookup returns results but the group part is empty.
>
> Regards,
> Luckmore Chirongo
>
> On Thu, 24 Sep 2020, 18:26 L Chirongo, <[email protected]> wrote:
> > Thank you Josh for the assistance.
> >
> > I am now able to authenticate using Windows AD.
> >
> > The last item I would like guidance on is the User Groups, so I can assign images. I have done a user lookup while logged in as local Admin, as well as log in with the relevant AD user successfully. However, the AD group does not show up in VCL user groups. The AD user is already assigned to the vclusers group in AD.
> >
> > At this time, I plan to use one group (*vclusers*) for everyone and gradually separate them.
> >
> > Please assist on this.
> >
> > Regards,
> > Luckmore Chirongo
> >
> > On Wed, Sep 23, 2020 at 9:46 PM Josh Thompson <[email protected]> wrote:
> >> Hi Luckmore,
> >>
> >> After tracing through the code a bit, it looks like your authentication must work correctly, and then the problem is encountered after it redirects you back to the site after setting an authentication cookie. It looks like the user set in the authentication cookie must be "[email protected]". However, the code is expecting the part after the '@' to be a VCL affiliation name, rather than a domain name. I'm not sure if it is documented anywhere or not, but affiliation names cannot contain '.' characters. Is the affiliation.name in your database set to 'domain.ac.bw' for id 6? If so, try changing it to something without any '.' characters in it.
> >>
> >> Let us know if that fixes the problem.
> >>
> >> Josh
> >>
> >> On Tuesday, September 22, 2020 12:50:13 PM EDT L Chirongo wrote:
> >> > Hi Josh,
> >> >
> >> > I enabled logging and below is the part from /var/log/messages when I was attempting to do the domain login in VCL:
> >> >
> >> > Sep 22 17:43:09 mgt systemd-logind: New session 4 of user root.
> >> > Sep 22 17:43:10 mgt dbus[764]: [system] Activating service name='org.freedesktop.problems' (using servicehelper)
> >> > Sep 22 17:43:10 mgt dbus[764]: [system] Successfully activated service 'org.freedesktop.problems'
> >> > Sep 22 17:45:24 mgt httpd: ERROR(1): Failed to get user info from database. userid was [email protected]#012Mode was main#012#012#012Backtrace:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012#012Backtrace with Arguments:#012=-=-=-=-=-=-=-=-=-=-=-=#012Call#:1 => index.php:initGlobals() (line#:60)#012Arguments(none):#012-----------------------
> >> > Sep 22 17:47:25 mgt httpd: PHP Fatal error: Call to undefined function getFooter() in /var/www/html/vcl-2.5.1/.ht-inc/utils.php on line 14234
> >> >
> >> > I noticed *generic.php* successfully binds and the user variable contains only the userid with no suffix. Is there a way to remove the domain suffix from the userid being sent in VCL?
> >> >
> >> > I tried to remove the suffix by changing conf.php to read *userid => "%s",* but the suffix is still being sent as seen in /var/log/messages
> >> >
> >> > Regards,
> >> > Luckmore Chirongo
> >> >
> >> > On Tue, Sep 22, 2020 at 3:45 PM L Chirongo <[email protected]> wrote:
> >> > > Hi Josh,
> >> > >
> >> > > Thanks for your response.
> >> > >
> >> > > Yes, I have an affiliation with ID 6 in the affiliation table. I will go ahead and enable the logging as you advised.
> >> > >
> >> > > Regards,
> >> > > Luckmore Chirongo
> >> > >
> >> > > On Tue, 22 Sep 2020, 15:06 Josh Thompson, <[email protected]> wrote:
> >> > >> Hi Luckmore,
> >> > >>
> >> > >> Welcome to the VCL community! Thanks for your interest in using VCL.
> >> > >>
> >> > >> It sounds like your LDAP configuration is mostly correct. You have affiliationid set to 6 for your "BU LDAP" entry. Do you have an entry in your affiliation table with an id of 6? I'd recommend enabling php error logging so that you can see what error is being hit a little more clearly. I'd recommend modifying /etc/php.ini and configuring it to log to syslog. You'll also need to ensure log_errors is set to On.
> >> > >>
> >> > >> log_errors = On
> >> > >> error_log = syslog
> >> > >>
> >> > >> You can also configure it to log to a file, but getting the permissions correct for that to work can be tricky. The file has to be owned by the same user that httpd runs as.
> >> > >>
> >> > >> After modifying php.ini, you'll need to restart httpd. Once you have logging enabled, try logging in with LDAP again and see if you see more information about the error in /var/log/messages.
> >> > >>
> >> > >> Let us know how it goes.
> >> > >>
> >> > >> Josh
> >> > >>
> >> > >> On Monday, September 21, 2020 4:47:23 PM EDT L Chirongo wrote:
> >> > >> > Hello,
> >> > >> >
> >> > >> > I have set up LDAPS on my Active directory to authenticate VCL using a self-signed wildcard certificate. Running *generic.php* is successful, giving a *Binding successful* message.
> >> > >> >
> >> > >> > Also, running *openssl s_client -showcerts -CAfile /etc/pki/tls/certs/ca-bundle.crt -connect ad1.domain.ac.bw:636* gives a *"Verify return code: 0 (ok)"* message.
> >> > >> >
> >> > >> > However when I try to authenticate using LDAP in VCL I get Error: An error has occurred. If this problem persists, please email...
> >> > >> >
> >> > >> > Attached are configured parts of my generic.php, conf.php and ldapauth.php files.
> >> > >> >
> >> > >> > Thanks in advance for assistance.
> >> > >> >
> >> > >> > Regards,
> >> > >> > Luckmore Chirongo
> >> > >>
> >> > >> --
> >> > >> -------------------------------
> >> > >> Josh Thompson
> >> > >> Systems Programmer
> >> > >> Virtual Computing Lab (VCL)
> >> > >> North Carolina State University
> >> > >>
> >> > >> [email protected]
> >> > >> 919-515-5323
> >> > >>
> >> > >> my GPG/PGP key can be found on pool.sks-keyservers.net
> >> > >>
> >> > >> All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
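The two checks suggested at the top of this thread (does the user's memberof attribute show vclusers directly, and does the group-name regular expression actually match the DNs AD returns), worked through as an added Python example that is not part of the thread or of the VCL code. The memberOf values, the group-to-parents map and the regular expression are all constructed assumptions; the example also goes one step further than the thread and walks each group's own memberOf to find nested membership, which a single user lookup does not reveal.

```python
import re

# Constructed sample: the memberOf values an AD lookup of the user returns.
# Only direct groups appear; vclusers is reached only through vcl-students.
USER_MEMBEROF = [
    "CN=vcl-students,OU=Groups,DC=domain,DC=ac,DC=bw",
    "CN=Domain Users,CN=Users,DC=domain,DC=ac,DC=bw",
]

# Constructed sample: each group's own memberOf (its parent groups), keyed by
# group DN, as separate lookups of the group objects would return it.
GROUP_MEMBEROF = {
    "CN=vcl-students,OU=Groups,DC=domain,DC=ac,DC=bw": [
        "CN=vclusers,OU=Groups,DC=domain,DC=ac,DC=bw",
    ],
    "CN=vclusers,OU=Groups,DC=domain,DC=ac,DC=bw": [],
}

# Assumed pattern for pulling the group name out of a DN; a VCL install uses
# whatever its own update*Groups function defines, so test that one instead.
GROUP_CN_RE = re.compile(r"^CN=([^,]+),", re.IGNORECASE)

def direct_groups(dns):
    """Group CNs (lower-cased) the regex extracts from a list of memberOf DNs.
    Applied to a user's memberOf, this is all a single user lookup shows."""
    names = set()
    for dn in dns:
        m = GROUP_CN_RE.match(dn)
        if m:
            names.add(m.group(1).lower())
    return names

def effective_groups(user_memberof, group_memberof):
    """Expand nested membership by following each group's own memberOf."""
    seen, stack = set(), list(user_memberof)
    while stack:  # depth-first walk; `seen` guards against group cycles
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        stack.extend(group_memberof.get(dn, []))
    return direct_groups(seen)

def is_member(user_memberof, group, group_memberof=None):
    """True if `group` is among the user's direct groups, or among nested
    groups too when a group-to-parents map is supplied."""
    groups = (direct_groups(user_memberof) if group_memberof is None
              else effective_groups(user_memberof, group_memberof))
    return group.lower() in groups
```

With only the user's own memberOf, `is_member(USER_MEMBEROF, "vclusers")` is False even though the user is in vclusers through vcl-students; supplying the group map makes it True.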
