Hi
I am trying to get the groups in which a user is a member from an LDAP server.
We use OpenLDAP with GOSA; probably the different schema is the cause of the problem.
extensions/LDAPProvider/maintenance/ShowUserGroups.php can't read the groups.
First of all, the search attribute is memberUid, not uid, but after setting "searchattribute" => "memberUid", ShowUserInfo.php stops working, and I am not aware how to use different attributes for searching users and groups.
"searchattribute" => "memberUid" also doesn't resolve the problem with the groups.
Here is part of my LocalSettings.php
<code>
wfLoadExtension( 'PluggableAuth' );
wfLoadExtension( 'LDAPProvider' );
wfLoadExtension( 'LDAPAuthentication2' );
wfLoadExtension( 'LDAPAuthorization' );
wfLoadExtension( 'LDAPUserInfo' );
wfLoadExtension( 'LDAPGroups' );
$LDAPProviderDomainConfigProvider = function() {
    $config = [
        "example.bg" => [
            "connection" => [
                "server" => "ldap.example.bg",
                "port" => "389",
                "enctype" => "clear",
                "user" => "cn=admin,dc=example,dc=bg",
                "pass" => "****",
                "options" => [
                    // "LDAP_OPT_DEREF" => 1,
                    "LDAP_DEREF_ALWAYS" => 1
                ],
                "basedn" => "dc=example,dc=bg",
                "userbasedn" => "dc=example,dc=bg",
                "searchattribute" => "memberUid",
                "emailattribute" => "mail",
                "groupobjectclass" => "posixGroup",
                "groupattribute" => "",
                "groupbasedn" => "dc=example,dc=bg",
                //"grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\GroupMember::factory"
                "grouprequest" => "MediaWiki\\Extension\\LDAPProvider\\UserGroupsRequest\\Configurable::factory",
            ],
            "authorization" => [
                [
                    "rules" => [
                        "groups" => [
                        ]
                    ]
                ],
                "groupsync" => [
                    "mechanism" => "allgroups",
                    "locally-managed" => [ "local", "wiki", "group", "names" ]
                ]
            ],
            "userinfo" => [
            ]
        ]
    ];
    return new \MediaWiki\Extension\LDAPProvider\DomainConfigProvider\InlinePHPArray( $config );
};
</code>
This does not work, and in the log file I see:
<code>
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 ACCEPT from IP=100.100.10.1:48104 (IP=0.0.0.0:389)
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 RESULT tag=97 err=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(memberUid=bozhotest)"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH attr=* memberof
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH attr=dn
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (cn) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=3 UNBIND
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 fd=44 closed
</code>
With ldapsearch:
<code>
ldapsearch -x -a always -b "dc=example,dc=bg" "(memberUid=bozhotest)"
</code>
returns the groups and the record in the log file is:
<code>
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 fd=268 ACCEPT from IP=127.0.0.1:59392 (IP=0.0.0.0:389)
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" method=128
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=0 RESULT tag=97 err=0 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=3 filter="(memberUid=bozhotest)"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SRCH attr=cn sn uid postalAddress telephoneNumber
Jun 11 12:12:07 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH attr=* +
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH base="cn=calgroup_zastrahovateli,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=3 SRCH attr=* +
etc.
</code>
The main differences between the two logs, as far as I can see, are:
<code>
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"
</code>
and
<code>
Jun 11 12:12:07 gosa slapd[12258]: conn=354613 op=2 SRCH base="cn=calgroup_example,ou=groups,dc=example,dc=bg" scope=0 deref=0 filter="(&(objectClass=*))"
</code>
Also probably this:
<code>
SRCH attr=* memberof
</code>
and
<code>
SRCH attr=* +
</code>
Which parameters do I have to change to get both searches to work?
Thank you in advance
Bozho
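
Added example, not part of the original post and not LDAPProvider code: a small Python parser that merges the slapd lines of each operation and flags two things visible in the first log above, a simple bind with ssf=0 (no TLS or SASL security layer, so the password is sent in clear) and a search that returned nothing because a full DN was used as the value of a naming attribute. The function names, the finding labels and the attribute list cn/uid/ou are assumptions made for this illustration; the sample lines are taken from the post.

```python
import re

# Sample input: slapd lines from the post's first log (conn=357601).
SAMPLE = """\
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=0 BIND dn="cn=admin,dc=example,dc=bg" mech=SIMPLE ssf=0
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(memberUid=bozhotest)"
Jun 11 16:24:10 gosa slapd[12258]: <= bdb_equality_candidates: (memberUid) not indexed
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=1 SEARCH RESULT tag=101 err=0 nentries=5 text=
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SRCH base="dc=example,dc=bg" scope=2 deref=0 filter="(&(objectClass=*)(cn=cn=calgroup_example,ou=groups,dc=example,dc=bg))"
Jun 11 16:24:10 gosa slapd[12258]: conn=357601 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

# key=value pairs; a value is either a quoted string or a run of non-blanks.
KV = re.compile(r'(\w+)=("[^"]*"|\S*)')
# Heuristic (assumption): a naming attribute whose assertion value is itself a DN.
DN_VALUE = re.compile(r'\((cn|uid|ou)=(\w+=[^()]*,[^()]*)\)', re.I)


def parse_ops(log_text):
    """Merge every slapd line of one operation into a dict keyed by (conn, op)."""
    ops = {}
    for line in log_text.splitlines():
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if "conn" in kv and "op" in kv:  # skips lines such as "<= bdb_equality_candidates"
            ops.setdefault((int(kv["conn"]), int(kv["op"])), {}).update(kv)
    return ops


def findings(ops):
    """Return (conn, op, label, detail) tuples for the two conditions described above."""
    out = []
    for (conn, op), f in sorted(ops.items()):
        # ssf=0 on a SIMPLE bind: bind DN and password crossed the wire unprotected.
        if f.get("mech") == "SIMPLE" and f.get("ssf") == "0":
            out.append((conn, op, "simple-bind-ssf0", f["dn"]))
        # A DN passed as the value of cn/uid/ou, and the search matched nothing.
        m = DN_VALUE.search(f.get("filter", ""))
        if m and f.get("nentries") == "0":
            out.append((conn, op, "dn-in-name-filter", m.group(2)))
    return out


if __name__ == "__main__":
    for finding in findings(parse_ops(SAMPLE)):
        print(finding)
```
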