Welcome to OCS Inventory NG community support, where you can ask questions and receive answers from other members of the community.

Please ask questions only in English or French.

Release 2.11.1 available

The official documentation can be found on http://wiki.ocsinventory-ng.org. Read it before asking your question.

OCS 2.2RC1 LDAP MemberOf attrubute

Hi, I had successfully configured LDAP authentication for 2.2 RC2. LDAP authenticates users but it seems to ommit the memberof attribute in config. To be able to enable ldap login i had to apply a little patch:

modify backend/identity/methode/ldap.php lines :

$f1_value=$_SESSION['OCS']['details'][$f1_name];
$f2_value=$_SESSION['OCS']['details'][$f2_name];
to:
$f1_value=$config['LDAP_CHECK_FIELD1_VALUE'];
$f2_value=$config['LDAP_CHECK_FIELD2_VALUE'];

With above all AD users are able to login but all of them are given sadmin role. Looks like memberOf attribute is not checked.

My LDAP config is:

CONEX_LDAP_SERVEUR:IP of domain controller (MS AD 2008r2)
CONEX_ROOT_DN: DN of user who is used to query AD
CONEX_ROOT_PW: pass for above
CONEX_LDAP_PORT: 389
CONEX_DN_BASE_LDAP: OU=it,OU=OurUsers,DC=domain,DC=name
CONEX_LOGIN_FIELD: SAMAccountName
CONEX_LDAP_PROTOCOL_VERSION: 3
CONEX_LDAP_CHECK_FIELD1_NAME: memberOf
CONEX_LDAP_CHECK_FIELD1_VALUE: CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name
CONEX_LDAP_CHECK_FIELD1_ROLE: Super Administrators

FIELD 2 and rest are unconfigured.

Above config works perfectly on version 2.1.2 of OCS server. 

EDIT:

I think I have found a possible bug in ldap:

when I have uncommented debug in in /usr/share/ocsinventory-reports/ocsreports/backend/identity/methode/ldap.php it appeared:

field1: memberOf value=CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name condition: CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name role=sadmin level=
field2: value= condition: role=admin level=
user: jan.kos will have level= and role=sadmin

Above user doesn't belong to ldap group: grp.ocs.admin. Seems to me, that

condition is copied to value somewhere. Am I right?

in OCS Inventory NG server for Unix by (190 points)
edited by

1 Answer

+1 vote

Ok, I have managed to fix is for my pourpose by editing:

/usr/share/ocsinventory-reports/ocsreports/backend/AUTH/methode/ldap.php:

Added:

$gr_output = $info[0]['memberof'];
array_shift($gr_output);
//save user groups in session as separate data as well.
$_SESSION['OCS']['details']['groups']=$gr_output;

/usr/share/ocsinventory-reports/ocsreports/backend/identity/methode/ldap.php:

Changed whole section of LDAP casing to:

$usr_gr=$_SESSION['OCS']['details']['groups'];
/*uncomment for debug
        echo ("<pre>");
        echo ("session information:<br>");
        echo ("f1_name: ".$f1_name."<br>");
        echo ("f1_value: ".$f1_value."<br>");
        echo ("f2_name: ".$f2_name."<br>");
        echo ("f2_value: ".$f2_value."<br>");
        echo ("f2_value2: ".$f2_value2."<br>");
        echo ("</pre>");
        echo ("<pre>GROUPS:<br>");
        print_r($usr_gr);
        echo ("</pre>");
        echo ("default Role: ".$defaultRole."</br>");
        */
        
    //echo("USER is a member of the following groups: <pre>");
    //print_r($usr_gr);
    //echo("</pre>");
if ($f1_value != '')
{
    //NEW CODE BELOW
    //FIXME: casing? -> 'memberOf'
    if ($f1_name == "memberOf")
    {
        //uncomment for debug
        //echo("<b>Field 1 is set TO</b> LDAP attribute <b>".$f1_value."</b><br>");
        // search through ldap user groups

        if (in_array($f1_value, $usr_gr))
        {
        //uncomment for debug
        //echo ("user :<b>".$_SESSION['OCS']["loggeduser"]." is a member</b> of group: <b>".$f1_value."</b><br>");
        //echo ("and will be granted role: <b>".$config['LDAP_CHECK_FIELD1_ROLE']."</b><br>");
        $defaultRole=$config['LDAP_CHECK_FIELD1_ROLE'];
        
    } /*else {
        
        echo ("user :".$_SESSION['OCS']["loggeduser"]." is  NOT a member of group: ".$f1_value."<br>");
        echo ("so user will be granted standard user role:<br>");
        //echo ("LDAP_CHECK_FIELD1_VALUE: ".$config['LDAP_CHECK_FIELD1_VALUE']."<br>");
        //echo ("f1_value: ".$f1_value."<br>");
        $defaultRole=$config['LDAP_CHECK_FIELD1_ROLE'];
        
        //if ($f1_value == $config['LDAP_CHECK_FIELD1_VALUE']) {
        //$defaultRole=$config['LDAP_CHECK_FIELD1_ROLE'];
        echo("now, default role is:  ".$defaultRole."<br>");
        //}
        
        
         }*/
    } else {
        if ($f1_value2 == $config['LDAP_CHECK_FIELD1_VALUE']) {
        $defaultRole=$config['LDAP_CHECK_FIELD1_ROLE'];
        //uncomment for debug
        //echo ("<b>Field 1 is NOT set</b> to LDAP attribute <b>memberof</b><br>");
        //echo("<b>Now, default role is:  ".$defaultRole."</b><br>");
        }
    }
        /*
    //the idea here is to iterate through the groups array looking for a match
    //if we find it, unset the array and store only the match, else leave as it is
    foreach($f1_value as $group){        
        if ($group == $config['LDAP_CHECK_FIELD1_VALUE'])
        {
        $f1_value=array();
        $f1_value=$group;

        }
    }
    */
}
    //the if below is now redundant since we already know that we have a match
    //the coding can be improved, but the logic works.
    //END NEW
if ($f2_value != '')
{    //IF below secures higher privileges from granted by field 1 to be overwritten by field2
    if ($defaultRole !="sadmin" ) {
        
    //NEW CODE BELOW
   if ($f2_name == "memberOf")
    {
        //uncomment for debug
        //echo("<b>Field 2 is set TO</b> LDAP attribute <b>".$f2_value."</b><br>");
        // search through ldap user groups
        if (in_array($f2_value, $usr_gr))
        {
        //uncomment for debug
        //echo ("user :".$_SESSION['OCS']["loggeduser"]." is a member of group: ".$f2_value."<br>");
        //echo ("and will be granted role: ".$config['LDAP_CHECK_FIELD2_ROLE']."<br>");
        $defaultRole=$config['LDAP_CHECK_FIELD2_ROLE'];
        }
    } else {
        if ($f2_value2 == $config['LDAP_CHECK_FIELD2_VALUE']) {
        $defaultRole=$config['LDAP_CHECK_FIELD2_ROLE'];
        //uncomment for debug
        //echo ("Field 2 is <b>NOT</b> set to LDAP attribute <b>memberof</b><br>");
        //echo ("Field 2 Value of: <b>".$f2_value2." </b>will be taken into account.<br>");
        //echo("<b>Now, default role is:  ".$defaultRole."</b><br>");
        }
        
    }
}

Sources attached at:

http://miloszengel.com/downloads/ocsng/ocsng-ldap2.2-fixed.zip

by (190 points)
It works! Thank you! :)
 
Powered by Question2Answer
...