[Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)

Ron Mitchell ronm at mitchellmedia.co.uk
Tue May 7 19:56:49 BST 2013


Hi Lee

many thanks for sharing this and sorry that it caused you a headache finding
the solution. There have been various postings here and on the developer
list over time about LDAP and other solutions people found or coded but the
archives aren't the easiest to search or more importantly find what you need
and we're hoping the new community site and the forums therein will help
with that.

But I felt compelled to reply to your message to say what a great and
welcoming contrast it is to see someone from an IT team proactively working
hard to resolve such issues and presumably establish an institutional
install for the benefit of teaching and learning. Then without any prompting
sharing the results of that work back with this community.

IT teams get a hard time and bad press a lot of the time from their non-IT
colleagues and sometimes that's deserved and sometimes not. I responded to
someone earlier today who had been given all sorts of reasons by their IT
team why XOT couldn't be installed at that organisation most of which were
complete nonsense. So thank you for restoring the balance and for sharing
the results. More importantly good luck with the roll out of what is a
fantastic application and should reward your efforts in due course even if
your efforts aren't directly acknowledged.

You'll find lots of support here regarding future updates and new
functionality so please stay subscribed and post any questions/issues if and
when they occur.

Cheers

Ron

From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Brophy, Lee
Sent: 07 May 2013 18:50
To: xerte at lists.nottingham.ac.uk
Subject: [Xerte] Xerte LDAP behaviour (Mis-behaviour!)

Hello all,

Apologies if this has been brought up before (I certainly couldn't find it in
the archives), but I thought it may be useful to share a simple solution I
have come across for those using LDAP authentication in Xerte, specifically
V2.0 in my case but applicable for other versions I suspect. For those who
want to skip to the solution (in red below), this fix will allow you to
authenticate with AD by specifying the root DN as opposed to a specific OU.

We are running Xerte 2.0 under XAMPP in Windows 2008 and I have spent days
trying to resolve the issue of authenticating against multiple OUs within
AD. Setting up authentication for a single OU worked a treat from the off;
however, adding a second "base_dn" to search just would not behave as I
thought it should, as any users contained within the secondary OU simply
couldn't log in (it failed at the last stage with the error "Issue connecting
to ldap server (#4) : No entries found").

I tried various configurations and edited the database manually, which got
me a little further than using the $$$ delimiters in the management
interface. I also tried a little code hacking to output the parameters being
pulled from the database by the PHP code and all seemed fine, but still no
joy, so I took the plunge and decided to read the LDAP section of the PHP
manual!

Within about 10 minutes of searching through the PHP manual I came across
the following page:

http://php.net/manual/en/function.ldap-search.php   

If you search the above page for "ldap referrals" you should find a post
relating to these LDAP referrals, which are what prevent successful AD
searches from the root DN of the domain; you will also find the code to turn
them off.

HERE'S THE SOLUTION! 

For me personally the fix was as follows:

Set up LDAP through the Xerte management page (should be pretty
straightforward) or edit the ldap table in phpMyAdmin by following the
"ldap" document in "%installdir%\xertetoolkits_2.0\documentation\".

For "base_dn" specify your AD root DN, e.g. "DN=MyDomain,DN=com".

Next you need to edit the "Ldap.php" file contained within
"%installdir%\xertetoolkits_2.0\library\Xerte\Authentication\" and add the
following line:

    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

I have added it near to the top of the file, but within the PHP tags, so
mine looks like this:

    <?php

    /**
     * For this to work, you'll need to have at least one entry in the XOT 'ldap'
     * table. Example values (which work for me) are below :
     *
     * ldap_host = localhost
     * ldap_port = 389
     * ldap_username = cn=admin,dc=blah,dc=com
     * ldap_password = <plain text password which you can connect to ldap with>
     * ldap_basedn = ou=xot,dc=blah,dc=com  -- this is where in the LDAP tree
     *                your XOT stuff lives.
     * ldap_filter = cn    - field we try to do a match for the end user's
     *                username on.
     * ldap_filter_attr = uid
     *
     */

    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

etc.

Other than this the file stays the same. I am now able to authenticate using
LDAP for a user regardless of their account location in AD, and there is no
need for multiple entries in the LDAP table.

Hopefully this will be of use to somebody, I know it has caused me somewhat
of a headache! 

Apologies for the essay!

Regards
Lee

Lee Brophy

Network Technician

Myerscough College

Bilsborrow, Preston, Lancashire, PR3 0RY

Tel: 01995 642134 Fax: 01995 642333

Web: www.myerscough.ac.uk

Please consider the environment before printing this e-mail

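Added example, not part of either message above and not Xerte's own Ldap.php: the complete bind, search and re-bind sequence that the referral fix makes possible once the base DN is the domain root, written in plain PHP (7.1 or later with the ldap extension). The host, DNs, account names and the sAMAccountName attribute are placeholders I have assumed; in a real Xerte install the ldap_filter setting decides which attribute is matched. Two things a practitioner would want alongside the fix: the domain components of an AD root DN are written with dc=, so the base DN takes the form dc=MyDomain,dc=com, and since the ldap table stores the service account password in plain text the connection should go over ldaps:// (or ldap_start_tls()) so that neither that password nor the end user's travels in the clear. AD answers a search scoped at the domain root with referrals to its other naming contexts; a client that tries to chase them fails the search, which is what LDAP_OPT_REFERRALS = 0 prevents.

```php
<?php
// Added example (not Xerte project code). All hostnames, DNs and credentials
// are assumed placeholders; substitute your own directory's values.

/**
 * Authenticate an end user against Active Directory by (1) binding with a
 * service account, (2) searching from the domain root for the user's entry
 * with referral chasing turned off, and (3) re-binding as the user's own DN
 * to verify the password. Returns the user's DN and mail on success, null
 * otherwise.
 */
function ad_authenticate(
    string $host,          // assumed, e.g. 'ldaps://dc1.example.com'
    string $service_dn,    // assumed service account allowed to search
    string $service_pw,
    string $base_dn,       // domain root, e.g. 'dc=example,dc=com'
    string $username,      // value typed by the end user
    string $password,
    string $attr = 'sAMAccountName' // assumed; Xerte uses its ldap_filter value
): ?array {
    $ldap = ldap_connect($host);
    if ($ldap === false) {
        return null;
    }

    // AD requires LDAPv3. LDAP_OPT_REFERRALS = 0 stops the client following
    // the referrals AD returns for a root-DN search; with the default (1)
    // the search fails instead of returning the matching entry.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind with the service account, never with the user's raw input.
    if (!@ldap_bind($ldap, $service_dn, $service_pw)) {
        ldap_unbind($ldap);
        return null;
    }

    // Step 2: escape the username before it goes into the filter so that
    // '*', '(', ')' and '\' typed by the user cannot change the query.
    $filter = sprintf(
        '(&(objectClass=user)(%s=%s))',
        $attr,
        ldap_escape($username, '', LDAP_ESCAPE_FILTER)
    );
    $result = @ldap_search($ldap, $base_dn, $filter, ['dn', $attr, 'mail']);
    if ($result === false) {
        ldap_unbind($ldap);
        return null;
    }
    $entries = ldap_get_entries($ldap, $result);
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($ldap);
        return null; // not found, or more than one match (ambiguous)
    }
    $user_dn = $entries[0]['dn'];

    // Step 3: verify the password by binding as the user's own DN. Reject an
    // empty password explicitly: an unauthenticated (empty-password) bind is
    // treated as anonymous by many servers and would otherwise "succeed".
    $ok = $password !== '' && @ldap_bind($ldap, $user_dn, $password);
    ldap_unbind($ldap);

    return $ok
        ? ['dn' => $user_dn, 'mail' => $entries[0]['mail'][0] ?? null]
        : null;
}

// Usage (placeholders):
// $user = ad_authenticate('ldaps://dc1.example.com',
//                         'cn=xot-svc,ou=Service Accounts,dc=example,dc=com',
//                         getenv('XOT_LDAP_PW') ?: '',
//                         'dc=example,dc=com', $_POST['username'] ?? '',
//                         $_POST['password'] ?? '');
```

The option is set on the connection handle after ldap_connect() and before any bind or search. PHP also accepts null as the handle, in which case the option becomes the library-wide default for connections opened afterwards; that is the effect of a line placed at the top of the file before $ldap has been assigned, which is why the placement described above works, but setting it on the handle keeps the intent explicit.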