[Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)

Alistair McNaught Alistair.McNaught at HEAcademy.ac.uk
Tue May 7 20:07:05 BST 2013


Seconded - welcome to the community Lee!

Alistair

From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 07 May 2013 19:57
To: 'Xerte discussion list'
Subject: [Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)

Hi Lee
many thanks for sharing this and sorry that it caused you a headache finding the solution. There have been various postings here and on the developer list over time about LDAP and other solutions people found or coded but the archives aren't the easiest to search or more importantly find what you need and we're hoping the new community site and the forums therein will help with that.

But I felt compelled to reply to your message to say what a great and welcoming contrast it is to see someone from an IT team proactively working hard to resolve such issues and presumably establish an institutional install for the benefit of teaching and learning. Then without any prompting sharing the results of that work back with this community.

IT teams get a hard time and bad press a lot of the time from their non-IT colleagues and sometimes that's deserved and sometimes not. I responded to someone earlier today who had been given all sorts of reasons by their IT team why XOT couldn't be installed at that organisation most of which were complete nonsense. So thank you for restoring the balance and for sharing the results. More importantly good luck with the roll out of what is a fantastic application and should reward your efforts in due course even if your efforts aren't directly acknowledged.

You'll find lots of support here regarding future updates and new functionality so please stay subscribed and post any questions/issues if and when they occur.

Cheers
Ron

From: xerte-bounces at lists.nottingham.ac.uk<mailto:xerte-bounces at lists.nottingham.ac.uk> [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Brophy, Lee
Sent: 07 May 2013 18:50
To: xerte at lists.nottingham.ac.uk<mailto:xerte at lists.nottingham.ac.uk>
Subject: [Xerte] Xerte LDAP behaviour (Mis-behaviour!)

Hello all,

                Apologies if this has been brought up before (I certainly couldn't find it in the archives), but I thought it may be useful to share a simple solution I have come across for those using LDAP authentication in Xerte, specifically V2.0 in my case but applicable for other versions I suspect. For those who want to skip to the solution (in red below) this fix will allow you to authenticate with AD by specifying the root DN as opposed to a specific OU.

                We are running Xerte 2.0 under XAMPP in Windows 2008 and I have spent days trying to resolve the issue of authenticating against multiple OU's within AD. Setting up authentication for a single OU worked a treat from the off, however adding a second "base_dn" to search just would not behave as I thought it should as any users contained within the secondary OU simply couldn't log in (failed at the last stage with error "Issue connecting to ldap server (#4) : No entries found ").

                I tried various configurations and edited the database manually, which got me a little further than using the $$$ delimiters in the management interface. I also tried a little code hacking to output the parameters being pulled from the database by the PHP code and all seemed fine, but still no joy, so I took the plunge and decided to read the LDAP section of the PHP manual!

                Within about 10 minutes of searching through the PHP manual I came across the following page;

http://php.net/manual/en/function.ldap-search.php

If you search the above page for "ldap referrals" you should find a post relating to these ldap referrals, which are what prevent successful AD searches from the root DN of the domain, you will also find the code to turn these off.

HERE'S THE SOLUTION!

                For me personally the fix was as follows;

                Set up ldap through the xerte management page (should be pretty straight forward) or edit the ldap table in phpMyAdmin by following the "ldap" document in "%installdir%\xertetoolkits_2.0\documentation\"

                For "base_dn" specify your AD root DN e.g. "DN=MyDomain,DN=com"

                Next you need to edit the "Ldap.php" file contained within "%installdir%\xertetoolkits_2.0\library\Xerte\Authentication\" and add the following line

                                ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

       I have added it near to the top of the file, but within the php tags so mine looks like this;

                                <?php

/**
* For this to work, you'll need to have at least one entry in the XOT 'ldap' table. Example values (which work for me) are below :
*
 * ldap_host = localhost
* ldap_port = 389
* ldap_username = cn=admin,dc=blah,dc=com
* ldap_password = <plain text password which you can connect to ldap with>
* ldap_basedn = ou=xot,dc=blah,dc=com  -- this is where in the LDAP tree your XOT stuff lives.
 * ldap_filter = cn    - field we try to do a match for the end user's username on.
* ldap_filter_attr = uid
 *
 *
 */

ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

etc...

                Other than this the file stays the same. I am now able to authenticate using LDAP for a user regardless of their account location in AD and there is no need for multiple entries in the LDAP table.

Hopefully this will be of use to somebody, I know it has caused me somewhat of a headache!
Apologies for the essay!

Regards
Lee

Lee Brophy
Network Technician

Myerscough College
Bilsborrow, Preston, Lancashire, PR3 0RY
Tel: 01995 642134 Fax: 01995 642333
Web:  www.myerscough.ac.uk<http://www.myerscough.ac.uk>
P please consider the environment before printing this e-mail




This email is confidential and may be privileged. If you are not the intended recipient please accept our apologies. Please do not disclose, copy, or distribute information in this email nor take any action in reliance on its contents: to do so is strictly prohibited and may be unlawful. Please inform us that this message has gone astray before deleting it. Please note that views expressed in this email are those of the author and do not necessarily represent those of the Higher Education Academy. Please note that this e-mail has been created in the knowledge that Internet e-mail is not a secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Although we have taken steps to ensure this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free. The Higher Education Academy Registered No 4930131
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte/attachments/20130507/ddb4d976/attachment.html>


More information about the Xerte mailing list