<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Garamond;
panose-1:2 2 4 4 3 3 1 1 8 3;}
@font-face
{font-family:Webdings;
panose-1:5 3 1 2 1 5 9 6 7 3;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hello all,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Apologies if this has been brought up before (I certainly couldn’t find it in the archives), but I thought it may be useful to share a simple solution I have come across for those using LDAP authentication in Xerte, specifically
V2.0 in my case but applicable for other versions I suspect. For those who want to skip to the solution (in red below) this fix will allow you to authenticate with AD by specifying the root DN as opposed to a specific OU.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> We are running Xerte 2.0 under XAMPP in Windows 2008 and I have spent days trying to resolve the issue of authenticating against multiple OU’s within AD. Setting up authentication for a single OU worked a treat from the
off, however adding a second “base_dn” to search just would not behave as I thought it should as any users contained within the secondary OU simply couldn’t log in (failed at the last stage with error "Issue connecting to ldap server (#4) : No entries found
"). <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> I tried various configurations and edited the database manually, which got me a little further than using the $$$ delimiters in the management interface. I also tried a little code hacking to output the parameters being
pulled from the database by the PHP code and all seemed fine, but still no joy, so I took the plunge and decided to read the LDAP section of the PHP manual!
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Within about 10 minutes of searching through the PHP manual I came across the following page;<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="text-indent:36.0pt"><a href="http://php.net/manual/en/function.ldap-search.php">http://php.net/manual/en/function.ldap-search.php</a>
<o:p></o:p></p>
<p class="MsoNormal" style="text-indent:36.0pt"><o:p> </o:p></p>
<p class="MsoNormal" style="text-indent:36.0pt">If you search the above page for “ldap referrals” you should find a post relating to these ldap referrals, which are what prevent successful AD searches from the root DN of the domain, you will also find the code
to turn these off.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:red">HERE’S THE SOLUTION! <o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"> For me personally the fix was as follows;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"> Set up ldap through the xerte management page (should be pretty straight forward) or edit the ldap table in phpMyAdmin by following the “ldap” document in “%installdir%\xertetoolkits_2.0\documentation\”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"> For “base_dn” specify your AD root DN e.g. “DN=MyDomain,DN=com”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"> Next you need to edit the “Ldap.php” file contained within “%installdir%\xertetoolkits_2.0\library\Xerte\Authentication\” and add the following line
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red"> </span>
<span style="font-size:10.0pt;font-family:Consolas;color:black;background:#F0F0F0">ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas;color:black;background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:Consolas;color:black;background:#F0F0F0">
</span><span style="color:red;background:#F0F0F0">I have added it near to the top of the file, but within the php tags so mine looks like this;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:red;background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:red;background:#F0F0F0">
</span><span style="background:#F0F0F0"><?php<o:p></o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">/**<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* For this to work, you'll need to have at least one entry in the XOT 'ldap' table. Example values (which work for me) are below :<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">*
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"> * ldap_host = localhost<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* ldap_port = 389<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* ldap_username = cn=admin,dc=blah,dc=com<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* ldap_password = <plain text password which you can connect to ldap with><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* ldap_basedn = ou=xot,dc=blah,dc=com -- this is where in the LDAP tree your XOT stuff lives.
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"> * ldap_filter = cn - field we try to do a match for the end user's username on.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">* ldap_filter_attr = uid
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"> *
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"> *
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"> */<o:p></o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt;text-indent:36.0pt"><span style="background:#F0F0F0">etc…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0"> <span style="color:red">
Other than this the file stays the same. I am now able to authenticate using LDAP for a user regardless of their account location in AD and there is no need for multiple entries in the LDAP table.
<o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="color:red;background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0">Hopefully this will be of use to somebody, I know it has caused me somewhat of a headache!
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0">Apologies for the essay!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="background:#F0F0F0">Regards<br>
Lee<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA">Lee Brophy</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA">Network Technician</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA"> </span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:14.0pt;font-family:"Garamond","serif";color:#006633;mso-fareast-language:JA">Myerscough College</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA">Bilsborrow, Preston, Lancashire, PR3 0RY</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA">Tel: 01995 642134 Fax: 01995 642333</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Arial","sans-serif";color:#002060;mso-fareast-language:JA">Web:</span><span style="font-family:"Arial","sans-serif";color:#0070C0;mso-fareast-language:JA">
</span><span style="font-family:"Arial","sans-serif";color:#1F497D;mso-fareast-language:JA"><a href="http://www.myerscough.ac.uk"><span style="color:#1F497D">www.myerscough.ac.uk</span></a>
</span><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:8.0pt;font-family:Webdings;color:green;mso-fareast-language:JA">P</span></b><b><span style="font-size:8.0pt;font-family:"Verdana","sans-serif";color:black;mso-fareast-language:JA">
</span></b><b><span style="font-size:8.0pt;font-family:"Tahoma","sans-serif";color:green;mso-fareast-language:JA">please consider the environment before printing this e-mail</span></b><span style="mso-fareast-language:JA"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>