[Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)
Brophy, Lee
lbrophy at myerscough.ac.uk
Wed May 8 12:24:44 BST 2013
Good afternoon,
Thanks very much for the feedback and comments, I have to admit it is nice to be appreciated.
As you suspected Ron we certainly are using Xerte as an institutional teaching and learning tool. It was requested by one of our teacher trainers Abi, who is very in touch with technology and is always looking at ways to enhance time spent in the classroom, so I know she'll be very grateful for the effort made to get Xerte up and running. From what I've seen personally it seems like a very fast and efficient application and I think it will prove to be a fantastic resource for both staff and students.
Hopefully I'll be able to continue to contribute as things develop with Xerte as I know I have found the information on the Community website and in the mailing archives invaluable, so thank you to those who have also contributed it really has been a big help!
Many thanks
Lee
Lee Brophy
Network Technician
Myerscough College
Bilsborrow, Preston, Lancashire, PR3 0RY
Tel: 01995 642134 Fax: 01995 642333
Web: www.myerscough.ac.uk
please consider the environment before printing this e-mail
-----Original Message-----
From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of xerte-request at lists.nottingham.ac.uk
Sent: 07 May 2013 20:44
To: xerte at lists.nottingham.ac.uk
Subject: Xerte Digest, Vol 127, Issue 12
Send Xerte mailing list submissions to
xerte at lists.nottingham.ac.uk
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.nottingham.ac.uk/mailman/listinfo/xerte
or, via email, send a message with subject or body 'help' to
xerte-request at lists.nottingham.ac.uk
You can reach the person managing the list at
xerte-owner at lists.nottingham.ac.uk
When replying, please edit your Subject line so it is more specific than "Re: Contents of Xerte digest..."
Today's Topics:
1. Re: Xerte LDAP behaviour (Mis-behaviour!) (Alistair McNaught)
2. Re: Xerte LDAP behaviour (Mis-behaviour!) (Dave Burnett)
----------------------------------------------------------------------
Message: 1
Date: Tue, 7 May 2013 19:07:05 +0000
From: Alistair McNaught <Alistair.McNaught at HEAcademy.ac.uk>
To: Xerte discussion list <xerte at lists.nottingham.ac.uk>
Subject: [Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)
Message-ID:
<F0AEBF37A5C5AB4A852BCBA19A91325045F65F at HEAEXCHMBX01.HEAcademy.ac.uk>
Content-Type: text/plain; charset="us-ascii"
Seconded - welcome to the community Lee!
Alistair
From: xerte-bounces at lists.nottingham.ac.uk [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 07 May 2013 19:57
To: 'Xerte discussion list'
Subject: [Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)
Hi Lee
many thanks for sharing this and sorry that it caused you a headache finding the solution. There have been various postings here and on the developer list over time about LDAP and other solutions people found or coded but the archives aren't the easiest to search or more importantly find what you need and we're hoping the new community site and the forums therein will help with that.
But I felt compelled to reply to your message to say what a great and welcoming contrast it is to see someone from an IT team proactively working hard to resolve such issues and presumably establish an institutional install for the benefit of teaching and learning. Then without any prompting sharing the results of that work back with this community.
IT teams get a hard time and bad press a lot of the time from their non-IT colleagues and sometimes that's deserved and sometimes not. I responded to someone earlier today who had been given all sorts of reasons by their IT team why XOT couldn't be installed at that organisation most of which were complete nonsense. So thank you for restoring the balance and for sharing the results. More importantly good luck with the roll out of what is a fantastic application and should reward your efforts in due course even if your efforts aren't directly acknowledged.
You'll find lots of support here regarding future updates and new functionality so please stay subscribed and post any questions/issues if and when they occur.
Cheers
Ron
From: xerte-bounces at lists.nottingham.ac.uk<mailto:xerte-bounces at lists.nottingham.ac.uk> [mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of Brophy, Lee
Sent: 07 May 2013 18:50
To: xerte at lists.nottingham.ac.uk<mailto:xerte at lists.nottingham.ac.uk>
Subject: [Xerte] Xerte LDAP behaviour (Mis-behaviour!)
Hello all,
Apologies if this has been brought up before (I certainly couldn't find it in the archives), but I thought it may be useful to share a simple solution I have come across for those using LDAP authentication in Xerte, specifically V2.0 in my case but applicable for other versions I suspect. For those who want to skip to the solution (in red below) this fix will allow you to authenticate with AD by specifying the root DN as opposed to a specific OU.
We are running Xerte 2.0 under XAMPP in Windows 2008 and I have spent days trying to resolve the issue of authenticating against multiple OU's within AD. Setting up authentication for a single OU worked a treat from the off, however adding a second "base_dn" to search just would not behave as I thought it should as any users contained within the secondary OU simply couldn't log in (failed at the last stage with error "Issue connecting to ldap server (#4) : No entries found ").
I tried various configurations and edited the database manually, which got me a little further than using the $$$ delimiters in the management interface. I also tried a little code hacking to output the parameters being pulled from the database by the PHP code and all seemed fine, but still no joy, so I took the plunge and decided to read the LDAP section of the PHP manual!
Within about 10 minutes of searching through the PHP manual I came across the following page;
http://php.net/manual/en/function.ldap-search.php
If you search the above page for "ldap referrals" you should find a post relating to these ldap referrals, which are what prevent successful AD searches from the root DN of the domain, you will also find the code to turn these off.
HERE'S THE SOLUTION!
For me personally the fix was as follows;
Set up ldap through the xerte management page (should be pretty straight forward) or edit the ldap table in phpMyAdmin by following the "ldap" document in "%installdir%\xertetoolkits_2.0\documentation\"
For "base_dn" specify your AD root DN e.g. "DN=MyDomain,DN=com"
Next you need to edit the "Ldap.php" file contained within "%installdir%\xertetoolkits_2.0\library\Xerte\Authentication\" and add the following line
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
I have added it near to the top of the file, but within the php tags so mine looks like this;
<?php
/**
* For this to work, you'll need to have at least one entry in the XOT 'ldap' table. Example values (which work for me) are below :
*
* ldap_host = localhost
* ldap_port = 389
* ldap_username = cn=admin,dc=blah,dc=com
* ldap_password = <plain text password which you can connect to ldap with>
* ldap_basedn = ou=xot,dc=blah,dc=com -- this is where in the LDAP tree your XOT stuff lives.
* ldap_filter = cn - field we try to do a match for the end user's username on.
* ldap_filter_attr = uid
*
*
*/
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
etc...
Other than this the file stays the same. I am now able to authenticate using LDAP for a user regardless of their account location in AD and there is no need for multiple entries in the LDAP table.
Hopefully this will be of use to somebody, I know it has caused me somewhat of a headache!
Apologies for the essay!
Regards
Lee
Lee Brophy
Network Technician
Myerscough College
Bilsborrow, Preston, Lancashire, PR3 0RY
Tel: 01995 642134 Fax: 01995 642333
Web: www.myerscough.ac.uk<http://www.myerscough.ac.uk>
P please consider the environment before printing this e-mail
This email is confidential and may be privileged. If you are not the intended recipient please accept our apologies. Please do not disclose, copy, or distribute information in this email nor take any action in reliance on its contents: to do so is strictly prohibited and may be unlawful. Please inform us that this message has gone astray before deleting it. Please note that views expressed in this email are those of the author and do not necessarily represent those of the Higher Education Academy. Please note that this e-mail has been created in the knowledge that Internet e-mail is not a secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Although we have taken steps to ensure this e-mail and attachments are free from any virus, we advise that in keeping with good computing practice the recipient should ensure they are actually virus free. The Higher Education Academy Registered No 4930131
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte/attachments/20130507/ddb4d976/attachment-0001.html>
------------------------------
Message: 2
Date: Tue, 7 May 2013 15:43:16 -0400
From: Dave Burnett <d_b_burnett at hotmail.com>
To: Xerte list <xerte at lists.nottingham.ac.uk>
Subject: [Xerte] Re: Xerte LDAP behaviour (Mis-behaviour!)
Message-ID: <BLU153-W331BF3E723DE28C848E205A7BA0 at phx.gbl>
Content-Type: text/plain; charset="windows-1252"
Certainly a blast from the past for me.I spent a year in the U.K. working in Preston and living in Longridge.More than a few nights hiked down to the White Bull on Preston Road.And I just walked it again now with Google streetview.Time for a pint of Bombardier!
From: lbrophy at myerscough.ac.uk
To: xerte at lists.nottingham.ac.uk
Date: Tue, 7 May 2013 17:49:33 +0000
Subject: [Xerte] Xerte LDAP behaviour (Mis-behaviour!)
Hello all,
Apologies if this has been brought up before (I certainly couldn?t find it in the archives), but I thought it may be useful to share a simple solution I have come across for those using LDAP authentication in Xerte, specifically
V2.0 in my case but applicable for other versions I suspect. For those who want to skip to the solution (in red below) this fix will allow you to authenticate with AD by specifying the root DN as opposed to a specific OU.
We are running Xerte 2.0 under XAMPP in Windows 2008 and I have spent days trying to resolve the issue of authenticating against multiple OU?s within AD. Setting up authentication for a single OU worked a treat from the off, however adding a second ?base_dn? to search just would not behave as I thought it should as any users contained within the secondary OU simply couldn?t log in (failed at the last stage with error "Issue connecting to ldap server (#4) : No entries found ").
I tried various configurations and edited the database manually, which got me a little further than using the $$$ delimiters in the management interface. I also tried a little code hacking to output the parameters being pulled from the database by the PHP code and all seemed fine, but still no joy, so I took the plunge and decided to read the LDAP section of the PHP manual!
Within about 10 minutes of searching through the PHP manual I came across the following page;
http://php.net/manual/en/function.ldap-search.php
If you search the above page for ?ldap referrals? you should find a post relating to these ldap referrals, which are what prevent successful AD searches from the root DN of the domain, you will also find the code to turn these off.
HERE?S THE SOLUTION!
For me personally the fix was as follows;
Set up ldap through the xerte management page (should be pretty straight forward) or edit the ldap table in phpMyAdmin by following the ?ldap? document in ?%installdir%\xertetoolkits_2.0\documentation\?
For ?base_dn? specify your AD root DN e.g. ?DN=MyDomain,DN=com?
Next you need to edit the ?Ldap.php? file contained within ?%installdir%\xertetoolkits_2.0\library\Xerte\Authentication\? and add the following line
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
I have added it near to the top of the file, but within the php tags so mine looks like this;
<?php
/**
* For this to work, you'll need to have at least one entry in the XOT 'ldap' table. Example values (which work for me) are below :
*
* ldap_host = localhost
* ldap_port = 389
* ldap_username = cn=admin,dc=blah,dc=com
* ldap_password = <plain text password which you can connect to ldap with>
* ldap_basedn = ou=xot,dc=blah,dc=com -- this is where in the LDAP tree your XOT stuff lives.
* ldap_filter = cn - field we try to do a match for the end user's username on.
* ldap_filter_attr = uid
*
*
*/
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
etc?
Other than this the file stays the same. I am now able to authenticate using LDAP for a user regardless of their account location in AD and there is no need for multiple entries in the LDAP table.
Hopefully this will be of use to somebody, I know it has caused me somewhat of a headache!
Apologies for the essay!
Regards
Lee
Lee Brophy
Network Technician
Myerscough College
Bilsborrow, Preston, Lancashire, PR3 0RY
Tel: 01995 642134 Fax: 01995 642333
Web:
www.myerscough.ac.uk
P
please consider the environment before printing this e-mail
_______________________________________________
Xerte mailing list
Xerte at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte/attachments/20130507/9a80e314/attachment.html>
------------------------------
_______________________________________________
Xerte mailing list
Xerte at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte
End of Xerte Digest, Vol 127, Issue 12
**************************************
This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system:
you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
More information about the Xerte
mailing list