Editing an LDAP bridge

Hi. I thought I'd experiment with an LDAP bridge, so I created one, and put in some values. That didn't work on the first go.


However, when I now try to open up the asset that contains the Bridge, I get an error:


[quote]ldap_list(): Search: Operations error
File: [SYSTEM_ROOT]/fudge/ldap/ldap.inc
Line: 181[/quote]



After that, the contents of the asset are not listed. So I can't get back to the asset to edit it, or even to delete it. Do you know how to get round this problem?



Also, the LDAP Package manual said to put the Bridge in the 'appropriate location'. Should that be part of the Site, or what?



Thanks,



David C

The appropriate location is in the Authentication Systems folder in System Management, as a child of LDAP Authentication.


Which version of Matrix are you using? I thought that from 3.4 and higher, if the bridge couldn't connect, it would still show the asset. This sounds like an older version.


But wait... I solved this problem -- by going directly to the Asset with its ID number, then clearing the host and base DN fields.

However, if there is more information on the appropriate location, I'd still be interested.

Regards,

David C

[quote]The appropriate location is in the Authentication Systems folder in System Management, as a child of LDAP Authentication.


Which version of Matrix are you using? I thought that from 3.4 and higher, if the bridge couldn't connect, it would still show the asset. This sounds like an older version.[/quote]



Thanks for the info.



We are using 3.4.4 (although there have been some other weird little things with the installation as well, which I'm trying to sort out separately).



Thanks,



David C

The current release version in that branch of Matrix is v3.4.7. You should probably contact Squiz to organise an upgrade to see if that resolves this issue.

Playing with a 3.6.1 LDAP bridge - added it under
Authentication Systems

  • LDAP Authentication

    — UWA LDAP Bridge

Entered the Details and Attributes seemingly OK. The Connection Status on the Details screen reads 'Connected'.

However, I get a fatal error when going to the Directory Tree screen:

[quote]Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 128 bytes) in /mnt/apps/mysource_matrix_tst/fudge/ldap/ldap.inc on line 219

UWA LDAP bridge

[UNLOCKED] Under Construction[/quote]

And on the LDAP User setup screen, when I acquire the lock I get an 'Action cancelled' screen and have to log out and back in.

Do we need to up the allocated memory? We increased the allocated memory in php.ini due to problems uploading large PDFs, but this seems to be calling for more allocated memory in ldap.inc?

Thanks,

Sarah

You'll need to bump the memory limit in mysource_matrix/core/web/index.php to 24M or 32M to allow Matrix to use more memory.

Increased the memory and can now acquire the lock on the LDAP User setup screen.


For the Directory Tree, it is displaying our users; however, we're still getting a couple of PHP notices and a MySource error:


[quote]PHP Notice
File: [SYSTEM_ROOT]/packages/ldap/ldap_bridge/ldap_bridge.inc Line: 366
Message: Undefined index: dn[/quote]

[quote]PHP Notice
File: [SYSTEM_ROOT]/packages/ldap/ldap_bridge/ldap_bridge.inc Line: 367
Message: Undefined index: dn[/quote]

[quote]MySource Error
File: [SYSTEM_ROOT]/core/include/assertions.inc Line: 504
Message: [ASSERT EXCEPTION] [NULL] "" is not a valid asset ID (LINE 790 IN [SYSTEM_ROOT]/core/include/asset_manager.inc) [SYS0270][/quote]



Sarah

Sounds like your Attribute Setup may be incorrect. This is the usual configuration.


[b]For Active Directory:[/b]

    User ID           samaccountname
    Common Name       cn
    First Name        givenname
    Last Name         sn
    Email Address     mail
    Group Membership  memberof
    Group Name        ou


[b]For OpenLDAP v3:[/b]

    User ID           uid
    Common Name       cn
    First Name        givenName
    Last Name         sn
    Email Address     mail
    Group Membership  ou
    Group Name        ou


Does that help?

We're using Active Directory and we have the configuration you've suggested entered.


As well as the PHP Notices and MySource Error we also seem to only be getting a partial Directory Tree listing - it doesn't get to the end of all our users.



If I try to expand the LDAP bridge in the asset map I get the following error:

Sounds like inconsistencies in the LDAP response from the server. I know there have been some changes made to the LDAP handling code to better handle non-standard entities in LDAP entries (like & characters). I'll highlight this thread to Greg, see if he can poke his head in here.

I've seen this before on another Active Directory setup. I found that some of the groups (I think they had an organizationalUnit object class) didn't have a DN attribute. Matrix needs this DN to identify the LDAP users and groups within the tree.


See if you can find the groups that are not being displayed in the Directory Tree (or where it is dying) and check that they have a DN.

They all have a dn.


We've discovered it seems to fall over on nested groups - where groups have a group as a member.

In case anyone is interested we fixed this one by filtering the search down to the users - so we could exclude the nested groups causing the problem.


We edited the ldap_bridge.inc file to remove

    'group'                 => 'cn',

from the array

    var $_group_types = Array(
                            'organizationalunit'    => 'ou',
                            'group'                 => 'cn',
                            'groupofnames'          => 'cn',
                            'domain'                => 'dc',
                            'container'             => 'cn',
                            'organization'          => 'o',
                        );

Cheers,
Sarah
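As an added example that is not part of this thread or of the Matrix code base, the Python below (chosen over Matrix's PHP so it runs without a directory server) models what a bridge does with each Active Directory search result using the $_group_types table and the Active Directory attribute setup quoted above: it skips a result that has no dn instead of hitting the "Undefined index: dn" notice, finds groups that have another group as a member, and shows the catch in dropping 'group' from the table, namely that AD group objects carry sAMAccountName and so read as users unless the search itself is restricted to people. The sample entries are constructed, and the user_search_filter() is an assumed AD filter, not the one Matrix sends.

```python
"""Model of what an LDAP bridge makes of each Active Directory search result.

Added illustration written for this thread; it is not Matrix's ldap_bridge.inc
and the sample entries below are constructed, not taken from a real directory.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Same objectClass -> naming-attribute table as $_group_types in ldap_bridge.inc.
GROUP_TYPES: Dict[str, str] = {
    "organizationalunit": "ou",
    "group": "cn",
    "groupofnames": "cn",
    "domain": "dc",
    "container": "cn",
    "organization": "o",
}

# The fix from the thread: the same table with 'group' taken out.
GROUP_TYPES_WITHOUT_GROUP = {k: v for k, v in GROUP_TYPES.items() if k != "group"}

# The "usual configuration" for Active Directory given earlier in the thread.
AD_ATTRIBUTE_SETUP: Dict[str, str] = {
    "user_id": "samaccountname",
    "common_name": "cn",
    "first_name": "givenname",
    "last_name": "sn",
    "email": "mail",
    "group_membership": "memberof",
    "group_name": "ou",
}


def normalise(entry: Entry) -> Entry:
    """Lower-case attribute names, as PHP's ldap_get_entries() returns them."""
    return {name.lower(): list(values) for name, values in entry.items()}


def classify(entry: Entry, group_types: Dict[str, str] = GROUP_TYPES,
             setup: Dict[str, str] = AD_ATTRIBUTE_SETUP) -> Tuple[str, str]:
    """Return (kind, label): kind is 'group', 'user' or 'skip'.

    A result with no dn is skipped up front; indexing it blindly is what
    produces the 'Undefined index: dn' notices and the empty asset ID assertion.
    """
    e = normalise(entry)
    if not e.get("dn"):
        return ("skip", "entry has no dn")
    classes = {c.lower() for c in e.get("objectclass", [])}
    for object_class, name_attr in group_types.items():
        if object_class in classes:
            name = (e.get(name_attr) or [""])[0]
            if not name:
                return ("skip", f"{object_class} entry has no {name_attr}")
            return ("group", name)
    user_id = (e.get(setup["user_id"]) or [""])[0]
    if user_id:
        return ("user", user_id)
    return ("skip", f"neither a known group type nor a {setup['user_id']}")


def nested_groups(entries: List[Entry],
                  group_types: Dict[str, str] = GROUP_TYPES) -> List[Tuple[str, str]]:
    """List (parent_dn, child_dn) pairs where a group has another group as a member."""
    groups: Dict[str, Entry] = {}
    for entry in entries:
        if classify(entry, group_types)[0] == "group":
            e = normalise(entry)
            groups[e["dn"][0]] = e
    return [(dn, member) for dn, g in groups.items()
            for member in g.get("member", []) if member in groups]


def user_search_filter(setup: Dict[str, str] = AD_ATTRIBUTE_SETUP) -> str:
    """An assumed AD filter returning only person objects (not Matrix's own filter):
    objectCategory=person keeps group objects, nested or not, out of the result."""
    return f"(&(objectCategory=person)(objectClass=user)({setup['user_id']}=*))"


# Constructed sample: one user, two groups (one nested in the other), an OU and
# a result row with no dn, like the ones seen on another AD setup.
ALICE = "CN=Alice Example,OU=Staff,DC=example,DC=edu"
EDITORS = "CN=Web Editors,OU=Groups,DC=example,DC=edu"
ADMINS = "CN=Site Admins,OU=Groups,DC=example,DC=edu"
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": [ALICE], "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": ["alice"], "givenName": ["Alice"], "sn": ["Example"],
     "mail": ["alice@example.edu"], "memberOf": [EDITORS]},
    {"dn": [EDITORS], "objectClass": ["top", "group"], "cn": ["Web Editors"],
     "sAMAccountName": ["Web Editors"], "member": [ALICE, ADMINS]},
    {"dn": [ADMINS], "objectClass": ["top", "group"], "cn": ["Site Admins"],
     "sAMAccountName": ["Site Admins"], "member": []},
    {"dn": ["OU=Staff,DC=example,DC=edu"], "objectClass": ["top", "organizationalUnit"],
     "ou": ["Staff"]},
    {"objectClass": ["top", "group"], "cn": ["Orphan"]},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(classify(entry))
    print("nested:", nested_groups(SAMPLE_ENTRIES))
    # With 'group' dropped, AD groups (which carry sAMAccountName) read as users,
    # so the search itself must be restricted to people:
    print(classify(SAMPLE_ENTRIES[1], GROUP_TYPES_WITHOUT_GROUP))
    print(user_search_filter())
```

Run as a script it prints one classification per sample entry, the single nested pair (Web Editors containing Site Admins), then shows the "Web Editors" group coming back as a user once 'group' is removed from the table; that is why the thread's fix pairs the table edit with narrowing the search to users rather than relying on either alone.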