LDAP/Active Directory

I've been working on our LDAP/Active Directory problem and have tracked the problem back to the Root DN. How does the LDAP bridge handle containers? Suppose I have a root container OU=XX and 3 containers below that (OU=A, OU=B and OU=C). If I point the LDAP bridge at OU=XX shouldn't I see 3 containers below it for A, B and C with the users and groups inside those containers? Currently it looks like I need to set up 3 LDAP bridges (one for each of OU=A,OU=XX; OU=B,OU=XX and OU=C,OU=XX).


How will this work if the users are located in OU=A but the groups they belong to are located in OU=C?

Chances are that the version of Active Directory you are using is not quite supported. If the containers are not being read as groups or users, they won't appear under the LDAP bridge. I'd have to take a look at the data returned by the ldap_list function to see how your groups are being represented to Matrix.


If everything is working correctly, your 3 containers should appear in the asset map under the container represented by the root DN.

It could also be related to the Attribute Setup for the LDAP bridge itself. You need to let Matrix know how the Container/Group is identified. The attribute should be 'cn' – otherwise Matrix does not recognise the containers.

I'm now able to get organizational units to show up. When I try to expand one I get the following message pop-up "Could not do request: error while parsing: XML declaration may only begin entities". Any clues as to where I might start looking for this?


Also I've patched packages/ldap/ldap_bridge/ldap_bridge.inc as follows

At line 190 I added

    case 'domain' :
        // Domain objects are named by their 'dc' attribute; skip entries that lack it
        if (!isset($data[$attrs['dc']][0])) continue(2);
        $name = $data[$attrs['dc']][0];
        $type = 'ldap_user_group';
        break;

At line 358 (after adding the last patch) I added

    else if ($class == 'domain') $attr = 'dc';  // domain objects use 'dc' as their naming attribute

This way it can handle using dc's in addition to ou's for the container.

I left out 1 line from my patch:


    $result = $ldap->search($base_dn, '(|(|(|(objectClass=organizationalunit)(objectClass=organizationalperson))(objectClass=group))(objectClass=domain))', false);

at 163. The previous line numbers were all out by 2.



I'm currently faced with two problems.

  1. The root DN needs to be the root DN for the AD (i.e. DC=XXX,DC=edu,DC=au) because our AD admin put in containers below this point for users. This patch should take care of that.

  2. One of the containers is OU=City Library,DC=XXX,DC=edu,DC=au. Below this are other containers for each department in the City. Without the patch I can now set the root DN to OU=City Library,DC=XXX,DC=edu,DC=au and see the containers below it but I get the error message I previously reported when I try to expand one.

PS: I'm working without the patch to make it easier to debug but will need to add it once this problem has been sorted out.
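To make the intent of the patch above concrete, here is an added example (my own code, not the Matrix ldap_bridge.inc source): an object-class-to-naming-attribute table that includes the 'domain'/'dc' case, the flattened equivalent of the posted search filter, and a classifier run over constructed entries in the shape ldap_get_entries() returns. The names CLASS_MAP, buildSearchFilter and classifyEntry and the sample entries are assumptions made for the illustration.

```php
<?php
// Added example, not Squiz Matrix code: decide which asset type and naming
// attribute an LDAP entry should get. Entries follow ldap_get_entries():
// attribute names lower-cased, multi-valued attributes as arrays with a 'count' key.

// Most-specific class first: AD objects carry several objectClass values
// (e.g. top, person, organizationalPerson, user), so the order here matters.
const CLASS_MAP = [
    'group'                => ['ldap_user_group', 'cn'],
    'organizationalunit'   => ['ldap_user_group', 'ou'],   // OUs are named by 'ou', not 'cn'
    'domain'               => ['ldap_user_group', 'dc'],   // the case the patch adds
    'organizationalperson' => ['ldap_user',       'cn'],
];

// (|...) is n-ary in RFC 4515, so the nested ORs in the posted filter
// are equivalent to a single OR over all four classes.
function buildSearchFilter(array $classes): string {
    $terms = array_map(fn($c) => "(objectClass=$c)", $classes);
    return '(|' . implode('', $terms) . ')';
}

// Returns [assetType, nameAttribute, name], or null when the entry is not one the
// bridge handles or lacks its naming attribute (the patch's continue(2) guard).
// objectClass values are compared case-insensitively: the directory returns
// 'organizationalUnit' while the table is written in lower case.
function classifyEntry(array $entry): ?array {
    if (!isset($entry['objectclass'])) return null;
    $classes = array_map('strtolower', array_filter($entry['objectclass'], 'is_string'));
    foreach (CLASS_MAP as $class => [$type, $attr]) {
        if (!in_array($class, $classes, true)) continue;
        if (!isset($entry[$attr][0])) return null;
        return [$type, $attr, $entry[$attr][0]];
    }
    return null;
}

// Constructed sample entries (not from a real directory), using the thread's placeholder names.
$samples = [
    ['dn' => 'DC=XXX,DC=edu,DC=au',
     'objectclass' => ['count' => 3, 'top', 'domain', 'domainDNS'],
     'dc' => ['count' => 1, 'XXX']],
    ['dn' => 'OU=A,OU=XX,DC=XXX,DC=edu,DC=au',
     'objectclass' => ['count' => 2, 'top', 'organizationalUnit'],
     'ou' => ['count' => 1, 'A']],
    ['dn' => 'CN=Web Editors,OU=C,OU=XX,DC=XXX,DC=edu,DC=au',
     'objectclass' => ['count' => 2, 'top', 'group'],
     'cn' => ['count' => 1, 'Web Editors']],
    ['dn' => 'CN=jdoe,OU=A,OU=XX,DC=XXX,DC=edu,DC=au',
     'objectclass' => ['count' => 4, 'top', 'person', 'organizationalPerson', 'user'],
     'cn' => ['count' => 1, 'jdoe']],
];

echo buildSearchFilter(array_keys(CLASS_MAP)), "\n";
foreach ($samples as $entry) {
    [$type, $attr, $name] = classifyEntry($entry) ?? ['(skipped)', '-', '-'];
    printf("%-45s %-16s %-3s %s\n", $entry['dn'], $type, $attr, $name);
}
```

The domain root resolves to an ldap_user_group named by 'dc', the OU by 'ou' and the group and user by 'cn'; an entry whose naming attribute is missing is skipped rather than breaking the listing, which is the behaviour the patch's guard gives.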

OU's are named by the attribute "ou", not "cn" - is this configurable in Matrix?

[quote]If the containers are not being read as groups or users, they wont appear under the LDAP bridge[/quote]

Both users and groups are not container objects, so I assume you mean Matrix reads and interprets OU's as a group? If so, how is group membership determined?

[quote]I'd have to take a look at the data returned by the ldap_list function to see how your groups are being represented to Matrix[/quote]

In AD groups have the object class of top and group. OU's are top and organizationalUnit, but they are named by the attribute ou, not cn.



Have you thought about changing the search scope to sub to include all users and groups? Since AD is essentially flat (as evidenced by the fact you can't have two objects with the same name anywhere in the tree) you will not get any namespace conflicts. This would need benchmarking depending on your environment.



I watch with interest as I would love to try the LDAP bridge, but have not yet had a response to my emails…

The LDAP bridge modifications by Buggy have been applied back into the core LDAP CVS tree and are now working on both OpenLDAP and Active Directory. The new code is far more stable on Active Directory implementations and does handle Containers and Groups better.


Matrix does NOT interpret OUs as groups (I made a mistake in the previous post). You need to create groups in AD and assign permissions in Matrix to actual group objects. These are then referred to via the "memberOf" attribute of LDAP users.



Edited to add: When did you send your emails and to whom? I can follow that up for you if you drop me a PM.
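Two points raised in the thread can be seen on constructed data: what a one-level listing (ldap_list) versus a subtree search returns under a base DN, and what happens to a user's memberOf references when the groups live in a different OU from the users. This is an added example, not Matrix code; dnComponents, isUnder, selectScope, resolveMemberships and the sample DNs are assumptions for illustration, and the DN splitter is deliberately simplified.

```php
<?php
// Added example, not Squiz Matrix code: emulate LDAP search scope over an
// in-memory set of DNs and check users' memberOf groups against the bridge's base DN.

// Split a DN into RDN components, normalising case and whitespace.
// Simplified: plain "attr=value,attr=value" DNs only; RFC 4514 escaped commas
// are not handled (ext/ldap's ldap_explode_dn() would be used against a live server).
function dnComponents(string $dn): array {
    return array_map(fn($rdn) => strtolower(trim($rdn)), explode(',', $dn));
}

// True when $dn sits below $base: its tail components must equal $base's components.
function isUnder(string $dn, string $base): bool {
    $d = dnComponents($dn);
    $b = dnComponents($base);
    return count($d) > count($b) && array_slice($d, -count($b)) === $b;
}

// Depth of $dn relative to $base (1 = immediate child), or null when not under it.
function depthBelow(string $dn, string $base): ?int {
    return isUnder($dn, $base) ? count(dnComponents($dn)) - count(dnComponents($base)) : null;
}

// 'one' mirrors LDAP_SCOPE_ONELEVEL (ldap_list), 'sub' mirrors LDAP_SCOPE_SUBTREE (ldap_search).
function selectScope(array $dns, string $base, string $scope): array {
    return array_values(array_filter($dns, fn($dn) =>
        $scope === 'one' ? depthBelow($dn, $base) === 1 : isUnder($dn, $base)));
}

// For each user, split memberOf groups into those the bridge can see under its base DN
// and those it cannot; the latter can never be matched to a group asset.
function resolveMemberships(array $users, string $base, string $scope): array {
    $out = [];
    foreach ($users as $dn => $groups) {
        $visible = selectScope($groups, $base, $scope);
        $out[$dn] = [
            'in_scope'     => $visible,
            'out_of_scope' => array_values(array_diff($groups, $visible)),
        ];
    }
    return $out;
}

// Constructed sample directory using the thread's placeholder names:
// users under OU=A, groups under OU=C, both below OU=XX.
$base = 'OU=XX,DC=XXX,DC=edu,DC=au';
$objects = [
    'OU=A,OU=XX,DC=XXX,DC=edu,DC=au',
    'OU=B,OU=XX,DC=XXX,DC=edu,DC=au',
    'OU=C,OU=XX,DC=XXX,DC=edu,DC=au',
    'CN=jdoe,OU=A,OU=XX,DC=XXX,DC=edu,DC=au',
    'CN=Web Editors,OU=C,OU=XX,DC=XXX,DC=edu,DC=au',
];
$users = [
    'CN=jdoe,OU=A,OU=XX,DC=XXX,DC=edu,DC=au' => [
        'CN=Web Editors,OU=C,OU=XX,DC=XXX,DC=edu,DC=au',
        'CN=Domain Users,CN=Users,DC=XXX,DC=edu,DC=au',   // lives outside OU=XX entirely
    ],
];

print_r(selectScope($objects, $base, 'one'));   // the three OUs only
print_r(selectScope($objects, $base, 'sub'));   // OUs plus the user and the group
print_r(resolveMemberships($users, $base, 'sub'));
```

With a one-level scope the bridge sees only OU=A, OU=B and OU=C; with a subtree scope it also sees the user and the group beneath them, so jdoe's membership of Web Editors can be resolved. The Domain Users group sits outside OU=XX under either scope and ends up in out_of_scope, which is the situation to check for when permissions assigned to a group do not take effect.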