I promise I'm coming to the end of my questions!
Now that I have the FAQ running the way I want, I'd like to use LDAP to integrate our existing Windows Server 2003 Active Directory.
On my Linux box I'm running Ubuntu 10.04 (but will use 9.0 when I reinstall for ease of Webmin installation). I ran sudo apt-get install php5-ldap, and then did the phpmyfaq setup.
During setup, I entered, then verified in the ldap.php file, the following values:
"ldap_server" = IP of my Windows 2003 server
"ldap_port" = 389
"ldap_user" = hotspot\administrator
"ldap_password" = password
"ldap_base" = dc=servername, dc=domainname
I then activated the LDAP option in config.
When I attempt to use a domain account to log in, I get the following debug information.
phpMyFAQ warning [2]: ldap_search(): Search: No such object in Ldap.php on line 167
phpMyFAQ warning [2]: ldap_first_entry() expects parameter 2 to be resource, boolean given in Ldap.php on line 174
phpMyFAQ warning [2]: ldap_get_values() expects parameter 2 to be resource, null given in Ldap.php on line 181
But, once I've enabled LDAP, I get the same messages when attempting to use a non-domain user account as well. For domain accounts, should I use the Domain\User form? Or if it were working, would just the domain user account be sufficient? Example... Domain\user or just user?
My problem could very well be on the Windows side or the Linux side... but any advice is appreciated.
LDAP
Moderator: Thorsten
Re: LDAP
Hi,
Tinman wrote:
But, once I've enabled LDAP, I get the same messages when attempting to use a non-domain user account as well. For domain accounts, should I use the Domain\User form? Or if it were working, would just the domain user account be sufficient? Example... Domain\user or just user?
Do you see any errors on your Windows server? Please also check the LDAP configuration in config/constants_ldap.php.
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Re: LDAP
LDAP is running on the server, and I don't see any errors. I reinstalled Ubuntu and then LDAP using...
1. sudo apt-get update
2. sudo apt-get install likewise-open
3. sudo domainjoin-cli join fqdn.of.your.domain Administrator
4. sudo update-rc.d likewise-open defaults
5. sudo /etc/init.d/likewise-open start
From http://anothersysadmin.wordpress.com/20 ... buntu-804/
With that, I'm able to log into the Linux server using my domain credentials, so LDAP is working on that level. I then ran sudo apt-get install php5-ldap and configured the FAQ.
I can log into the FAQ using my personal domain account, but I think that's only because I've got those details specified in /var/www/faq/config/ldap.php. When I try a different account, it fails with this output (similar to my last output):
phpMyFAQ warning [2]: ldap_get_values(): supplied argument is not a valid ldap result entry resource in Ldap.php on line 181
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in Session.php on line 380
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 589
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 590
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 591
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 592
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 593
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 594
phpMyFAQ warning [2]: Cannot modify header information - headers already sent by (output started at /var/www/faq/inc/functions.php:173) in index.php on line 595
My Constants_Ldap.php has this (comment fields excluded)...
$PMF_LDAP['ldap_mapping'] = array(
    'name'     => 'cn',
    'username' => 'samAccountName',
    'mail'     => 'mail');
$PMF_LDAP['ldap_use_domain_prefix'] = true;
$PMF_LDAP["ldap_options"] = array(
    LDAP_OPT_PROTOCOL_VERSION => 3,
    LDAP_OPT_REFERRALS        => 0);
Not sure if this is right or wrong. Considering that I can log into the server with domain credentials, I'm pretty sure the problem is in my FAQ configuration; I just don't know what to change.
Re: LDAP
Also..
I put LDAP event logging to grab every single event, and tried again. I noticed that when I log in using my credentials, everything works... well... everything works. If I use someone else's credentials, it's still my credentials that are passed to the server, and then I get the above error messages.
I think it's using the details in ldap.php to authenticate to the server, but then comparing the supplied credentials against the ones being used to authenticate to the server, and failing the FAQ login. I hope that makes sense... but I don't understand why.
Re: LDAP
First off, I promise that this unfortunate stream-of-thought set of threads isn't just a plan to boost my post count for some mastermind plot. Sometimes I just think better out loud, and these next questions are pretty straightforward.
My understanding is that ./config/constants.php is what FAQ uses to authenticate to my Active Directory server.
Is it possible to use the username/password the user is supplying to authenticate? I'd rather not have a username/password stored in plain text sitting in my config folder.
Is there a setting to automatically append a domain prefix so my domain members don't need to type Domain\user?
Thanks again for the help.
Re: LDAP
Hi,
first, my knowledge of LDAP is very poor; most of the LDAP code of phpMyFAQ is not by myself.
Tinman wrote:
My understanding is that ./config/constants.php is what FAQ uses to authenticate to my Active Directory server.
Do you mean ./config/constants_ldap.php?
Tinman wrote:
Is it possible to use the username/password the user is supplying to authenticate? I'd rather not have a username/password stored in plain text sitting in my config folder.
Yes, this should work...
Tinman wrote:
Is there a setting to automatically append a domain prefix so my domain members don't need to type Domain\user?
Maybe this could work by using additional configuration items in ./config/constants_ldap.php
bye
Thorsten
phpMyFAQ Maintainer and Lead Developer
Re: LDAP
Sorry... not constants.php... I meant ldap.php:
<?php
$PMF_LDAP["ldap_server"]   = 'ip of domain controller';
$PMF_LDAP["ldap_port"]     = '389';
$PMF_LDAP["ldap_user"]     = 'DOMAIN\user';
$PMF_LDAP["ldap_password"] = "user's password";
$PMF_LDAP["ldap_base"]     = 'ou=dept, ou=users, dc=subdomain, dc=domain, dc=com';
This is the file that took me the longest to figure out. At first I had the LDAP base set to the full distinguished name of the domain\users account (cn='domain user', ou=dept, ou=users, dc=subdomain, dc=domain, dc=com)... I had to drop the specific domain user mentioned.
I noticed the account was authenticating to the server, but LDAP was still failing. By widening the base DN to the users folder, it started working right away.
I'm going to remove the LDAP service for logging into the Linux server using domain credentials; that'll at least lock down access to the configuration text files to people with the local Linux login.
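The search-then-bind flow Tinman asks about (proving the password the user types instead of only the one stored in ldap.php), as an added PHP example that is not phpMyFAQ's own Ldap.php. It assumes PHP 7.1+ with ext/ldap and a $cfg array carrying the $PMF_LDAP keys shown in this thread; the function name pmf_ad_authenticate is hypothetical.

```php
<?php
// Added example, not phpMyFAQ's Ldap.php: authenticate with the credentials
// the user supplies, so the account in config/ldap.php only needs read access
// to look up DNs. Assumes PHP 7.1+ with ext/ldap; $cfg is the $PMF_LDAP array.
// Flow: bind as the lookup account, search sAMAccountName under ldap_base for
// the user's DN, then rebind as that DN with the supplied password.
// Every ldap_* result is checked, so a wrong ldap_base yields one clear error
// instead of the "expects parameter 2 to be resource, boolean given" cascade.

function pmf_ad_authenticate(array $cfg, string $login, string $password): array
{
    if ($password === '') {                    // AD treats an empty password as an anonymous bind
        return [false, 'empty password refused'];
    }
    // Accept both "DOMAIN\user" and plain "user" by dropping any domain prefix.
    $pos  = strrpos($login, '\\');
    $user = $pos === false ? $login : substr($login, $pos + 1);

    $ds = ldap_connect($cfg['ldap_server'], (int) $cfg['ldap_port']);
    if ($ds === false) {
        return [false, 'cannot connect'];
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD returns referrals; chasing them stalls searches

    // Step 1: lookup bind with the read-only account from ldap.php.
    if (!@ldap_bind($ds, $cfg['ldap_user'], $cfg['ldap_password'])) {
        return [false, 'lookup bind failed: ' . ldap_error($ds)];
    }
    // Step 2: find the user's DN. ldap_escape() stops a crafted login from rewriting the filter.
    $filter = '(sAMAccountName=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_search($ds, $cfg['ldap_base'], $filter, ['cn', 'mail']);
    if ($sr === false) {                       // e.g. "No such object": ldap_base is not a real container
        return [false, 'search failed: ' . ldap_error($ds)];
    }
    if (ldap_count_entries($ds, $sr) !== 1) {
        return [false, 'user not found or ambiguous'];
    }
    $entry = ldap_first_entry($ds, $sr);
    $dn    = ldap_get_dn($ds, $entry);
    $attrs = ldap_get_attributes($ds, $entry);

    // Step 3: prove the password by binding as the user's own DN.
    if (!@ldap_bind($ds, $dn, $password)) {
        return [false, 'bad password: ' . ldap_error($ds)];
    }
    ldap_unbind($ds);
    return [true, ['dn' => $dn, 'cn' => $attrs['cn'][0] ?? '', 'mail' => $attrs['mail'][0] ?? '']];
}
```

On port 389 a simple bind sends both the lookup account's and the user's password in the clear; call ldap_start_tls($ds) right after ldap_connect(), or use an ldaps:// server URI, before either bind.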