LDAP Group Filter

Posted: Mon Oct 02, 2023 4:24 pm
by tdellanna
Hi, I have a question.

I have configured ldap.php with a simple method:
==
$PMF_LDAP['ldap_server'] = 'ldap://cittadellasalute.to.it';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'CN=myuser,CN=Users,DC=mysites,DC=to,DC=it';
$PMF_LDAP['ldap_password'] = 'mypassword';
$PMF_LDAP['ldap_base'] = 'DC=mysites,DC=to,DC=it';

==
This configuration works, but all of my AD users can access my website.
What if I want to deny access to all users, but allow access for only one AD group?
I have tried the same configuration with these added lines:
==
$PMF_LDAP['ldap_use_memberOf'] = true;
$PMF_LDAP['ldap_mapping']['memberOf'] = 'cn=faq_PdL,ou=groups,DC=cittadellasalute,DC=to,DC=it';
==
But it does not work.

Do we have a solution?

Thanks!

Thomas

Re: LDAP Group Filter

Posted: Mon Oct 02, 2023 9:33 pm
by Thorsten
Hi,

do you get any errors?

bye
Thorsten

Re: LDAP Group Filter

Posted: Tue Oct 03, 2023 9:23 am
by tdellanna
Hi,
the error is "Wrong Credential". But the credential is correct.

I have tried to change the configuration with these lines:
==
$PMF_LDAP['ldap_group_filter'] = '(&(objectClass=group)(cn=faq_PdL))';
$PMF_LDAP['ldap_user_filter'] = '(&(objectClass=user)(memberOf=cn=faq_PdL,ou=groups,dc=cittadellasalute,dc=to,dc=it))';
==
But it's the same result.

Do you have an example of a similar configuration?

Thanks,

Thomas
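
The group restriction that the `memberOf` filter in the post above is meant to express, as an added PHP example (not code from this thread or from phpMyFAQ). The function names are hypothetical, `sAMAccountName` as the login attribute and the nested-membership matching rule are Active Directory assumptions, and the sample entries are constructed.

```php
<?php
// Added example, not phpMyFAQ code. Needs PHP's ldap extension for ldap_escape().

// Build an AD user filter that matches one account only if it is in $groupDn.
function buildGroupUserFilter(string $login, string $groupDn, bool $nested = false): string
{
    // Escape values so characters like * ( ) \ cannot change the filter's meaning.
    $login = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    // AD's LDAP_MATCHING_RULE_IN_CHAIN OID also follows nested group membership.
    $attr = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
    return "(&(objectClass=user)(sAMAccountName=$login)($attr=$group))";
}

// Simplified DN comparison: case-insensitive, ignores spaces around ',' and '='.
function normalizeDn(string $dn): string
{
    return preg_replace('/\s*([,=])\s*/', '$1', strtolower(trim($dn)));
}

// Check the memberOf values of one entry shaped like ldap_get_entries() output.
function isMemberOf(array $entry, string $groupDn): bool
{
    $values = $entry['memberof'] ?? [];   // attribute names arrive lower-cased
    unset($values['count']);
    foreach ($values as $dn) {
        if (normalizeDn($dn) === normalizeDn($groupDn)) {
            return true;
        }
    }
    return false;                          // no memberOf attribute means deny
}

$groupDn = 'cn=faq_PdL,ou=groups,dc=cittadellasalute,dc=to,dc=it'; // DN from the thread

// Constructed sample entries (not real directory data).
$inGroup  = ['memberof' => ['count' => 1, 0 => 'CN=faq_PdL, OU=groups, DC=cittadellasalute, DC=to, DC=it']];
$outGroup = ['memberof' => ['count' => 1, 0 => 'CN=staff,OU=groups,DC=cittadellasalute,DC=to,DC=it']];

echo buildGroupUserFilter('t.rossi*', $groupDn), PHP_EOL;
var_dump(isMemberOf($inGroup, $groupDn), isMemberOf($outGroup, $groupDn), isMemberOf([], $groupDn));
```

In Active Directory, `memberOf` lists direct memberships only and does not include the user's primary group, so a filter on plain `memberOf` rejects users who reach the group through nesting.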

Re: LDAP Group Filter

Posted: Tue Oct 03, 2023 6:28 pm
by Thorsten
Hi,

sadly I have no example configuration as this code was provided by a user.

Which version do you use?

bye
Thorsten

Re: LDAP Group Filter

Posted: Wed Oct 04, 2023 8:54 am
by tdellanna
Hi,
I use two different versions, the latest version 3.2.1 and 3.1.12; I have the same error for all versions.

Thomas

Re: LDAP Group Filter

Posted: Wed Oct 04, 2023 9:27 am
by Thorsten
Hi Thomas,
tdellanna wrote: Tue Oct 03, 2023 9:23 am
==
$PMF_LDAP['ldap_group_filter'] = '(&(objectClass=group)(cn=faq_PdL))';
$PMF_LDAP['ldap_user_filter'] = '(&(objectClass=user)(memberOf=cn=faq_PdL,ou=groups,dc=cittadellasalute,dc=to,dc=it))';
==
Where did you add this information? In the admin configuration?

bye
Thorsten

Re: LDAP Group Filter

Posted: Thu Oct 05, 2023 3:58 pm
by tdellanna
Hi Thorsten,
I have added these lines to a file in the install directory, config/ldap.php.

Bye,
Thomas

Re: LDAP Group Filter

Posted: Thu Oct 05, 2023 7:23 pm
by Thorsten
Hi,

that won’t work, you have to change the values in the admin configuration for LDAP.

bye
Thorsten

Re: LDAP Group Filter

Posted: Fri Oct 06, 2023 7:54 am
by tdellanna
Hi Thorsten,

I have tried to configure /admin/configuration.php.
I have added these lines:
==
$ldapServer = 'ldap://myldap'; // LDAP server address
$ldapPort = 389; // LDAP server port
$ldapConn = ldap_connect($ldapServer, $ldapPort);
$ldapUser = 'CN=myuser,CN=Users,DC=mydc,DC=to,DC=it'; // DN of the LDAP user
$ldapPassword = 'mypassword'; // Password of the LDAP user
$ldapGroup = 'cn=mygroup,ou=groups,DC=mydc,DC=to,DC=it'; // DN of the LDAP group

// Use LDAPv3 and bind with the account above before searching
ldap_set_option($ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($ldapConn, $ldapUser, $ldapPassword)) {
    die("LDAP bind failed");
}

// Filter on the user's DN as a member of the group (value escaped for filter use)
$ldapFilter = '(member=' . ldap_escape($ldapUser, '', LDAP_ESCAPE_FILTER) . ')';
$searchResult = ldap_search($ldapConn, $ldapGroup, $ldapFilter);

if ($searchResult !== false) {
    $entries = ldap_get_entries($ldapConn, $searchResult);

    if ($entries['count'] > 0) {
        // The user is a member of the LDAP group
        // You can grant access or permissions
    } else {
        // The user is not a member of the LDAP group
        // You can deny access or permissions
    }
} else {
    // Error in the LDAP search
    die("Errore nella ricerca LDAP");
}
==
But I have the same result: all users can access. Do you have a solution for my problem? Or do you have a similar configuration?
My goal is to deny access to all LDAP users, except members of a specific group.

Thanks.

Thomas

Re: LDAP Group Filter

Posted: Fri Oct 06, 2023 7:56 am
by Thorsten
Hi,

you don't have to do that in the PHP files. Use the admin configuration user interface via your browser.

All LDAP configuration can be configured via your browser.

bye
Thorsten

Re: LDAP Group Filter

Posted: Fri Oct 06, 2023 9:09 am
by tdellanna
Hi,
I don't have all the LDAP configuration options in the web admin:

LDAP mapping for name, "cn" when using an ADS
LDAP mapping for username, "samAccountName" when using an ADS
LDAP mapping for email, "mail" when using an ADS
LDAP mapping for "member of" when using LDAP groups
LDAP domain prefix, e.g. "DOMAIN\username"
LDAP protocol version (default: 3)
LDAP referrals (default: 0)
Enable LDAP group support, e.g. "DOMAIN\username"
Enable LDAP SASL support
Enable multiple LDAP servers support
Enable anonymous LDAP connections
Enable LDAP dynamic user binding
LDAP attribute for dynamic user binding, "uid" when using an ADS

How do I configure this for my goal? I can't specify the member group.

bye,

Thomas

Re: LDAP Group Filter

Posted: Fri Oct 06, 2023 11:28 am
by Thorsten
Hi,

it's "LDAP mapping for "member of" when using LDAP groups"

bye
Thorsten

Re: LDAP Group Filter

Posted: Tue Oct 10, 2023 4:36 pm
by tdellanna
Hi Thorsten,

I have configured the web admin page with the correct "member of", but it does not work.

I can't find a log to determine the error.

Do you have an idea?

Bye
Thomas

Re: LDAP Group Filter

Posted: Tue Oct 10, 2023 4:38 pm
by Thorsten
Hi,

you can enable the debug mode in src/Bootstrap.php

bye
Thorsten

Re: LDAP Group Filter

Posted: Fri Oct 13, 2023 1:52 pm
by tdellanna
Hi,
I don't find any problem.
I don't understand the problem.

To recap:
I have configured ldap.php with these lines:
==
$PMF_LDAP['ldap_server'] = 'ldap://myldap';
$PMF_LDAP['ldap_port'] = 389;
$PMF_LDAP['ldap_user'] = 'CN=myuser,CN=Users,DC=myldap,DC=to,DC=it';
$PMF_LDAP['ldap_password'] = 'mypassword';
$PMF_LDAP['ldap_base'] = 'dc=myldap,dc=to,dc=it';
==
and in the web admin console, member of "mygroup".

Where is my error?

Thomas