Trouble with LDAP Auth in 1.9.7
I have recently upgraded a site from v1.9.5 to v1.9.7. This site has been using LDAP auth since early 1.8.x with a few modifications that have allowed user attributes in the LDAP directory to pass to tiki and join users to tiki groups that match their attributes. (e.g. A user belonging to "staff" in LDAP gets added to a group called "staff" in tiki. If such a group doesn't exist, it is created).
In the upgrade to 1.9.7, I have lost some LDAP auth functionality. I am able to log in as a user that belongs to the ldap directory without errors, but it appears that I am somehow immediately logged out. The evidence that I am temporarily logged in comes from the page that I am redirected to after logging in and the tiki user that gets created and assigned to appropriate groups (as viewed by admin). The evidence that the user is not logged in comes from the user only getting the default anonymous modules and the login-src.php not showing a logged in user. Also, if I log in elsewhere as admin and look at currently logged in users, I can see that no one else is logged in.
If anyone has thoughts on where these mods have gone wrong in 1.9.7 or how to accomplish the same thing by other means, it'd be greatly appreciated.
-Thanks
My upgrade path went something like this...
Create dir of new files over the top of the current files
- Create new directory to hold new tiki files (e.g. tikiwiki-1.9.7)
- Copy current tiki directory to new tiki directory
  - E.g.: cp -r tikiwiki-1.9.5 tikiwiki-1.9.7
- Copy new unzipped tiki upgrade dir (downloaded from sourceforge) over newly created tiki dir
  - E.g.: File transfer \\local\tikiwiki-1.9.7 over \\srv\www\htdocs\tikiwiki-1.9.7
Run setup.sh on new tiki dir (e.g.: tikiwiki-1.9.5)
- CHMOD the file setup.sh to 755.
  - chmod 755 setup.sh
- Run setup
  - su -c './setup.sh wwwrun'
Run htaccess.sh
- CHMOD the file htaccess.sh to 755.
  - chmod 755 htaccess.sh
- Run htaccess
  - su ./htaccess
Check php files with customization and redo customization or copy back file from previous tiki version if timestamp is the same.
- See “System Modifications” in Modifications.xls
- Pay special attention to userlib.php and ldap.php (If logins don’t work after upgrade these are likely the culprits)
Check for changes in the style that was the parent of the customized style in use
- (e.g. moreneat.css is the parent of hd2.css)
- (Check the changelog at http://tikiwiki.org/tiki-index.php?page=changelog.txt to see if the style has been modified since the version currently in use.)
Check to see that customized templates (tpl files) still work in the new version.
- They all sit in \templates\styles\<css style in use>\
- As long as there were no database changes, you can view the new installation before making it live by directing your browser to the new directory e.g. http://helpdesk.luther.edu/tikiwiki-1.9.7/
Point \\srv\www\htdocs\tiki to the new install directory.
- E.g.: ln -s tikiwiki-1.9.7 tiki
My mods for LDAP look like this..
IN LDAP.PHP
Near line 552 in make search filter the code below replaced $filter= in previous tiki versions. LDAP logins did not work at all in v1.9.7 until I removed that customization.
// custom filter that we apparently no longer need as of v1.9.7
// $filter = sprintf('(%s=%s)',
// $this->options['userattr'], $username);
// end custom
Near line 645 after
// try binding as this user with the supplied password
if (@ldap_bind($this->conn_id, $user_dn, $password)) {
    $this->_debug('Bind successful', __LINE__);
Added the following to grab attributes from LDAP...
// Custom information pull
$attrs = array('cn','eduPersonPrimaryAffiliation','mail','studentYearInSchool','studentResidenceHallBldg','departmentName');
$func_params = array($this->conn_id, $search_basedn, $filter, $attrs);
if (($result_id = @call_user_func_array($func_name, $func_params)) == false) {
    return false;
}
$entry_id = ldap_first_entry($this->conn_id, $result_id);
foreach ($attrs as $attr) {
    // ldap_get_values() returns an array of values; keep only the first one
    $pulled_values[$attr] = @ldap_get_values($this->conn_id, $entry_id, $attr);
    $pulled_values[$attr] = $pulled_values[$attr][0];
}
$this->pulled_values = $pulled_values;
// End custom information pull
IN LIB\USERSLIB.PHP
Find the validate_user_auth() function
Add -
// Custom LDAP line
$this->pulled_values = $a->storage->pulled_values;
To-
case AUTH_LOGIN_OK:
find the add_user() function
Add after 'Registered'-
// Custom LDAP section
$tikilib->set_user_preference($user, 'realName', $this->pulled_values['cn']);
$user_fields['email'] = $this->pulled_values['mail'];
$user_fields['login'] = $user;
$this->set_user_fields($user_fields);
// Create and add a user to a group for their departmentName
$join_groups = array('eduPersonPrimaryAffiliation','departmentName','studentYearInSchool','studentResidenceHallBldg');
foreach ($join_groups as $group) {
    if (strlen($this->pulled_values[$group])) {
        if (!$this->group_exists($this->pulled_values[$group])) {
            $this->add_group($this->pulled_values[$group], "", '');
        }
        $this->assign_user_to_group($user, $this->pulled_values[$group]);
    }
}
if (strlen($this->pulled_values['eduPersonPrimaryAffiliation'])) {
    $this->assign_user_to_group($user, $this->pulled_values['eduPersonPrimaryAffiliation']);
    $this->set_default_group($user, $this->pulled_values['eduPersonPrimaryAffiliation']);
}
// End custom LDAP section
// End custom LDAP section
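
Added example, not part of the original post and not Tiki's or PEAR Auth's own code: the two customizations above both pass untrusted strings onward (the login name into the search filter, directory attribute values into group names), so this sketch shows the filter built with RFC 4515 escaping and the attribute-to-group mapping with an exclusion list for built-in groups. The function names, the reserved-group list, the allowed-character pattern and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example: helper names and the reserved list are assumptions.

// Escape a value for use inside an LDAP search filter (RFC 4515).
// The backslash is replaced first so later escapes are not double-escaped.
function ldap_filter_escape($value) {
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Same shape as the post's custom filter, with the login name escaped.
function build_user_filter($userattr, $username) {
    return sprintf('(%s=%s)', $userattr, ldap_filter_escape($username));
}

// Map pulled LDAP attribute values to group names that are safe to
// create or join automatically.
function groups_from_ldap($pulled_values, $join_attrs, $reserved) {
    $groups = array();
    foreach ($join_attrs as $attr) {
        $name = isset($pulled_values[$attr]) ? trim((string) $pulled_values[$attr]) : '';
        if ($name === '') continue;                       // attribute absent or empty
        if (in_array(strtolower($name), $reserved, true)) continue; // built-in group
        if (!preg_match('/^[A-Za-z0-9 _.-]{1,64}\z/', $name)) continue; // plain names only
        $groups[] = $name;
    }
    return array_values(array_unique($groups));
}

// Constructed sample data in the shape of the post's $pulled_values.
$pulled = array(
    'eduPersonPrimaryAffiliation' => 'staff',
    'departmentName'              => 'Admins', // must not grant the built-in group
    'studentYearInSchool'         => null,     // attribute missing from the entry
    'studentResidenceHallBldg'    => 'staff',  // duplicate value
);
$join   = array('eduPersonPrimaryAffiliation', 'departmentName',
                'studentYearInSchool', 'studentResidenceHallBldg');
$reserved = array('admins', 'registered', 'anonymous'); // assumed built-in groups

echo build_user_filter('uid', 'j*doe)(') . "\n";
print_r(groups_from_ldap($pulled, $join, $reserved));
```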