Channel: Ocsinventory Q&A - Recent questions

OCS 2.2RC1 LDAP MemberOf attribute


Hi, I have successfully configured LDAP authentication for 2.2 RC2. LDAP authenticates users, but it seems to omit the memberOf attribute in the config. To be able to enable LDAP login I had to apply a little patch:

Modify these lines in backend/identity/methode/ldap.php:

$f1_value=$_SESSION['OCS']['details'][$f1_name];
$f2_value=$_SESSION['OCS']['details'][$f2_name];
to:
$f1_value=$config['LDAP_CHECK_FIELD1_VALUE'];
$f2_value=$config['LDAP_CHECK_FIELD2_VALUE'];

With the above, all AD users are able to log in, but all of them are given the sadmin role. It looks like the memberOf attribute is not checked.

My LDAP config is:

CONEX_LDAP_SERVEUR: IP of domain controller (MS AD 2008r2)
CONEX_ROOT_DN: DN of user who is used to query AD
CONEX_ROOT_PW: pass for above
CONEX_LDAP_PORT: 389
CONEX_DN_BASE_LDAP: OU=it,OU=OurUsers,DC=domain,DC=name
CONEX_LOGIN_FIELD: SAMAccountName
CONEX_LDAP_PROTOCOL_VERSION: 3
CONEX_LDAP_CHECK_FIELD1_NAME: memberOf
CONEX_LDAP_CHECK_FIELD1_VALUE: CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name
CONEX_LDAP_CHECK_FIELD1_ROLE: Super Administrators

FIELD 2 and rest are unconfigured.

The above config works perfectly on version 2.1.2 of OCS server.

EDIT:

I think I have found a possible bug in ldap:

When I uncommented debug in /usr/share/ocsinventory-reports/ocsreports/backend/identity/methode/ldap.php, the following appeared:

field1: memberOf value=CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name condition: CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name role=sadmin level=
field2: value= condition: role=admin level=
user: jan.kos will have level= and role=sadmin

The above user doesn't belong to the LDAP group grp.ocs.admin. It seems to me that the condition is copied to the value somewhere. Am I right?
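
Added example (not part of the original post and not OCS Inventory code): the debug output above shows the value identical to the condition, which is what a role check produces when both sides are read from configuration rather than from the user's directory entry. The PHP sketch below contrasts that with a check against the user's own memberOf values; the function names, the LDAP_CHECK_FIELD{n}_NAME and _ROLE array keys, and the sample records are assumptions.

```php
<?php
// Added illustration, not OCS Inventory code. Function names, the
// LDAP_CHECK_FIELD{n}_NAME/_ROLE array keys and all sample data are assumptions.

// Assumption: DNs are compared case-insensitively, ignoring outer whitespace.
function norm_dn(string $dn): string {
    return strtolower(trim($dn));
}

// Sound check: the role is granted only if the user's OWN directory attribute
// (multi-valued for memberOf) contains the configured value. null = no role.
function role_from_directory(array $details, array $config, int $n): ?string {
    $name = $config["LDAP_CHECK_FIELD{$n}_NAME"] ?? '';
    $want = $config["LDAP_CHECK_FIELD{$n}_VALUE"] ?? '';
    if ($name === '' || $want === '') {
        return null; // an unconfigured field must never match
    }
    foreach ((array)($details[$name] ?? []) as $have) {
        if (norm_dn((string)$have) === norm_dn($want)) {
            return $config["LDAP_CHECK_FIELD{$n}_ROLE"] ?? null;
        }
    }
    return null;
}

// Failure mode: both sides come from configuration, so the user's groups are
// never consulted and every authenticated user receives the role.
function role_from_config_only(array $config, int $n): ?string {
    $value = $config["LDAP_CHECK_FIELD{$n}_VALUE"] ?? '';
    $want  = $config["LDAP_CHECK_FIELD{$n}_VALUE"] ?? '';
    return ($value !== '' && $value === $want)
        ? ($config["LDAP_CHECK_FIELD{$n}_ROLE"] ?? null) : null;
}

$config = [
    'LDAP_CHECK_FIELD1_NAME'  => 'memberOf',
    'LDAP_CHECK_FIELD1_VALUE' => 'CN=grp.ocs.admin,OU=OurGroups,DC=domain,DC=name',
    'LDAP_CHECK_FIELD1_ROLE'  => 'sadmin',
];
// Constructed directory records: one member of the group, one non-member.
$member    = ['memberOf' => ['cn=grp.ocs.admin,ou=OurGroups,dc=domain,dc=name']];
$nonMember = ['memberOf' => 'CN=grp.helpdesk,OU=OurGroups,DC=domain,DC=name'];

foreach (['member' => $member, 'nonMember' => $nonMember] as $who => $details) {
    printf("%-9s directory check: %-6s config-only check: %s\n", $who,
        var_export(role_from_directory($details, $config, 1), true),
        var_export(role_from_config_only($config, 1), true));
}
```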

