Forums | Mahara Community

LDAP Institution


Oronzo Lezzi
Posts: 13

22 September 2016, 21:33

Hello, I have tried to configure LDAP authentication in Mahara, but I have this kind of error.

Mahara version 15.10.2 on my virtual server bitnami

Is it my configuration error?

What should I check?

[Thu Sep 22 10:55:37.779687 2016] [proxy_fcgi:error] [pid 1952:tid 140307580413696] [client 10.0.98.133:51743] AH01071: Got error 'PHP message: [WAR] bc (auth/lib.php:2105) Invalid argument supplied for foreach()\nPHP message: Call stack (most recent first):\nPHP message:   * log_message("Invalid argument supplied for foreach()", 8, true, true, "/opt/bitnami/apps/mahara/htdocs/auth/lib.php", 2105) at /opt/bitnami/apps/mahara/htdocs/lib/errors.php:441\nPHP message:   * error(2, "Invalid argument supplied for foreach()", "/opt/bitnami/apps/mahara/htdocs/auth/lib.php", 2105, array(size 9)) at /opt/bitnami/apps/mahara/htdocs/auth/lib.php:2105\nPHP message:   * auth_generate_registration_form("register", "internal", "/register.php") at /opt/bitnami/apps/mahara/htdocs/register.php:200\nPHP message: \nPHP message: [WAR] bc (lib/pieforms/pieform.php:1314) Select elements should have at least one option\nPHP message: Call stack (most recent first):\nPHP message:   * log_message("Select elements should have at least one option", 8, true, true, "/opt/bitnami/apps/mahara/htdocs/lib/pieforms/piefo...", 1314) at /opt/bitnami/apps/mahara/htdocs/lib/errors.php:441\nPHP message:   * error(1024, "Select elements should have at least one option", "/opt/bitnami/apps/mahara/htdocs/lib/pieforms/piefo...", 1314, array(size 2)) at Unknown:0\nPHP message:   * trigger_error("Select elements should have at least one option", 1024) at /opt/bitnami/apps/mahara/htdocs/lib/pieforms/pieform.php:1314\nPHP message:   * Pieform::info("Select elements should have at least one option") at /opt/bitnami/apps/mahara/htdocs/lib/pieforms/pieform/elements/select.php:90\nPHP message:   * pieform_element_select(object(Pieform), array(size 9)) at /opt/bitnami/apps/mahara/htdocs/lib/pieforms/pieform.php:1480\nPHP message:   * Pieform->build_element_html(array(size 9)) at /opt/bitnami/apps/mahara/htdocs/lib/pieforms/pieform.php:714\nPHP message:   * Pieform->build() at /opt/bitnami/apps/mahara/htdocs/auth/lib.php:2218\nPHP message:   * auth_generate_registration_form_js(array(size 11), array(size 0)) at /opt/bitnami/apps/mahara/htdocs/register.php:204\nPHP message: \n', referer: http://10.0.98.117/
[Thu Sep 22 11:03:52.332582 2016] [proxy_fcgi:error] [pid 1391:tid 140307572020992] [client 10.0.98.133:51923] AH01071: Got error 'PHP message: [WAR] 8b (auth/ldap/lib.php:322) ldap_search(): Search: Operations error\nPHP message: Call stack (most recent first):\nPHP message:   * log_message("ldap_search(): Search: Operations error", 8, true, true, "/opt/bitnami/apps/mahara/htdocs/auth/ldap/lib.php", 322) at /opt/bitnami/apps/mahara/htdocs/lib/errors.php:441\nPHP message:   * error(2, "ldap_search(): Search: Operations error", "/opt/bitnami/apps/mahara/htdocs/auth/ldap/lib.php", 322, array(size 5)) at Unknown:0\nPHP message:   * ldap_search(resource(#4), "OU=_Liste Distribuzione", "(CN=Users,DC=links,DC=it=links\\5clezzio)", array(size 1)) at /opt/bitnami/apps/mahara/htdocs/auth/ldap/lib.php:322\nPHP message:   * AuthLdap->ldap_find_userdn(resource(#4), "********") at /opt/bitnami/apps/mahara/htdocs/auth/ldap/lib.php:141\nPHP message:   * AuthLdap->authenticate_user_account(object(LiveUser), "********") at /opt/bitnami/apps/mahara/htdocs/auth/lib.php:1500\nPHP message:   * login_submit(object(Pieform), array(size 6)) at Unknown:0\nPHP message:   * call_user_func_array("login_submit", array(size 2)) at /opt/bitnami/apps/mahara/htdocs/lib/pieforms/pieform.php:537\nPHP message:   * Pieform->__construct(array(size 9)) at /opt/bitnami/apps/mahara/htdocs/auth/lib.php:505\nPHP message:   * auth_setup() at /opt/bitnami/apps/mahara/htdocs/init.php:379\nPHP message:   * require("/opt/bitnami/apps/mahara/htdocs/init.php") at /opt/bitnami/apps/mahara/htdocs/index.php:16\nPHP message: \n', referer: http://10.0.98.117/

Ghada El-Zoghbi
Posts: 122

23 September 2016, 11:07

Hi Oronzo,

You have two errors below:

1. [Thu Sep 22 11:03:52.332582 2016] - which is the LDAP error raised during the ldap_search() for the user trying to log in.

You actually establish a connection with the LDAP server (on line 139 in auth/ldap/lib.php). Then, a call is made to find the user in your directory (on line 141 of auth/ldap/lib.php).

It's during the user search (ldap_search), made with the 'Contexts' and 'User attribute' you supplied in the configuration, that it fails.

So, you will need to review those two fields: 'Contexts' and 'User attribute'.


2. [Thu Sep 22 10:55:37.779687 2016] - which is to do with a user trying to register on your site, but there are no institutions set up with registration enabled.


Cheers,

Ghada


Oronzo Lezzi
Posts: 13

23 September 2016, 19:33

Thanks for your answer,

I'm also trying to use the script

auth/ldap/cli/sync_users.php -i='institution'

The script finds the users, but there are many errors and no users are added in Mahara.

[INF] fa (auth/ldap/lib.php:2081) ---------- started institution user sync for institution "institution" at Fri, 23 Sep 2016 09:27:55 +0200 ----------
[INF] fa (auth/ldap/lib.php:1087) ---------- started usersync for instance 3 at Fri, 23 Sep 2016 09:27:55 +0200 ----------
[INF] fa (auth/ldap/lib.php:924) retrieving these fields: sAMAccountName,sAMAccountName,cn
[INF] fa (auth/ldap/lib.php:924)
..
[INF] fa (auth/ldap/lib.php:1139) LDAP users found : 274
[INF] fa (auth/ldap/lib.php:1156) user auto-update disabled
[INF] fa (auth/ldap/lib.php:1233) user auto-suspend/delete disabled
[INF] fa (auth/ldap/lib.php:1280) user auto-creation disabled
[INF] fa (auth/ldap/lib.php:1347) LDAP (users:0) (updated:0) (unsuspended:0) (created:0) (suspended:0) (deleted:0) (ignored:0) (errors:0)
[INF] fa (auth/ldap/lib.php:1348) ---------- ended at Fri, 23 Sep 2016 09:27:56 +0200 ----------
[INF] fa (auth/ldap/lib.php:2122) ---------- finished institutino user sync at Fri, 23 Sep 2016 09:27:56 +0200 ----------
[WAR] fa (lib/web.php:1898) Cannot modify header information - headers already sent by (output started at /var/www/html/mahara-16.04.3/htdocs/auth/ldap/lib.php:978)
Call stack (most recent first):
  * log_message(string(size 136), integer, true, true, string(size 47), integer) at /var/www/html/mahara-16.04.3/htdocs/lib/errors.php:513
  * error(integer, string(size 136), string(size 47), integer, array(size 6)) at Unknown:0
  * setcookie(string(size 15), string(size 6), string(size 10), string(size 23), string(size 10), false, true) at /var/www/html/mahara-16.04.3/htdocs/lib/web.php:1898
  * set_cookie(string(size 15), string(size 6), string(size 10), true) at /var/www/html/mahara-16.04.3/htdocs/auth/user.php:1532
  * LiveUser->logout() at /var/www/html/mahara-16.04.3/htdocs/auth/ldap/cli/sync_users.php:183

Ghada El-Zoghbi
Posts: 122

23 September 2016, 20:26

Hi Oronzo,

From the logs, I can see that you have auto user update and create disabled.

You will need to update the institution's LDAP auth settings to turn user sync on. You can do this from the GUI. You can also select to create the users.

If you also want users deleted, I recommend that you select to suspend users instead of delete. It's just a safeguard. Otherwise, it will delete users along with their portfolios and files.

I hope this helps. Please let me know if you need anything else.

Cheers,

Ghada


Oronzo Lezzi
Posts: 13

23 September 2016, 21:29

Hello, where must I change the LDAP auth settings?

Attached is my configuration with data obscured.

Thanks

[Attachment: OronzoImmagine.png]

Ghada El-Zoghbi
Posts: 122

23 September 2016, 22:25

Hi Oronzo,

If you scroll down that page, there is a section about user sync. If you expand it, you can enable the cron user sync.

Cheers,

Ghada

Oronzo Lezzi
Posts: 13

24 September 2016, 0:14

Hi,

thanks for your answer, you are right.

How can I implement this LDAP query to filter the users in 'Additional LDAP filter for sync'?

I have obscured some data.

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberof=CN=D****,OU=_Liste Dis****one,DC=****,DC=it)(memberof=CN=som****,OU=_Li****,DC=****,,DC=it)(memberof=CN=Coll****i,OU=_Liste ****,DC=****,DC=it)))

 

The only filters that seem to work are

memberof=CN=D****,OU=_Liste Dis****one,DC=****,DC=it   or
memberof=CN=som****,OU=_Li****,DC=****,,DC=it   or
memberof=CN=Coll****i,OU=_Liste ****,DC=****,DC=it

Can I have these filters in an AND condition (&)? If I use this filter I see an error running the script

/auth/ldap/cli/sync_users.php

ldap_search(): Search: Bad search filter

thanks

Oronzo


Ghada El-Zoghbi
Posts: 122

24 September 2016, 9:28

Hi Oronzo,

I'm afraid I don't really know much about LDAP filters. Perhaps someone else who knows can help.

Good luck.

Cheers,

Ghada

Iñaki Arenaza
Posts: 253

25 September 2016, 22:20

Hi,

I've had a look at the code, and both ldap_get_users() and ldap_get_users_scalable() (see auth/ldap/lib.php) have the following piece of code:

        $filter = "(" . $this->config['user_attribute'] . "=*)";
        if (!empty($this->config['objectclass'])) {
            $filter .= "&(" . $this->config['objectclass'] . "))";
        }
        if ($extrafilter) {
            $filter = "(&$filter($extrafilter))";
        }

This code has two issues:

  • It tries to deal with $this->config['objectclass'] to use it in the filter, but:
    • $this->config['objectclass'] is not set anywhere, as far as I can see (this is probably a leftover from older code),
    • the syntax used to build the extended filter is wrong. LDAP filters use prefix notation[1] to combine "sub-filters". So if you want to use two (sub)filters to build a new one combining them (e.g., to impose an AND condition), you need to put the combining operation first, and then the "sub" filters. I.e., if you have a filter for the user_attribute condition that is "(cn=*)", and a filter for the objectclass condition that is "(objectClass=inetOrgPerson)", and you want to combine them with an AND condition, you must write "(&(cn=*)(objectClass=inetOrgPerson))". The current code creates a combined filter with invalid syntax, as it creates the following filter: "(cn=*)&(objectClass=inetOrgPerson))". It's invalid because the '&' operator is not in the right place (it is used in infix notation instead of prefix notation), and there's a missing opening parenthesis at the beginning of the filter.
  • When dealing with $extrafilter, it might build an invalid filter depending on the value of $extrafilter[2]. Assuming $this->config['objectclass'] is 'cn' and that $extrafilter is '(sn=Arenaza)', it builds the filter "(&(cn=*)((sn=Arenaza)))". This filter is invalid because there are two parentheses in a row, which is not permitted by the syntax rules.

[1] See https://tools.ietf.org/search/rfc4515#section-3 for String Search Filter Definition

When processing $extrafilter we need to check whether the filter specified by the user starts with a '(' or not (after trimming all the leading and trailing white space, of course). If it does, we use it as is. If it doesn't, we need to put additional parenthesis around it to produce a valid filter.

[2] This is what is happening to Oronzo. In this case, until the code is fixed, Oronzo would just need to remove the outermost parentheses of the filter (as the code will add them unconditionally). This should work:

&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberof=CN=D****,OU=_Liste Dis****one,DC=****,DC=it)(memberof=CN=som****,OU=_Li****,DC=****,,DC=it)(memberof=CN=Coll****i,OU=_Liste ****,DC=****,DC=it))

Saludos.

Iñaki.
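The filter construction described in the post above, and Oronzo's earlier question about putting the three memberof conditions into one AND, as an added example that is not Mahara's code (it is written in Python rather than PHP so it can be run stand-alone). It transcribes the PHP snippet as legacy_filter() to show the two malformed outputs, and build_user_filter() applies the fixes the post describes: the '&' goes in front of its operands, and a user-supplied extra filter is wrapped in parentheses only when it is not already a single parenthesised item. All function names, the assumption that the objectclass setting is a bare condition such as objectClass=inetOrgPerson, and the group names in SAMPLE_EXTRA are this example's own.

```python
"""Build and sanity-check LDAP search filters in RFC 4515 prefix notation.

Added example, not Mahara's own code. Function names and sample values are
this example's own; the objectclass setting is assumed to be a bare
condition ('objectClass=inetOrgPerson'), as in the forum post.
"""


def is_single_item(component: str) -> bool:
    """True when `component` is exactly one parenthesised filter item.

    '(cn=*)' and '(&(a=1)(b=2))' qualify; 'cn=*' and '(a=1)(b=2)' do not.
    RFC 4515 escapes literal parentheses inside values as \\28 / \\29, so
    every raw parenthesis here is structural and a depth counter suffices.
    """
    if len(component) < 2 or component[0] != "(" or component[-1] != ")":
        return False
    depth = 0
    last = len(component) - 1
    for i, ch in enumerate(component):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # Depth may only return to zero on the final character.
            if depth < 0 or (depth == 0 and i != last):
                return False
    return depth == 0


def looks_well_formed(filt: str) -> bool:
    """Cheap lint for the mistakes discussed in the post: unbalanced or
    misplaced parentheses, an item opening directly with another parenthesis
    ('((') and an empty item ('()'). The grammar allows none of these.
    It is not a full RFC 4515 parser, so a server may still reject a filter."""
    return is_single_item(filt) and "((" not in filt and "()" not in filt


def _as_item(component: str) -> str:
    """Wrap a bare condition ('sn=Arenaza') or an operator-led list
    ('&(a=1)(b=2)') in parentheses; leave an already-parenthesised item alone."""
    component = component.strip()
    if not component:
        raise ValueError("empty filter component")
    return component if is_single_item(component) else f"({component})"


def build_user_filter(user_attribute: str, objectclass_condition: str = "",
                      extrafilter: str = "") -> str:
    """Filter for 'every entry that has user_attribute', ANDed with the
    optional objectclass condition and the administrator's extra filter."""
    items = [f"({user_attribute}=*)"]
    if objectclass_condition.strip():
        items.append(_as_item(objectclass_condition))
    if extrafilter.strip():
        items.append(_as_item(extrafilter))
    if len(items) == 1:
        return items[0]
    result = "(&" + "".join(items) + ")"  # prefix notation: operator first
    if not looks_well_formed(result):
        raise ValueError(f"combined filter is malformed: {result}")
    return result


def legacy_filter(user_attribute: str, objectclass_condition: str = "",
                  extrafilter: str = "") -> str:
    """Straight transcription of the PHP snippet from the post, kept for
    comparison; it reproduces the two defects on purpose."""
    filt = f"({user_attribute}=*)"
    if objectclass_condition:
        filt += f"&({objectclass_condition}))"
    if extrafilter:
        filt = f"(&{filt}({extrafilter}))"
    return filt


# Constructed sample shaped like the filter in the thread; group names are placeholders.
SAMPLE_EXTRA = (
    "(&(objectCategory=Person)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    "(|(memberof=CN=GroupA,OU=Lists,DC=example,DC=it)"
    "(memberof=CN=GroupB,OU=Lists,DC=example,DC=it)))"
)

if __name__ == "__main__":
    print("legacy:", legacy_filter("cn", extrafilter="(sn=Arenaza)"))
    print("fixed :", build_user_filter("cn", extrafilter="(sn=Arenaza)"))
    print("sample:", build_user_filter("sAMAccountName", extrafilter=SAMPLE_EXTRA))
    # The workaround from the post (outer parentheses removed) yields the same filter.
    print(build_user_filter("sAMAccountName", extrafilter=SAMPLE_EXTRA[1:-1])
          == build_user_filter("sAMAccountName", extrafilter=SAMPLE_EXTRA))
```

Running it prints the malformed legacy output "(&(cn=*)((sn=Arenaza)))" next to the valid "(&(cn=*)(sn=Arenaza))", and shows that the full AND filter passes through unchanged whether or not its outer parentheses are supplied, which is why stripping them works with the unpatched code.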

Oronzo Lezzi
Posts: 13

26 September 2016, 20:15

Thank you Iñaki, the filter works correctly.

I'm trying to use sync_user_group.php and I have a problem with users without an email address.

Failed to get a recordset: mysqli error: [1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?  LIMIT 2' at line 1] in EXECUTE("SELECT * FROM "usr"  WHERE "email" = ?  LIMIT 2")

Is there a workaround for this problem?

Can I sync users anyway?

Thanks

Oronzo