
SilverStripe Forums » All other Modules » externalauth ldap search forest

    pigmi (Community Member, 2 Posts)

    externalauth ldap search forest

    Hey,

    I'm using the externalauth module (LDAP) with SilverStripe 2.4.7 (new install) and am attempting to search across the entire forest.
    I have done this with other LDAP modules, so I think my settings are fine.

    Settings are as follows:

    // Define an LDAP source named 'AD' and point it at the global catalog port (3268)
    ExternalAuthenticator::createSource('AD','LDAP','User Directory');
    ExternalAuthenticator::setAuthSSLock('AD',false);
    ExternalAuthenticator::setAuthServer('AD','domain1');
    ExternalAuthenticator::setAuthPort('AD', 3268);
    // One base DN per domain; the driver searches them in this order
    ExternalAuthenticator::setOption('AD', 'basedn', array('basedn1doamin1','basedn2domain2'));
    ExternalAuthenticator::setOption('AD', 'ldapversion', 3);
    ExternalAuthenticator::setOption('AD', 'attribute', 'sAMAccountName');
    // Group to auto-add new members to; must be a quoted string, not a bare word
    ExternalAuthenticator::setAutoAdd('AD', 'Users');
    ExternalAuthenticator::setOption('AD', 'firstname_attr', 'givenName');
    ExternalAuthenticator::setOption('AD', 'surname_attr', 'sn');
    ExternalAuthenticator::setOption('AD', 'email_attr', 'mail');
    // Service account used for the initial search bind
    ExternalAuthenticator::setOption('AD', 'bind_as',"cn=bind accountondomain1");
    ExternalAuthenticator::setOption('AD', 'bind_pw','password');

    With these settings I can log in with domain1 accounts.
    If I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');, keeping all the other settings the same, I can log in with accounts on domain2.

    Log output is as follows:

    Mon, 05 Mar 12 16:33:44 +1100 - Starting process for user TESTTESTTEST
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - User with source AD found in database
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - Password locking is disabled
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - loading driver LDAP
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - executing authentication driver
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connecting to ldap://domain1 port 3268 LDAP version 3
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - If process stops here, check PHP LDAP module
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connect succeeded
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP set to protocol version 3
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - TLS not set
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Bind success
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP filter set to (samaccountname=TESTTESTTEST)
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn1doamin1
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn2doamin2
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matches found
    Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - authentication driver LDAP failed

    The user exists in basedn2domain2 but will not be found unless I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');

    Log is as follows:

    Tue, 06 Mar 12 10:08:32 +1100 - Starting process for user testtesttest
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - User with source AD found in database
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - Password locking is disabled
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - loading driver LDAP
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - executing authentication driver
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connecting to ldap://doamin2 port 3268 LDAP version 3
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - If process stops here, check PHP LDAP module
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connect succeeded
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - LDAP set to protocol version 3
    Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - TLS not set
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Bind success
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP filter set to (sAMAccountName=testtesttest)
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn1doamin1
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search failed
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn2doamin2
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search succeeded
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Found 1 results
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - DN CN=testtesttest testtesttest,basedn2doamin2 matches criteria
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Binding to LDAP as CN=testtesttest testtesttest,basedn2doamin2
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP accepted password for CN=testtesttest testtesttest,basedn2doamin2
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Reading details of DN CN=testtesttest testtesttest,basedn2doamin2
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Lookup of details succeeded
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowlastchange
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowlastchange not set
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmin
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmin not set
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmax
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmax not set
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowwarning
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowwarning not set
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up givenname
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - givenname set to testtesttest
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up sn
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - sn set to testtesttest
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up mail
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - mail set to TESTTESTTEST@email.com
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Password expiry not enabled
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP Authentication success
    Tue, 06 Mar 12 10:08:33 +1100 - testtesttest - authentication success
    Tue, 06 Mar 12 10:08:33 +1100 - Process for user testtesttest ended

    Has anyone else got this to work?

    Or does this just not work with global catalog searches?
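Added example (not from the post or the externalauth module): a stand-alone PHP script that repeats the sequence visible in the logs above (connect to the global catalog port, bind as a service account, search each base DN for the login name) so the per-base-DN outcome can be checked outside SilverStripe. Hostnames, base DNs, the bind account and the BIND_PW environment variable are placeholders; it also adds what the logged configuration lacks, StartTLS before the cleartext bind on 3268 and escaping of the login name in the filter.

```php
<?php
// Diagnostic: search a global catalog (port 3268) for one login across
// several base DNs and report, per base DN, what the directory returned.
// Hostnames, DNs and credentials below are placeholders.
function gcFindUser(string $host, int $port, string $bindDn, string $bindPw,
                    array $baseDns, string $attr, string $login): array {
    $out = ['dn' => null, 'per_base' => []];
    $ds = ldap_connect("ldap://$host:$port");
    if (!$ds) { throw new RuntimeException('ldap_connect failed'); }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers with referrals for naming contexts it does not hold; do not
    // chase them, so a base DN the GC lacks shows up as a clear error below
    // instead of a follow-up connection that fails later.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // 3268 is a cleartext port: without StartTLS the service account
    // password crosses the wire unprotected (the module log says "TLS not set").
    if (!@ldap_start_tls($ds)) {
        fwrite(STDERR, "warning: StartTLS unavailable, bind is cleartext\n");
    }
    if (!@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    // Escape the login so input such as "*)(objectClass=*" cannot widen the filter.
    $filter = sprintf('(%s=%s)', $attr, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    foreach ($baseDns as $base) {
        $sr = @ldap_search($ds, $base, $filter, ['dn']);
        if ($sr === false) {
            // Typically 32 "No such object": the GC does not hold this partition
            // or the base DN is mistyped. Recorded rather than treated as "no user".
            $out['per_base'][$base] = 'error ' . ldap_errno($ds) . ': ' . ldap_error($ds);
            continue;
        }
        $n = ldap_count_entries($ds, $sr);
        $out['per_base'][$base] = "$n result(s)";
        if ($n === 1 && $out['dn'] === null) {
            $out['dn'] = ldap_get_dn($ds, ldap_first_entry($ds, $sr));
        }
    }
    ldap_unbind($ds);
    return $out;
}

$r = gcFindUser('dc1.domain1.example', 3268,
                'CN=svc-bind,CN=Users,DC=domain1,DC=example', getenv('BIND_PW') ?: '',
                ['DC=domain1,DC=example', 'DC=domain2,DC=example'],
                'sAMAccountName', $argv[1] ?? 'testtesttest');
foreach ($r['per_base'] as $base => $status) { echo "$base: $status\n"; }
echo 'matched DN: ' . ($r['dn'] ?? 'none') . "\n";
```

Run it once against each domain controller: if domain2's base DN returns "0 result(s)" from domain1's GC but a match from domain2's, the GC on domain1 is not returning that partition and the module's multi-base-DN loop cannot succeed regardless of its settings.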
