
externalauth ldap search forest

pigmi

Community Member, 2 Posts

6 March 2012 at 12:11pm

Hey,

I'm using the externalauth module (LDAP) with SilverStripe 2.4.7 (new install) and am attempting to search across the entire forest.
I have done this with other LDAP modules, so I think my settings are fine.

Settings are as follows:

ExternalAuthenticator::createSource('AD','LDAP','User Directory');
ExternalAuthenticator::setAuthSSLock('AD',false);
ExternalAuthenticator::setAuthServer('AD','domain1');
ExternalAuthenticator::setAuthPort('AD', 3268);
ExternalAuthenticator::setOption('AD', 'basedn', array('basedn1doamin1','basedn2domain2'));
ExternalAuthenticator::setOption('AD', 'ldapversion', 3);
ExternalAuthenticator::setOption('AD', 'attribute', 'sAMAccountName');
ExternalAuthenticator::setAutoAdd('AD', 'Users'); // group name must be a quoted string, not a bare constant
ExternalAuthenticator::setOption('AD', 'firstname_attr', 'givenName');
ExternalAuthenticator::setOption('AD', 'surname_attr', 'sn');
ExternalAuthenticator::setOption('AD', 'email_attr', 'mail');
ExternalAuthenticator::setOption('AD', 'bind_as',"cn=bind accountondomain1");
ExternalAuthenticator::setOption('AD', 'bind_pw','password');

With these settings I can log in with domain1 accounts.
If I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');, keeping all the other settings the same, I can log in with accounts on domain2.

Log output is as follows:

Mon, 05 Mar 12 16:33:44 +1100 - Starting process for user TESTTESTTEST
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - User with source AD found in database
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - Password locking is disabled
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - loading driver LDAP
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - executing authentication driver
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connecting to ldap://domain1 port 3268 LDAP version 3
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - If process stops here, check PHP LDAP module
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connect succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP set to protocol version 3
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - TLS not set
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Bind success
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP filter set to (samaccountname=TESTTESTTEST)
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn1doamin1
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn2doamin2
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matches found
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - authentication driver LDAP failed

The user exists in basedn2domain2 but will not be found unless I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');.

Log as follows:

Tue, 06 Mar 12 10:08:32 +1100 - Starting process for user testtesttest
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - User with source AD found in database
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - Password locking is disabled
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - loading driver LDAP
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - executing authentication driver
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connecting to ldap://doamin2 port 3268 LDAP version 3
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - If process stops here, check PHP LDAP module
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connect succeeded
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - LDAP set to protocol version 3
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - TLS not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Bind success
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP filter set to (sAMAccountName=testtesttest)
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn1doamin1
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search failed
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search succeeded
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Found 1 results
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - DN CN=testtesttest testtesttest,basedn2doamin2 matches criteria
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Binding to LDAP as CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP accepted password for CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Reading details of DN CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Lookup of details succeeded
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowlastchange
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowlastchange not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmin
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmin not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmax
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmax not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowwarning
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowwarning not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up givenname
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - givenname set to testtesttest
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up sn
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - sn set to testtesttest
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up mail
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - mail set to TESTTESTTEST@email.com
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Password expiry not enabled
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP Authentication success
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest - authentication success
Tue, 06 Mar 12 10:08:33 +1100 - Process for user testtesttest ended

Has anyone else got this to work?

Or does this just not work with global catalog searches?
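As an added illustration of the search the module performs (this is example code written here, not the externalauth module's own implementation), the script below binds to a global catalog port once, searches a list of base DNs in turn for the user's sAMAccountName, and then verifies the password with a second bind as the DN it found. All host names, base DNs and the service account DN are placeholders. Two checks that the module's log does not show are included: the username is escaped before it goes into the search filter (RFC 4515), and an empty password is refused before the bind, because an empty password turns ldap_bind into an anonymous bind that many directories accept. The LDAP_OPT_REFERRALS setting is an assumption worth trying when a search against a foreign base DN reports "Search failed", since the client library follows referrals with an anonymous rebind by default.

```php
<?php
// Added example, not code from the externalauth module. Placeholder values only.

// Escape a value for use inside an LDAP search filter (RFC 4515) so that a
// username such as "*)(objectClass=*" cannot change the filter's meaning.
function escape_filter_value($value) {
    // Backslash must be replaced first; str_replace applies the pairs in order.
    return str_replace(
        array('\\',   '*',    '(',    ')',    "\x00"),
        array('\\5c', '\\2a', '\\28', '\\29', '\\00'),
        $value
    );
}

// Search each base DN for exactly one entry whose $attribute equals $username.
// Returns the entry's DN, or null when there is no unique match anywhere.
function gc_find_user_dn($conn, array $baseDns, $attribute, $username) {
    $filter = '(' . $attribute . '=' . escape_filter_value($username) . ')';
    foreach ($baseDns as $baseDn) {
        $result = @ldap_search($conn, $baseDn, $filter, array('dn'));
        if ($result === false) {
            // Typical causes: base DN not held by this server, or a referral
            // that the client could not follow.
            fwrite(STDERR, "search in $baseDn failed: " . ldap_error($conn) . "\n");
            continue;
        }
        $count = ldap_count_entries($conn, $result);
        if ($count === 1) {
            return ldap_get_dn($conn, ldap_first_entry($conn, $result));
        }
        if ($count > 1) {
            // Never bind to "the first one" when the name is ambiguous.
            fwrite(STDERR, "ambiguous: $count entries for $username in $baseDn\n");
            return null;
        }
    }
    return null;
}

// Authenticate $username/$password against the directory. Returns the user's
// DN on success, false otherwise.
function gc_authenticate($server, $port, $bindDn, $bindPw, array $baseDns,
                         $attribute, $username, $password) {
    // An empty password makes ldap_bind perform an anonymous bind, which
    // succeeds on many directories; refuse it before touching the server.
    if ($username === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($server, $port);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // Assumption: Active Directory answers searches for base DNs it does not
    // hold with referrals; the client library follows them with an anonymous
    // rebind by default, which AD rejects. Disabling referral chasing avoids that.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Bind with the service account used for the lookup.
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        ldap_unbind($conn);
        return false;
    }
    $userDn = gc_find_user_dn($conn, $baseDns, $attribute, $username);
    if ($userDn === null) {
        ldap_unbind($conn);
        return false;
    }
    // Verify the password by binding as the DN that was found.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : false;
}

// Usage with constructed placeholder values (global catalog port 3268).
$dn = gc_authenticate(
    'gc.domain1.example', 3268,
    'CN=svc-bind,OU=Service Accounts,DC=domain1,DC=example', 'bind-password-here',
    array('DC=domain1,DC=example', 'DC=domain2,DC=example'),
    'sAMAccountName', 'testtesttest', 'user-password-here'
);
echo $dn === false ? "authentication failed\n" : "authenticated as $dn\n";
```

Running this with the two base DNs and a forest global catalog should report, per base DN, whether the search itself failed or simply returned nothing, which is the distinction the module's "Search failed" versus "No matching results" log lines draw; a failed search against the second domain's base DN is the first thing to look at before concluding that global catalog searches do not work.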