

externalauth ldap search forest


pigmi

Community Member, 2 Posts

6 March 2012 at 12:11pm

Hey,

I'm using the externalauth module (LDAP) with SilverStripe 2.4.7 (new install) and am attempting to search across the entire forest.
I have done this with other LDAP modules, so I think my settings are fine.

Settings are as follows (in the site's _config.php):

// One authentication source named 'AD' that uses the LDAP driver
ExternalAuthenticator::createSource('AD', 'LDAP', 'User Directory');
ExternalAuthenticator::setAuthSSLock('AD', false);
// Global Catalog port (3268) on a domain1 controller, plain LDAP
ExternalAuthenticator::setAuthServer('AD', 'domain1');
ExternalAuthenticator::setAuthPort('AD', 3268);
// Base DNs are searched in order until a match is found
ExternalAuthenticator::setOption('AD', 'basedn', array('basedn1doamin1', 'basedn2domain2'));
ExternalAuthenticator::setOption('AD', 'ldapversion', 3);
// Login name is matched against sAMAccountName
ExternalAuthenticator::setOption('AD', 'attribute', 'sAMAccountName');
// Group that auto-created members are added to (must be a quoted string, not a bare constant)
ExternalAuthenticator::setAutoAdd('AD', 'Users');
ExternalAuthenticator::setOption('AD', 'firstname_attr', 'givenName');
ExternalAuthenticator::setOption('AD', 'surname_attr', 'sn');
ExternalAuthenticator::setOption('AD', 'email_attr', 'mail');
// Service account used for the initial bind and the user search
ExternalAuthenticator::setOption('AD', 'bind_as', "cn=bind accountondomain1");
ExternalAuthenticator::setOption('AD', 'bind_pw', 'password');

With these settings I can log in with domain1 accounts.
If I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');, keeping all the other settings the same, I can log in with accounts on domain2.

Log output is as follows:

Mon, 05 Mar 12 16:33:44 +1100 - Starting process for user TESTTESTTEST
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - User with source AD found in database
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - Password locking is disabled
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - loading driver LDAP
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - executing authentication driver
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connecting to ldap://domain1 port 3268 LDAP version 3
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - If process stops here, check PHP LDAP module
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Connect succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP set to protocol version 3
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - TLS not set
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Bind success
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - LDAP filter set to (samaccountname=TESTTESTTEST)
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn1doamin1
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Searching in tree basedn2doamin2
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - Search succeeded
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matching results
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST.ldap - No matches found
Mon, 05 Mar 12 16:33:44 +1100 - TESTTESTTEST - authentication driver LDAP failed

The user exists in basedn2domain2 but will not be found unless I change ExternalAuthenticator::setAuthServer('AD','domain1'); to ExternalAuthenticator::setAuthServer('AD','domain2');.

Log is as follows:

Tue, 06 Mar 12 10:08:32 +1100 - Starting process for user testtesttest
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - User with source AD found in database
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - Password locking is disabled
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - loading driver LDAP
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest - executing authentication driver
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connecting to ldap://doamin2 port 3268 LDAP version 3
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - If process stops here, check PHP LDAP module
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - Connect succeeded
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - LDAP set to protocol version 3
Tue, 06 Mar 12 10:08:32 +1100 - testtesttest.ldap - TLS not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Bind success
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP filter set to (sAMAccountName=testtesttest)
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn1doamin1
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search failed
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Searching in tree basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Search succeeded
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Found 1 results
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - DN CN=testtesttest testtesttest,basedn2doamin2 matches criteria
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Binding to LDAP as CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP accepted password for CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Reading details of DN CN=testtesttest testtesttest,basedn2doamin2
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Lookup of details succeeded
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowlastchange
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowlastchange not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmin
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmin not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowmax
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowmax not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up shadowwarning
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Attribute shadowwarning not set
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up givenname
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - givenname set to testtesttest
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up sn
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - sn set to testtesttest
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Looking up mail
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - mail set to TESTTESTTEST@email.com
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - Password expiry not enabled
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest.ldap - LDAP Authentication success
Tue, 06 Mar 12 10:08:33 +1100 - testtesttest - authentication success
Tue, 06 Mar 12 10:08:33 +1100 - Process for user testtesttest ended

Has anyone else got this to work?

Or does this just not work with global catalog searches?
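As an added diagnostic, not code from pigmi's post and not code from the externalauth module: the PHP script below repeats the module's lookup against a Global Catalog (service-account bind, one search per base DN, then a bind as the matched DN to check the password), with three changes a practitioner would want. It escapes the login name before building the filter, it disables referral chasing so a base DN the server does not hold yields its real result code instead of an opaque "Search failed", and it runs StartTLS so neither password crosses the wire in clear text (both logs above show "TLS not set"). The host, base DNs, bind DN and attribute list are placeholders (assumptions) to replace with real values; the script needs PHP's ldap extension and a reachable directory.

```php
<?php
// Standalone Global Catalog lookup check (added example; not the externalauth
// module's code). Placeholders below are assumptions: replace with real values.

$server  = 'dc1.domain1.example';                                   // assumed GC host
$port    = 3268;                                                    // GC plain port; 3269 is GC over LDAPS
$bindDn  = 'CN=svc-web,OU=Service Accounts,DC=domain1,DC=example';  // assumed service account
$bindPw  = getenv('LDAP_BIND_PW') ?: '';
$baseDns = array('DC=domain1,DC=example', 'DC=domain2,DC=example'); // assumed forest domains
$attrs   = array('sAMAccountName', 'givenName', 'sn', 'mail');      // in the default GC partial attribute set

$user   = isset($argv[1]) ? $argv[1] : 'testtesttest';
$userPw = isset($argv[2]) ? $argv[2] : '';

// RFC 4515 escaping for the assertion value. Without it a login name such as
// "*" or "x)(sAMAccountName=*" rewrites the filter (LDAP injection).
function escapeFilterValue($value) {
    return strtr($value, array(
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ));
}

// Reject empty passwords before any bind: AD treats a bind with a DN and an
// empty password as an unauthenticated bind, and that bind reports success.
if ($bindPw === '' || $userPw === '') {
    fwrite(STDERR, "usage: LDAP_BIND_PW=... php gc-check.php <sAMAccountName> <password>\n");
    exit(2);
}

$ds = ldap_connect("ldap://$server:$port");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// With referral chasing on, a base the server does not hold makes the client
// follow the referral (anonymously), which surfaces only as a failed search.
// With it off the real result code is visible via ldap_errno().
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!ldap_start_tls($ds)) {
    fwrite(STDERR, "StartTLS failed: " . ldap_error($ds) . "\n");
    exit(1);
}
if (!ldap_bind($ds, $bindDn, $bindPw)) {
    fwrite(STDERR, "service bind failed: " . ldap_error($ds) . "\n");
    exit(1);
}

$filter  = '(sAMAccountName=' . escapeFilterValue($user) . ')';
$matches = array();
foreach ($baseDns as $base) {
    $sr = @ldap_search($ds, $base, $filter, $attrs);
    if ($sr === false) {
        // Not the same as "no such user": codes such as 10 (referral) or
        // 32 (no such object) mean this server does not hold that naming
        // context, so nothing under it was searched at all.
        printf("%s: search failed, errno %d (%s)\n", $base, ldap_errno($ds), ldap_error($ds));
        continue;
    }
    $entries = ldap_get_entries($ds, $sr);
    printf("%s: %d match(es)\n", $base, $entries['count']);
    for ($i = 0; $i < $entries['count']; $i++) {
        $matches[] = $entries[$i]['dn'];
    }
}

if (count($matches) !== 1) {
    // Zero: no such account. More than one: the same login name exists in
    // more than one domain of the forest; do not authenticate the first hit.
    fwrite(STDERR, count($matches) . " entries match $filter across the searched bases\n");
    ldap_unbind($ds);
    exit(1);
}

// Verify the password the way the module does: a second bind as the user.
$ok = @ldap_bind($ds, $matches[0], $userPw);
printf("%s: %s\n", $matches[0], $ok ? 'password accepted' : 'password rejected (' . ldap_error($ds) . ')');
ldap_unbind($ds);
exit($ok ? 0 : 1);
```

Run it as `LDAP_BIND_PW=... php gc-check.php testtesttest 'the-password'` against the same host and port the module uses. When comparing with the module's logs, note that "Search succeeded / No matching results" and "Search failed" are different outcomes: the first means the server holds that naming context but has no object with that sAMAccountName under it, the second means no result set came back for that base at all. A Global Catalog also returns only the partial attribute set (sAMAccountName, givenName, sn and mail are in it by default), so an attribute outside that set will read as "not set" over port 3268 even when it is present on the account's home domain controller.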