Ldap User not getting advance Permissions
smehra
12-06-2011 04:24:39
Greetings,
I am a new user of OpenNetAdmin. I like it a lot, especially with the plugins. I am able to use the LDAP (Active Directory) user ID and password, but in spite of giving admin rights to the user both individually and group-wise, it (the user) does not get the advanced permissions to edit anything; also the menu is restricted to ONA.
Here is the summary of what I tried:
1) Created the same user in ONA and gave it individual rights.
2) Gave it the admin group, which has all the rights.
3) Created a new group ldapadmin with all rights and assigned it to the user.
4) Manually added entries in the permission_allocation table in the ona db.
No luck so far. Any help would be highly appreciated. Thanks in advance.
Following are the logs.
I have changed the domain, IP and username.
Jun 12 11:00:12 ona.example.com [email protected]: [DEFAULT] DEBUG => webwin_submit() Window: edit_domain Function: editor Form:
Jun 12 11:00:12 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:12 ona.example.com [email protected]: [DEFAULT] DEBUG => db_insert_record($dbh, sessions, $insert) called
Jun 12 11:00:12 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => db_get_record($dbh, $where, sessions, ) called
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => webwin_submit() Window: menu_control Function: Form: FALSE
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the subnet_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the host_modify permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the host_modify permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the dns_record_del permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the vlan_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the vlan_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the subnet_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the location_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the host_del permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the dns_record_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the dns_record_add permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => db_insert_record($dbh, sessions, $insert) called
Jun 12 11:00:21 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => db_get_record($dbh, $where, sessions, ) called
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => webwin_submit() Window: edit_domain Function: editor Form:
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => db_insert_record($dbh, sessions, $insert) called
Jun 12 11:00:22 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:42 ona.example.com [email protected]: [DEFAULT] DEBUG => db_get_record($dbh, $where, sessions, ) called
Jun 12 11:00:42 ona.example.com [email protected]: [DEFAULT] DEBUG => db_update_record($dbh, sessions, $where, $insert) called
Jun 12 11:00:42 ona.example.com [email protected]: [DEFAULT] INFO => [Desktop] user1 has logged out
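Triage helper for a log like the one above, added here as an example and not part of ONA: it collects the "does not have the X permission" refusals per user and pairs them with the "has logged in via authtype:" line that Matt mentions later in the thread, so you can see at a glance whether the login went through LDAP and which checks then failed. The sample lines are constructed after the excerpt above (the address after the user name is a placeholder, as in the post).

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the ona.log excerpt in the post (placeholder
# host, address and user name).
SAMPLE_LOG = """\
Jun 12 11:00:10 ona.example.com user1@192.0.2.10: [DEFAULT] INFO => [Desktop] user1 has logged in via authtype: ldap
Jun 12 11:00:12 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => webwin_submit() Window: edit_domain Function: editor Form:
Jun 12 11:00:12 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:21 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => auth() User[user1] does not have the subnet_add permission
Jun 12 11:00:21 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => auth() User[user1] does not have the host_modify permission
Jun 12 11:00:21 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => auth() User[user1] does not have the host_modify permission
Jun 12 11:00:21 ona.example.com user1@192.0.2.10: [DEFAULT] DEBUG => auth() User[user1] does not have the advanced permission
Jun 12 11:00:42 ona.example.com user1@192.0.2.10: [DEFAULT] INFO => [Desktop] user1 has logged out
"""

# Message shapes taken from the log excerpt and from Matt's later reply.
DENIED_RE = re.compile(r"auth\(\) User\[(?P<user>[^\]]+)\] does not have the (?P<perm>\S+) permission")
LOGIN_RE = re.compile(r"\[Desktop\] (?P<user>\S+) has logged in via authtype: (?P<authtype>\S+)")


def permission_denials(log_text):
    """Map user -> Counter of permission names that auth() refused."""
    denials = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denials[m.group("user")][m.group("perm")] += 1
    return dict(denials)


def login_authtypes(log_text):
    """Map user -> authtype reported at login ('ldap' or 'default')."""
    found = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            found[m.group("user")] = m.group("authtype")
    return found


def diagnose(log_text):
    """One line per user: the authtype they logged in with and the distinct permissions refused."""
    auth = login_authtypes(log_text)
    return [
        f"{user}: authtype={auth.get(user, 'unknown')}; denied {', '.join(sorted(perms))}"
        for user, perms in sorted(permission_denials(log_text).items())
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

An "authtype=ldap" login followed by refusals of every permission checked is the pattern from this thread: authentication succeeded, but no ONA group matched a directory group, so no permissions were attached. An "authtype=unknown" result with debug enabled usually means the log window did not include the login; log out and in again and re-run.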
Matt
13-06-2011 14:09:48
Great, I'm glad you like it so far!
First off, let's take a look at what the system has pulled up for groups/access from LDAP. To do this, simply log in and then click on the little person icon just to the left of the logout button (top right of the screen).
This will show you the groups and permissions you currently have assigned from your LDAP server. You then must have a group defined in ONA that is named exactly like whichever group in this list you wish to assign rights to. Once that group is created and set up with permissions, you can log back in again and click the user info button again; it should show you the permissions from the group.
That should get you what you need.
Thanks.
smehra
19-06-2011 00:39:27
Thanks a lot for responding, Matt.
I have looked at the part you asked me to; below are the details:
username :: <mydomain username>
Groups :: <Groups That i belong to in MY Active Directory>
Permissions :: <Blank>
Matt
20-06-2011 22:14:53
Well it sounds like the LDAP is working fine and pulling out your groups.
You simply need to go to admin->manage groups, then add a new group. The group name should match one of the ones in the list of groups pulled from LDAP and is case sensitive. Then, once you have saved that, grant that group the appropriate permissions by clicking the little picture of a key next to its name.
Now log in again and you should have permissions listed.
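The resolution Matt describes, as a small Python model added here (not ONA's own PHP code): the directory reports the user's groups, ONA grants permissions only through an ONA group whose name equals one of those groups exactly, and the user's effective permissions are the union of what the matched groups grant. The group and permission names below are constructed placeholders; the "ona-admins" versus "ONA-Admins" pair is there to show why the Permissions list comes up blank when only the case differs.

```python
# Constructed data (placeholders): what the directory reports for this login
# (the user-info button), the groups defined under admin -> manage groups, and
# the permissions granted to each ONA group with the key icon.
LDAP_GROUPS_FOR_USER = ["Domain Users", "ONA-Admins"]

ONA_GROUPS = {
    "ona-admins": {"advanced", "host_add", "host_modify", "host_del",
                   "subnet_add", "dns_record_add", "dns_record_del"},
    "netops": {"host_add", "host_modify"},
}


def effective_permissions(ldap_groups, ona_groups):
    """Union of the permissions of every ONA group whose name equals an
    LDAP group name exactly; the comparison is case-sensitive, as in ONA."""
    perms = set()
    for name in ldap_groups:
        perms |= ona_groups.get(name, set())
    return perms


def has_permission(ldap_groups, ona_groups, perm):
    """What an auth()-style check sees: True only if a matched group grants `perm`."""
    return perm in effective_permissions(ldap_groups, ona_groups)


def unmatched_groups(ldap_groups, ona_groups):
    """LDAP groups with no exact ONA counterpart, pointing out names that
    differ only in case (the usual reason for an empty Permissions list)."""
    by_lower = {n.lower(): n for n in ona_groups}
    report = {}
    for name in ldap_groups:
        if name in ona_groups:
            continue
        near = by_lower.get(name.lower())
        report[name] = (f"differs only in case from ONA group '{near}'" if near
                        else "no ONA group with this name")
    return report


def rename_group(ona_groups, old, new):
    """Copy of the group table with one group renamed, which is what
    correcting the name under manage groups amounts to."""
    fixed = dict(ona_groups)
    fixed[new] = fixed.pop(old)
    return fixed


if __name__ == "__main__":
    print("before:", sorted(effective_permissions(LDAP_GROUPS_FOR_USER, ONA_GROUPS)))
    print("why:   ", unmatched_groups(LDAP_GROUPS_FOR_USER, ONA_GROUPS))
    fixed = rename_group(ONA_GROUPS, "ona-admins", "ONA-Admins")
    print("after: ", sorted(effective_permissions(LDAP_GROUPS_FOR_USER, fixed)))
```

Run against the constructed data, the user has no permissions until the ONA group is renamed to match the directory group character for character; "Domain Users" stays unmatched, which is harmless because no ONA group is meant to carry it.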
cmorgan
06-12-2011 13:53:42
I'm really struggling with LDAP authentication in ONA. Firstly, I'm unclear as to whether or not there is in fact a plugin, or if this functionality was installed with the main ONA installation file.
I found the file auth_ldap.config.php and have edited it as shown below:
>>>>>>>
$conf['authtype'] = 'ldap'
// Common settings and debugging
$conf['auth']['ldap']['debug'] = 'true';
$conf['auth']['ldap']['version'] = '3';
$conf['auth']['ldap']['server'] = 'ldap://sx.net';
// Active Directory DN bind as user example
//$conf['auth']['ldap']['binddn'] = '%{user}@example.local';
$conf['auth']['ldap']['usertree'] = 'OU=Employees,DC=sx,DC=net';
$conf['auth']['ldap']['userfilter'] = '(sAMAccountName=%{user})';
$conf['auth']['ldap']['grouptree'] = 'OU=Groups,DC=sx,DC=net';
$conf['auth']['ldap']['groupfilter'] = '(&(cn=*)(Member=%{dn})(objectClass=group))';
//$conf['auth']['ldap']['mapping']['grps'] = array('memberOf'=>'/cn=(.+?),/i');
//$conf['auth']['ldap']['referrals'] = '0';
<<<<<<<
I've been trying to follow along with the instructions given at http://www.dokuwiki.org/auth:ldap, but I'm not certain what's going on after a certain point. More specifically:
>>>>>>
Authentication is done in these steps:
First see if we need to do an anonymous bind by looking in the usertree for a %{user}:
If found: Set usertree as DN.
If not: Try to find a DN for the given login by doing a search in the usertree with the given userfilter; there has to be exactly one result.
Try to bind with the found DN and the given password; if this succeeds, access is granted.
For getting the groups a user is in, the groupfilter is used to search the grouptree.
<<<<<<
I'm sure that the php-ldap extension has been installed and is enabled. Nothing's happening here though, and I really would like to get this working. Please help if you can; any help would be greatly appreciated.
Thank you.
Matt
07-12-2011 09:28:46
The authentication is plugin based, in the sense that other authentication plugins can be written as needed. The latest version of ONA includes the default auth and the LDAP auth modules.
You must first turn on the LDAP module by logging into the GUI as admin and navigating to menu->admin->manage system config. Find the 'authtype' entry and set it to 'ldap'.
Then you must configure the auth_ldap.config.php file for your environment. You should first copy the example file to the local config directory as follows:
cp /opt/ona/www/config/auth_ldap.config.php /opt/ona/www/local/config/auth_ldap.config.php
Then edit /opt/ona/www/local/config/auth_ldap.config.php
A few comments about your config settings.
1. Setting $conf['authtype'] = 'ldap' in this file will likely not work, as it must be set so it knows to even look at your ldap config file. It should be set through the GUI, which updates a database table. This very well could be the issue as to why it's not working for you?
2. Although there are ways to configure the ldap auth to work without the binddn, it is really the most simple way; I would strongly suggest you do not comment out that line. Based on the other config settings you show here, it should read '${user}@sx.net'.
3. The mapping groups option is how it determines which groups a user is a part of. I believe you will want that line uncommented as well.
4. Active Directory does not work properly with referrals turned on. For this reason you must uncomment the referrals line and set it to 0.
I "think" you are close. At this point I'm suspecting that you may not have enabled the ldap auth module in the system config settings dialog, which may be the root of your issues? And lastly, the debug output in /var/log/ona.log should be logging SOMETHING about the authtype used (either default or ldap) and would also be logging some level of ldap information. You might turn on debug and then log in/out of the GUI, then search for a message like the following:
[DEFAULT] INFO => [Desktop] USERNAME has logged in via authtype: (something like ldap or default)
Hope that helps.
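The authentication steps cmorgan quoted from the DokuWiki page, together with Matt's point 3 about the groups mapping, as a self-contained Python model added here (this is not ONA's PHP code and not the DokuWiki implementation; it runs against a constructed in-memory directory, and every DN, account name and the mock password are placeholders). It walks the flow as described: expand the userfilter with the login name, search the usertree and insist on exactly one hit, bind with that DN and the password, then collect groups either via the groupfilter over the grouptree or, as the commented-out 'grps' mapping does, by pulling the cn out of each memberOf value. Two checks a practitioner wants that the steps do not spell out are included: the login name is escaped before it is placed in the filter (RFC 4515), so characters like '*' and parentheses are matched literally, and an empty password is refused before the bind, since directories treat an empty-password bind as unauthenticated rather than as a failure.

```python
import re

# Constructed directory standing in for Active Directory (placeholder DNs and
# names).  A real directory checks the bind password itself; the mock keeps a
# "mockPassword" attribute only so the bind step can be simulated offline.
DIRECTORY = {
    "CN=Jane Doe,OU=Employees,DC=sx,DC=net": {
        "sAMAccountName": ["jdoe"], "mockPassword": ["correct horse"],
        "memberOf": ["CN=ONA-Admins,OU=Groups,DC=sx,DC=net"]},
    "CN=Dup One,OU=Employees,DC=sx,DC=net": {"sAMAccountName": ["dup"], "mockPassword": ["x"]},
    "CN=Dup Two,OU=Employees,DC=sx,DC=net": {"sAMAccountName": ["dup"], "mockPassword": ["x"]},
    "CN=ONA-Admins,OU=Groups,DC=sx,DC=net": {
        "cn": ["ONA-Admins"], "objectClass": ["group"],
        "member": ["CN=Jane Doe,OU=Employees,DC=sx,DC=net"]},
}

# Settings in the shape of the auth_ldap.config.php entries quoted in the thread.
CONF = {
    "usertree": "OU=Employees,DC=sx,DC=net",
    "userfilter": "(sAMAccountName=%{user})",
    "grouptree": "OU=Groups,DC=sx,DC=net",
    "groupfilter": "(&(cn=*)(Member=%{dn})(objectClass=group))",
}


def escape_filter_value(value):
    """RFC 4515 escaping: the substituted text can never change the filter's structure."""
    return "".join(c if c not in "\\*()\0" else "\\%02x" % ord(c) for c in value)


def expand(template, **values):
    """Replace %{name} placeholders with escaped values."""
    return re.sub(r"%\{(\w+)\}", lambda m: escape_filter_value(values[m.group(1)]), template)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, i=0):
    """Minimal filter parser: (&(...)(...)), (attr=value) and the presence form (attr=*)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if s[i] == "&":
        i, parts = i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            parts.append(node)
        return ("and", parts), i + 1          # skip the closing ')'
    j = s.index(")", i)                       # escaped ')' is '\29', so this is the real end
    attr, value = s[i:j].split("=", 1)
    return ("eq", attr.lower(), value), j + 1


def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively, as AD does."""
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node
    values = [x for k, vs in entry.items() if k.lower() == attr for x in vs]
    if value == "*":                          # presence test, only for a bare '*'
        return bool(values)
    return any(x.lower() == _unescape(value).lower() for x in values)


def search(directory, base, filter_str):
    """DNs below `base` whose entry satisfies the filter."""
    node, _ = parse_filter(filter_str)
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith("," + base.lower()) and matches(node, entry)]


def authenticate(user, password, conf, directory):
    """Find exactly one DN, bind, collect groups.  Returns {'dn', 'groups'} or None."""
    if not password:                          # an empty-password bind is unauthenticated, not a login
        return None
    hits = search(directory, conf["usertree"], expand(conf["userfilter"], user=user))
    if len(hits) != 1:                        # zero or ambiguous: refuse
        return None
    dn = hits[0]
    if password not in directory[dn].get("mockPassword", []):   # simulated bind
        return None
    group_dns = search(directory, conf["grouptree"], expand(conf["groupfilter"], dn=dn))
    return {"dn": dn, "groups": [directory[g]["cn"][0] for g in group_dns]}


def groups_from_memberof(entry, pattern=r"cn=(.+?),"):
    """The 'grps' mapping alternative: take the cn out of each memberOf DN with the regex."""
    return [m.group(1) for v in entry.get("memberOf", [])
            for m in [re.search(pattern, v, re.I)] if m]


if __name__ == "__main__":
    print(authenticate("jdoe", "correct horse", CONF, DIRECTORY))
    print(groups_from_memberof(DIRECTORY["CN=Jane Doe,OU=Employees,DC=sx,DC=net"]))
```

The groups this returns are what the user-info button lists; they still grant nothing in ONA until a group of exactly that name exists under manage groups. Note the contrast in case handling: the directory matches attribute values case-insensitively, while ONA's group-name match is case-sensitive.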
cmorgan
07-12-2011 14:08:25
Yup, turning on LDAP through the GUI was the fundamental problem for me. If we end up adopting this tool at my company I'll have to do a write-up of how to install and configure everything; if/when I do that write-up I'll post it here so future newbies to ONA won't have it quite so hard as I have.
Thanks for all your help, Matt.
Also, one tidbit that I thought was very strange: I saw this error in /var/logs/httpd/error_log
>>>>>
PHP Parse error: syntax error, unexpected T_VARIABLE in /opt/ona/www/config/auth_ldap.config.php on line 20
<<<<<
Basically it refused to work until I got rid of the line "$conf['auth']['ldap']['debug'] = 'true';"
Matt
07-12-2011 17:21:06
Awesome, glad you got it working!
And yep, I'll take any documentation you want to provide.
The PHP parse error thing is interesting. I'll test that on my side too; it should work fine, as I recall using it when I developed the code. Maybe I changed something after the fact that broke it again.