LizMap LDAP integration #637
Comments
hi @vherreros you can see the documentation here: |
Hello, I've finally read the documentation and there are still two questions regarding LDAP validation. Question 1: Question 2: Thanks. |
hi @vherreros
When you use LDAP authentication, after the first login of a user, the user's data (including the group, if so defined in authldap.coord.ini.php) will be imported into your local database. Then you should define policies for these (new) groups.
You can have local users and LDAP users, but with different names, because the LDAP users override the local users. Am I wrong, or can you be more explicit, @mdouchin @laurentj? |
We really should improve the documentation on this. If I understand correctly, there are 2 ways to use the LDAP bridge in Lizmap:
One of the options inside the configuration file lets you decide which behaviour is used. @laurentj, can you confirm? |
Well, no success. I've followed these steps (according to the documentation). Every action is performed with root permissions (sudo command), and my LizMap install directory is /var/www/lizmap/:
3.2. /var/www/lizmap/lizmap/var/config/admin/config.ini.php and /var/www/lizmap/lizmap/var/config/index/config.ini.php: In the section [coordplugins], changing the default value 'auth="index/auth.coord.ini.php"' to 'auth="authldap.coord.ini.php"'.
Installation finishes successfully, but now I can't validate in LizMap via the web plugin (even after restarting the Apache2 service). When trying to log in (either with LizMap local or LDAP users), the web browser just shows 'Error 500. A technical error has occured. Sorry for this trouble.'. Apache doesn't show any error in its log. The LizMap error log (/var/www/lizmap/lizmap/var/log/error.log) shows:
Where do I have to specify the missing LDAP profile name? Thanks... |
hi @vherreros you must configure your authldap.coord.ini.php file according to the parameters of your LDAP server ...
... https://github.com/jelix/ldapdao-module/blob/master/ldapdao/install/authldap.coord.ini.php |
Great, we keep on progressing. Now the local user validation is up and running. Let's focus on LDAP user login. Next failure point: When using ldapsearch for testing my connection, I've seen that
doesn't work, but
allows me to query the LDAP server. In /var/www/lizmap/lizmap/var/config/profiles.ini.php, section [ldap:myldapdao], I have:
I'm using the secure port (I'm not allowed to use the non-secure port 389), but the validation through the LizMap web client hangs after 1 minute, more or less. The web browser displays something like 'Login failure' or 'Validation failure' (sorry, but I'm using the Spanish locales), and the LizMap error log shows:
It seems the LizMap LDAPDAO profile is not using the ldaps but the ldap protocol, so the connection doesn't succeed. Is there a way to force the LizMap LDAP module to use the ldaps secure protocol? Thanks again... P.S.: I've opened an issue on the LDAPDAO thread asking for a way to force LDAPDAO to use ldaps connections. If I get a response, I'll publish it here too. |
Hi @vherreros, to connect to LDAP with SSL, try |
Hi @josemvm and @vherreros, I'm interested in using LDAP with an Active Directory (Windows) configuration in order to connect my Lizmap installed on a Linux system. If I understand correctly, I have configured authldap.coord.ini.php by adding ldapprofile = "myldapdao", which is read from the profiles.ini.php file, where I defined
but it does not work. Perhaps the syntax of adminUserDn is not correct? Perhaps uid/sAMAccountName needs to be modified in the authldap.coord.ini.php file? Many thanks for your help |
Sorry, Roberto, but I've still not deployed LDAP validation in my LizMap system, so I can't help you... Anyway, any comment on this issue will be welcome under this thread. |
You must correctly set all configuration parameters in authldap.coord.ini.php, according to your LDAP architecture. Since it is specific to each organization, we cannot really help you. In the comments in this file, there are some examples for Active Directory, but it may not be exactly what you should indicate. Ask your LDAP administrator. |
I have exactly the same problem. I think I set the correct parameters in authldap.coord.ini.php according to my architecture, but surely there is something wrong. In the error log of Lizmap I have the following error: 2018-01-17 19:26:01 192.168.23.171 warning 2018-01-17 19:26:01 [2] ldap_search(): Search: Operations error /opt/www/ldapdao-module-master/ldapdao/plugins/auth/ldapdao/ldapdao.auth.php 253 Is there anyone who has successfully configured Lizmap with Active Directory authentication and can help me retrieve the necessary correct parameters from my Active Directory infrastructure, and can help me know where and how to put them into the configuration files? Thanks in advance. |
hi @quelo1972 I'm using OpenLDAP, not Active Directory, but I think your ldap module is not in the right place... see here: https://github.com/jelix/ldapdao-module/blob/master/README.md#install-files-with-jelix-16 the structure should look something like this:
and inside you should have:
|
Ok, I've just followed the instructions in that link. In fact there is the following instruction: "Install files with Jelix 1.6. Copy the ldapdao directory into the modules/ directory of your application", so I've put the ldapdao directory in my_app_lizmap/lizmap/modules/ldapdao, in which I have drwxr-xr-x 5 root root 4096 dic 10 21:10 . When I execute the installer, the module ldapdao is correctly installed: root@SRVLNXWINTRA01:/opt/www/lizmap/lizmap/modules# php ../../lizmap/install/installer.php && ../../lizmap/install/set_rights.sh |
Ok, I moved it to the right place and re-executed installer.php, but when I try to log in with an Active Directory user I have the same error: 2018-01-18 12:36:31 192.168.23.171 warning 2018-01-18 12:36:31 [2] ldap_search(): Search: Operations error /opt/www/ldapdao-module-master/ldapdao/plugins/auth/ldapdao/ldapdao.auth.php 253 |
It seems searchUserFilter and/or searchUserBaseDN are not set correctly. Be sure you have the tag Edit: also verify searchAttributes, which indicates the mapping between LDAP attributes and user properties of Lizmap |
This is my authldap.coord.ini.php
|
Can you check your Lizmap error.log? |
When I log in with an Active Directory user I have this error in the Lizmap error.log: 2018-01-18 12:36:31 192.168.23.171 warning 2018-01-18 12:36:31 [2] ldap_search(): Search: Operations error /opt/www/ldapdao-module-master/ldapdao/plugins/auth/ldapdao/ldapdao.auth.php 253 |
I have the same error, but I am not the administrator of the LDAP server and I think I made some mistakes in the authldap.coord.ini.php file |
yes, i think so... |
Is there anyone who has successfully configured Lizmap with Active Directory authentication and can help me retrieve the necessary correct parameters from my Active Directory infrastructure, and can help me know where and how to put them into the configuration files? |
Have you @quelo1972? If you are on Linux, you should try the command line tool
Some websites with how-tos on the ldapsearch command line: |
I really did more! In addition to successfully executing the command line below
I also wrote a small PHP script as follows:
Running this script from the command line, it WORKS!
Based on these 2 positive test results I have compiled the authldap.coord.ini.php file and profile.ini.php as below, but in the Lizmap error log I obtain the same error.
|
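A stand-alone connectivity check in the spirit of the small PHP script mentioned above, added here as an example; it is neither the poster's script nor part of ldapdao. The URI, DNs, base DN and Active Directory filter are assumed placeholders, and passwords are read from the environment.

```php
<?php
// Added example (not ldapdao code): reproduce the search-then-bind steps an
// LDAP auth driver performs at login, against an ldaps:// endpoint.
// All connection values below are assumed placeholders.
$uri       = 'ldaps://ldap.example.org:636';                 // ldaps:// = TLS on 636
$adminDn   = 'CN=svc-lizmap,OU=Service,DC=example,DC=org';   // adminUserDn equivalent
$adminPass = getenv('LDAP_BIND_PASSWORD') ?: '';             // never hardcode it
$baseDn    = 'OU=Users,DC=example,DC=org';                   // searchUserBaseDN equivalent
$login     = $argv[1] ?? 'andrea.rossetti';                  // name typed at the login form
// Escape the user-supplied login before interpolating it into the filter.
$filter    = sprintf('(&(objectClass=user)(sAMAccountName=%s))',
                     ldap_escape($login, '', LDAP_ESCAPE_FILTER));
$attrs     = ['sAMAccountName', 'mail', 'memberOf'];

$ds = ldap_connect($uri);
if ($ds === false) { fwrite(STDERR, "invalid LDAP URI\n"); exit(1); }
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// AD answers base-DN searches with referrals for partitions it does not hold;
// chasing them anonymously fails with "Operations error" or hangs, so disable it.
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);          // fail fast, do not hang

// Bind with the service account BEFORE searching: AD refuses unauthenticated
// searches, another common source of "Search: Operations error".
if (!@ldap_bind($ds, $adminDn, $adminPass)) {
    fwrite(STDERR, "admin bind failed: " . ldap_error($ds) . "\n"); exit(1);
}
$sr = @ldap_search($ds, $baseDn, $filter, $attrs);
if ($sr === false) {
    fwrite(STDERR, "search failed: " . ldap_error($ds) . "\n"); exit(1);
}
$entries = ldap_get_entries($ds, $sr);
if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one entry, got {$entries['count']}\n"); exit(1);
}
$userDn = $entries[0]['dn'];
echo "found $userDn\n";
foreach ($entries[0]['memberof'] ?? [] as $k => $g) {
    if ($k !== 'count') echo "  member of $g\n";              // candidate ACL groups
}
// Last step of a login: bind as the found user with the typed password.
$userPass = getenv('LDAP_USER_PASSWORD') ?: '';
echo @ldap_bind($ds, $userDn, $userPass)
    ? "user bind OK\n"
    : "user bind failed: " . ldap_error($ds) . "\n";
ldap_close($ds);
```

If the admin bind succeeds but the search does not, compare the base DN and filter with what the working ldapsearch command used; if the user bind fails, the password or the found DN is the problem, not the search configuration.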
Hi, I made an attempt to fix this issue. Please, everybody, whether you use Active Directory or not, retrieve the new ldapdao.auth.php file and replace the old one in the module you installed, and tell me if the issue is fixed (for Active Directory users) or if it still works for other LDAP directories. |
hi @laurentj it still works for OpenLDAP Directory Services |
@quelo1972 you should copy paste this content into ldap-module/plugins/auth/ldapdao.auth.php ! (replace all previous content of course) |
I added the requested log lines:
|
@laurentj
but the user andrea.rossetti has not yet been associated with the GeoPortaleSITEL group |
@laurentj |
id_aclgrp of course. |
Now I have a question... Will I have to keep the modified file ldapdao.auth.php, or will it be inserted into the distribution .tar.gz package? |
@quelo1972 I just released a new version 2.0.1. Thank you for your feedback and for your help to fix some issues. |
@quelo1972 this could be very useful in lizmap documentation, if you want to contribute for this purpose 3liz/lizmap-documentation#48
& log database https://github.com/3liz/lizmap-documentation thanks |
@laurentj
and the following error is reported in the error.log
|
What should I do to collaborate with the Lizmap documentation? |
@laurentj I do not know if you read my previous posts, but unfortunately you have to reopen the issue, because it only works for the first login of a user; on the next login there is an error on a query and it returns error 500 in the browser. It seems that the script tries to write a duplicate record in the log_detail table. Let's take a little last effort! Thank you. |
Excuse me, unfortunately, not being an expert programmer in PHP, I am not able to contribute by modifying the code. I am confident that your silence is due to the fact that you are still finding a solution for my two problems, the most urgent of which is the one linked to the ldapdao-module; until I have a solution I cannot put the Lizmap geo-portal into production for my organization. Thank you very much for the work done up to now. |
I see that the error is in the script |
Concerning "How to use Postgres as user database", I can also give my contribution to the documentation.. how? Using Transifex or GitHub? Concerning LDAP integration, I will follow the discussion and hope @quelo1972 will also solve the latest errors.. Unfortunately I am not an expert in LDAP |
About the use of PostgreSQL as the database to store the auth and acl tables (users, groups and rights), there is already some information here. I think we should move this part outside the "Windows" install manual, as it concerns both Linux and Windows. About the error of @quelo1972, please be patient, as this project is open-source, and developers may not be available to answer as quickly as expected depending on their workload and the period of time. |
In the meantime, if it can help, I have done other tests. I tried switching to sqlite3 for jdb, and when trying to log in as andrea.rossetti the user is created in jlx_user and the association is created in jacl2_user_group. Everything works very well, also for subsequent logins! |
@quelo1972 you mean that you have reinstalled Lizmap completely from scratch, keeping sqlite2 for jdb instead of PostgreSQL, and everything works well this way? If so, please add your full Lizmap acl configuration here as an example for other users. For PostgreSQL, please try to reinstall Lizmap completely using a new empty DB created before the new Lizmap install (just to be sure nothing has been corrupted by your many tries). Cheers |
Nothing is corrupted. I simply reconfigured profiles.ini.php to work with sqlite3, and it works, but if I reconfigure profiles.ini.php to work with PostgreSQL only the first login of every user works, and for the subsequent logins I have the errors described before. |
The problem seems to be the following: when I configure lizmap to use the db postgres, at the first login of every user everything works fine, in fact the user is authenticated with Active Directory, the user is correctly created in the jlx_user table and is associated with the correct group inside the jacl2_user_group table. At subsequent login attempts the user is properly authenticated by Active Directory but at this point the program tries to rewrite the same record in jacl2_user_group violating the primary key constraint. This does not seem to happen if you set sqlite3 as jdb. |
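The failure mode described above, reproduced as an added example (not ldapdao code): the same INSERT into jacl2_user_group on every login trips the primary key on the second one, and a membership check before the write makes the step idempotent. The table shape is assumed from this thread; id_aclgrp is named here, the login column and the composite key are assumptions, and an in-memory sqlite database stands in for the jdb profile.

```php
<?php
// Added example, not ldapdao code. Table definition is an assumption
// (id_aclgrp comes from the thread; login and the composite key do not).
$db = new PDO('sqlite::memory:');            // stand-in for the jdb profile
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jacl2_user_group (
             login TEXT NOT NULL, id_aclgrp TEXT NOT NULL,
             PRIMARY KEY (login, id_aclgrp))');

// Naive version: what the thread describes, the same INSERT at every login.
function addUserToGroupNaive(PDO $db, string $login, string $group): void {
    $st = $db->prepare('INSERT INTO jacl2_user_group (login, id_aclgrp) VALUES (?, ?)');
    $st->execute([$login, $group]);
}

// Idempotent version: write the membership only when it is not there yet.
// (On PostgreSQL, INSERT ... ON CONFLICT DO NOTHING is an alternative; the
// explicit check keeps this runnable on both sqlite3 and pgsql profiles.)
function ensureUserInGroup(PDO $db, string $login, string $group): bool {
    $st = $db->prepare('SELECT 1 FROM jacl2_user_group WHERE login = ? AND id_aclgrp = ?');
    $st->execute([$login, $group]);
    if ($st->fetchColumn() !== false) {
        return false;                         // already a member, nothing written
    }
    $ins = $db->prepare('INSERT INTO jacl2_user_group (login, id_aclgrp) VALUES (?, ?)');
    $ins->execute([$login, $group]);
    return true;
}

$login = 'andrea.rossetti'; $group = 'GeoPortaleSITEL';   // names taken from the thread
addUserToGroupNaive($db, $login, $group);                  // first login: succeeds
try {
    addUserToGroupNaive($db, $login, $group);              // second login: duplicate key
} catch (PDOException $e) {
    echo "second naive insert failed as expected: " . $e->getMessage() . "\n";
}
var_dump(ensureUserInGroup($db, $login, $group));          // bool(false): already present
var_dump(ensureUserInGroup($db, 'other.user', $group));    // bool(true): newly inserted
```

Whether sqlite3 raises the same error in a real install depends on whether the table carries the same primary key there, which is one thing to compare when a schema was replicated by hand from sqlite to PostgreSQL.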
hi @quelo1972 from your error in error.log, it seems to me that you have some structure or content problem in your I migrated all my tables (users, groups, rights and logs) from sqlite to PostgreSQL and everything works as expected! |
@josemvm can you export your db schema in SQL CREATE text format? Thanks. Maybe I've made some mistakes replicating the sqlite3 structure to PostgreSQL. |
@josemvm I tried to execute the query in the error.log from pgsql and it works: |
@quelo1972 a stupid answer: |
In summary: CREATE SCRIPT
profiles.ini.php
authldap.coord.ini.php
|
Yes. |
Hi, sorry @quelo1972 for not responding quickly: first, I'm not working full time on Jelix or Lizmap. I'm just a contributor. Unfortunately, I have projects for customers (not related to Jelix or Lizmap) that have priority over your bugs. Second, you post several bugs in a single GitHub issue. It is then very difficult to follow your problems. Please post only one problem per GitHub issue. For me, your latest problems are not related to LDAP. So I close this issue. Open a new issue for each of your problems. And if you have other problems with LDAP, please open a new GitHub issue. One problem, one GitHub issue. Thank you ;-) |
Ok, excuse me... I will open two new issues. |
Hello,
Several LizMap versions ago I knew there were plans to allow user validation to rely on an external LDAP server instead of the internal LizMap user database.
What about this topic? Is it possible with the new version?
TIA.