
Comments (6)

thorin commented on July 25, 2024

Hi Jerry,

Unfortunately the ldap library doesn't have a way to dump the connection data. Having said that, Wireshark is a good way to do it.

From the configuration you're sending I think that:

  • groupname should be cn instead of sn.
  • the group filter is restricting the groups to the ones whose name starts with mygroup. Is that really your intention?
  • the memberid should be dn and not uid.
    With membership on the group class the plugin should do, for each user, a search for groups with an attribute member equal to the user's DistinguishedName - dn.
    (e.g., member = uid=surname.name,ou=people).

If you're having trouble determining which attributes you should use for the plugin, have a look at the examples I've set on the readme.rdoc. You can also try to connect to explore your LDAP with a browser (e.g., http://jxplorer.org/).

from redmine_ldap_sync.

lutinwood commented on July 25, 2024

Hi Thorin,

I had your plugin doing what I really want before by hacking your code and using a user attribute filter.

Since you slightly changed the code:

18e5229#lib/redmine_ldap_sync/redmine_ext/auth_source_ldap_patch.rb

Before, you declared user_filter, group_filter and object filter with the string 'objectclass'. I changed it to the name of the attribute I wanted to use for the filter and it was doing the right filter.
user_filter = Net::LDAP::Filter.eq( 'objectClass', settings[:class_group] )

user_filter = Net::LDAP::Filter.eq( :objectclass, settings[:class_group] )
Now you're using :objectclass; where is the value of :objectclass declared?

When I launch the script, it is doing hundreds of searchRequests to the LDAP server.
How could it be possible to stop it first with the search result from the information filled in the plugin form,
then validate it,
and finally let it perform the search inside the dn declared in the LDAP authentication form?

I hope you'll get what I mean.

I've tried several distinct ways to access my LDAP from your plugin. I'm getting the message skipping user '' it already on a different auth_source.

From the code, it means: if user.auth_source_id != self.id and not user.auth_source_id.blank?

and it's performing on every user of the LDAP server ...

To explore my LDAP server I use ldap search, and with it I get my result without a problem.

From Wireshark, the search filter doesn't seem right:

Filter(objectclass=person)
should be (cn=group*)
shouldn't it be?

thanks for your time anyway..

from redmine_ldap_sync.

thorin commented on July 25, 2024

Have you tried using 'dn' instead of 'uid' on the memberid?

I believe you won't need to hack the code.


from redmine_ldap_sync.

thorin commented on July 25, 2024

I truly believe that the problem is misconfiguration, since the plugin is prepared to work with OpenLDAP.

For the filter :objectclass is the same as 'objectclass'.

The error you're seeing means that the users were previously or are configured to a different AuthSource.

If they really should be connected to this authsource what you can do is to update the authsource_id on the database to match the one you've configured with the plugin.

Not searching for groups by filtering them by the objectclass is a bit strange. You might get other objects that aren't groups.

The group object class should be "groupOfNames" (plural). But you should have a look at a group with the LDAP browser to ensure that you have the correct objectclass.

If you need an extra filter you should use the groupsearch filter (eg, (&(objectClass=person)(|(givenName=John)(mail=john*)))).

You're seeing those queries because it first does a run to find all the available users on the LDAP server and then single requests to get each user's memberid.

What you should see when you run the synchronization is:

  • A single request to find all the users (objectclass=person).
  • For each user a single request to the user memberid (objectclass=person).
  • For each user a single request to get all the user's groups (& (objectclass=groupOfNames) ...).

from redmine_ldap_sync.

lutinwood commented on July 25, 2024

Hi thorin,

I succeeded in getting your script to do what I need it to do ... But I had to hack inside to change some values ..

I've sorted out my error message "Skipping user ... "; it came through because I had a filter on the LDAP authentication (like the chiliproject one).

I found a variable called :object_class; it is the same as :objectclass. Did you want it different for a peculiar reason?

I only modified inside (redmine_ldap_sync/lib/redmine_ldap_sync/redmine_ext/auth_source_ldap_patch.rb)

259: group_filter = Net::LDAP::Filter.eq( 'cn', settings[:class_group] ) # cn

271: user_filter = Net::LDAP::Filter.eq( 'user_attribut', settings[:class_user] ) #user_attribut

283: user_filter = Net::LDAP::Filter.eq( 'user_attribut', settings[:class_user] ) #user_attribut

---form inside redmine

User objectclass : mywishvalue*
Group : mywhishgroup

group name : cn
memberusers :members
Memberid: dn

from wireshark


Ldap searchRequest "ou=people...
Filter: (user_attribute=mywishvalue*)

Ldap searchRequest "ou=groups,...
Filter (&(cn=mywishgroup)(member=uid=whateveruser...)


I had to get my users into the system quickly, so I've modified it to get it working fast ... but I'll be interested to follow the end of the story ..

I certainly have to make it cleaner at some stage, so I will have to understand better how the LDAP request is made from the database info.

I'll get back to you as soon as I get something new.

Thanks

Jerry

from redmine_ldap_sync.

thorin commented on July 25, 2024

Good to hear you found a way to make it work.
But I have to say that it seems like you're using some rather strange rules to get the users and the groups you want.

The :objectclass is a symbol in ruby, it's not a variable.
The filter interprets it the same way as the strings.

In the end, what the following line does is add (objectClass=groupOfNames) to the LDAP search filter:
Net::LDAP::Filter.eq( :objectclass, settings[:class_group])

For example in your changes you could have used 'Net::LDAP::Filter.eq( :cn, settings[:class_group] )' and you would have gotten the same result.

I'm not aware of how the LDAP filters in ChiliProject work but I'll definitely have a look.

from redmine_ldap_sync.
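
The request pattern thorin describes in the thread (one search for all users, then a memberid lookup and a group search per user) and the point that a Symbol and a String attribute name render the same filter, sketched as an added example in plain Ruby. This is not code from the plugin or from Net::LDAP; the helper names (`eq`, `all_of`, `sync_plan`), the base labels and the second sample DN are assumptions made for the illustration.

```ruby
# Added illustration: plain-Ruby stand-in, not the plugin's or Net::LDAP's code.
# Helper names, base labels and sample DNs are constructed for this example.

# RFC 4515: these characters must be hex-escaped inside an assertion value.
ESCAPES = {
  '\\' => '\\5c', '*' => '\\2a', '(' => '\\28', ')' => '\\29', "\x00" => '\\00'
}.freeze

def escape_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| ESCAPES[c] }
end

# Equality filter. The attribute may be a Symbol or a String; both are
# interpolated the same way. Values are treated as literals, so a '*' in the
# value is escaped here instead of acting as a wildcard.
def eq(attribute, value)
  "(#{attribute}=#{escape_value(value)})"
end

# AND-combine filters: (&(a=1)(b=2))
def all_of(*filters)
  "(&#{filters.join})"
end

# Search requests issued by one synchronization run, in order:
# one request for all users, then two per user. That is 1 + 2N requests,
# which is why a packet capture shows hundreds of searchRequests.
def sync_plan(user_dns, class_user: 'person', class_group: 'groupOfNames',
              member_attr: 'member')
  plan = [{ base: :users_base, filter: eq(:objectclass, class_user) }]
  user_dns.each do |dn|
    plan << { base: dn, filter: eq(:objectclass, class_user) }
    plan << { base: :groups_base,
              filter: all_of(eq(:objectclass, class_group), eq(member_attr, dn)) }
  end
  plan
end

# Constructed sample DNs; the second contains characters that need escaping.
USERS = ['uid=surname.name,ou=people', 'uid=o(dd)*name,ou=people'].freeze
PLAN = sync_plan(USERS)

PLAN.each { |req| puts "#{req[:base]}: #{req[:filter]}" } if __FILE__ == $PROGRAM_NAME
```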
