LDAP / Active directory


How to get groups from LDAP/ADS [patch]

If you want to get the user's groups from LDAP/ADS, here is a patch that will do it for you. It will add the user to the groups, but it will not create the groups for you; this you'll have to do yourself.
On my AD server, groups are defined as attributes called "memberOf" and the data looks like:
"CN=groupname, ...., ...., ..."

Two files need to be patched (v3.0):
LDAP.php:

LDAP.php.diff
580a581 > $searchAttributes[] = 'memberOf';
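Review bot: the attribute name 'memberOf' is hard-coded in the line added at 580a581, which ties the lookup to the Active Directory schema. Reading the attribute name from the LDAP settings would let directories that expose membership under a different attribute work, and the same setting should then drive the getAuthData('memberOf') call in the userslib.php patch so the two cannot drift apart.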


userslib.php:

userslib.php.diff
608a609 > $this->assign_user_to_groups($user, $user_ldap_attributes['auth_ldap_groups']); 646a648 > $this->assign_user_to_groups($user, $user_ldap_attributes['auth_ldap_groups']); 668c670,671 < elseif ($userAuth && $userTikiPresent) --- > elseif ($userAuth && $userTikiPresent) { > $this->assign_user_to_groups($user, $user_ldap_attributes['auth_ldap_groups']); 669a673 > } 780a785,796 > $memberships = $a->getAuthData('memberOf'); > $groups = array("Registered"); > foreach($memberships as $membership) { > $parts = explode(',', $membership); > foreach($parts as $part) { > $values = explode('=', $part); > if((count($values) == 2) && in_array($values[0], array('CN', 'cn'))) { > $groups[] = $values[1]; > } > } > } > $user_ldap_attributes['auth_ldap_groups'] = $groups;
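Review bot: in the 780a785,796 hunk the inner loop collects every CN= component of each memberOf value, not only the leading one, so a DN of the form CN=Editors,CN=Users,DC=... (constructed example) would also put the user in a Tiki group named after the container, "Users". Take the CN from the first RDN only, and use a DN-aware split, because explode(',', $membership) also breaks on an escaped comma inside a group name. The foreach runs without checking that getAuthData('memberOf') returned an array, so a user with no memberships or a single value should be handled explicitly. The directory names are also used directly as Tiki group names with no mapping or allow-list, so any directory group whose CN equals the name of a privileged Tiki group grants that privilege at login; an explicit directory-group to Tiki-group map would make that a deliberate decision.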


The list of groups will be updated with every login (so you'd better disable the "remember me" option) and the default group "Registered" will also be added.
That's it.




Thanks, Al, for this solution!

It's good enough as long as you can manage your groups/permissions according to groups you get from Active Directory. If you need groups in TikiWiki which don't map to AD groups you have a problem because on each login the user is taken out of all his/her groups.

I'd like to propose a solution.

Sorry, I don't know how to write a diff file so I'll just explain the changes; they're not complicated.

userslib.php - line 786
//$groups = array("Registered");

i.e. comment out that line; it's not necessary because of the following change

userslib.php - line 1929
// in case resetting group list, do not remove Registered or persistent groups with names beginning *
$query = "delete from `users_usergroups` where `userId`=? and `groupName` != 'Registered' and `groupName` not like '*%'";

i.e. add the comment and add "`groupName` != 'Registered' and `groupName` not like '*%'" to the query

Once you have done this you can create groups with names starting with * and the users will never be removed automatically from those groups.

Hope this helps someone!
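
Added example (not part of either post and not TikiWiki code): a stand-alone PHP sketch of the login-time group sync discussed in this thread, keeping "Registered" and the persistent groups whose names begin with *. The function names, the `$map` allow-list of directory group to Tiki group, and the sample data are assumptions made for illustration.

```php
<?php
// Added example; leading_cn(), reconcile_groups() and $map are hypothetical names.

// Return the CN of the leading RDN of a DN, or null if the DN does not start with CN=.
function leading_cn(string $dn): ?string
{
    // Value runs to the first unescaped comma; an escaped "\," stays inside the value.
    if (!preg_match('/^\s*cn\s*=\s*((?:\\\\.|[^,\\\\])+)/i', $dn, $m)) {
        return null;
    }
    // Unescape single-character escapes such as "\,". Hex-pair escapes are not decoded here.
    return trim(preg_replace('/\\\\(.)/', '$1', $m[1]));
}

// $current:  groups the user holds now
// $memberOf: memberOf values from the directory (null or a single string is tolerated)
// $map:      allow-list, lower-cased directory CN => Tiki group name (assumption)
function reconcile_groups(array $current, $memberOf, array $map): array
{
    $fromDirectory = [];
    foreach ((array) $memberOf as $dn) {
        $cn = leading_cn((string) $dn);
        $key = $cn === null ? null : strtolower($cn);   // directory CNs compare case-insensitively
        if ($key !== null && isset($map[$key])) {
            $fromDirectory[] = $map[$key];               // unmapped directory groups are ignored
        }
    }
    // Same rule as the modified delete query: keep 'Registered' and '*'-prefixed groups.
    $kept = array_filter($current, function ($g) {
        return $g === 'Registered' || strncmp($g, '*', 1) === 0;
    });
    return array_values(array_unique(array_merge(['Registered'], $kept, $fromDirectory)));
}

// Constructed sample data.
$memberOf = [
    'CN=Wiki Editors,CN=Users,DC=example,DC=com',    // container CN "Users" must not become a group
    'CN=Admins,OU=Groups,DC=example,DC=com',         // not in the allow-list
    'CN=Sales\, EMEA,OU=Groups,DC=example,DC=com',   // escaped comma inside the group name
];
$map = ['wiki editors' => 'Editors', 'sales, emea' => 'Sales'];
$current = ['Registered', '*Moderators', 'OldProject'];

print_r(reconcile_groups($current, $memberOf, $map));
```

With this sample the user keeps "Registered" and "*Moderators", loses "OldProject", and gains only the two mapped groups.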