Hi, Juergen -
Now it's my turn to apologize for taking so long to reply. I haven't had any time to work on the LDAP plugin and I'm not an LDAP expert but I'll do my best to answer your questions below.
On Sat, Apr 7, 2012 at 9:59 AM, <juergen@...> wrote:
Hello Bharat,
I'm terribly sorry to reply so late to your private message on the Gallery forums. I've had some stressful things happen (new job, big move and so on) and did not have much time for programming. So your reply was forgotten, unfortunately.
I had contacted you on the Gallery forums and offered to write documentation in exchange for your help with making Gallery 3's LDAP authentication work. I try to use https://github.com/gallery/gallery3-contrib/tree/master/3.0/modules/ldap, and the post with my problem description is at http://gallery.menalto.com/node/104811 .
Usually, when working with an LDAP server, you've got the following values:
- Server name / IP Address
- Administrative DN
- Password
- A root DN
- Attribute names for POSIX attributes (UID number, GID number and so on)
I would expect the config files for an LDAP module to contain a place to enter those values. But when I look at identity.php, it seems that it mixes terminology from the Gallery world and from the LDAP world. Could you please describe (in a bit more detail compared to the file's comments) what values I have to enter there? For example, how do "group_domain" and "user_domain" map onto a POSIX-style LDAP user directory?
So basically when I did this I didn't have a lot of LDAP test beds to work against. I work at Google so I used the Google internal corporate LDAP setup, did my best to get it working there and basically stopped when it worked. The way that PHP does LDAP support is that you call ldap_connect() then ldap_bind().
ldap_connect is pretty straightforward, it's using the url param from the config file. Once you have the connection, ldap_bind expects a root DN and password, which are the bind_rdn and bind_password fields in the config file.
After that, everything basically just worked for me. There are a few extra params in the config file:
groups: this is the set of LDAP groups that we intend to map over into Gallery 3 groups - I do this because Google internally has a ton of groups and I don't want to try to map them all
everybody_group: this is the LDAP group that maps to a non-authenticated user - eg a guest.
registered_users_group: this is the LDAP group that contains every single user (but not guests)
admins: this is an array of LDAP users who have admin access in Gallery 3
group_domain and user_domain: these are the search paths that ldap_search uses to do lookups. For users, when looking up by name we look for "uid=<name>". When looking up by id we look for "uidNumber=<id>". For groups we use gidNumber and cn.
I can answer any specific questions...
Many thanks in advance
Jürgen
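As an added illustration (not the ldap module's own code and not part of the thread), here is a PHP sketch of the connect / bind / search flow Bharat describes, using the config keys from identity.php that he names (url, bind_rdn, bind_password, user_domain, group_domain, groups, everybody_group, registered_users_group, admins). The hostname, DNs and group names are placeholders, and the LDAPv3 option, the STARTTLS step, the empty-password check and the ldap_escape() call are hardening I added, not something the thread says the module does.

```php
<?php
// Added example, not Gallery 3's ldap module. Hostnames, DNs and group names
// below are assumed placeholders; the config keys match identity.php as
// described in the thread.
$config = array(
    'url'                    => 'ldap://ldap.example.com',                 // assumed host
    'bind_rdn'               => 'cn=gallery,ou=services,dc=example,dc=com', // assumed service DN
    'bind_password'          => 'change-me',                               // placeholder
    'user_domain'            => 'ou=people,dc=example,dc=com',             // search base for users
    'group_domain'           => 'ou=groups,dc=example,dc=com',             // search base for groups
    'groups'                 => array('gallery-users', 'gallery-admins'),  // LDAP groups mapped into Gallery
    'everybody_group'        => 'everybody',                               // maps to the guest user
    'registered_users_group' => 'gallery-users',                           // every real user, no guests
    'admins'                 => array('alice'),                            // LDAP uids with admin access
);

// ldap_connect() + ldap_bind() as in the thread, plus the checks a
// practitioner would want before sending a service-account password.
function ldap_open_and_bind(array $config) {
    $ds = ldap_connect($config['url']);
    if ($ds === false) {
        throw new RuntimeException('ldap_connect failed: bad url');
    }
    // PHP defaults to LDAPv2; most servers reject the bind without this.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Plain ldap:// sends bind_password in the clear; upgrade to TLS first.
    if (strpos($config['url'], 'ldaps://') !== 0 && !@ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }
    // ldap_bind() with an empty password is an anonymous bind that "succeeds"
    // without authenticating anything, so refuse it explicitly.
    if ($config['bind_password'] === '') {
        throw new RuntimeException('refusing anonymous bind');
    }
    if (!@ldap_bind($ds, $config['bind_rdn'], $config['bind_password'])) {
        throw new RuntimeException('ldap_bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Build the "attr=value" filters the thread describes (uid / uidNumber for
// users, cn / gidNumber for groups). The value is escaped so an input such
// as "*)(uid=*" cannot rewrite the filter (LDAP filter injection).
function attr_filter($attr, $value) {
    return sprintf('(%s=%s)', $attr, ldap_escape((string) $value, '', LDAP_ESCAPE_FILTER));
}

// Look a user up by name ('uid') or numeric id ('uidNumber') under user_domain.
function lookup_user($ds, array $config, $attr, $value) {
    $result = ldap_search($ds, $config['user_domain'], attr_filter($attr, $value),
                          array('uid', 'uidNumber', 'gidNumber', 'mail'));
    $entries = ldap_get_entries($ds, $result);
    // More than one match means the base DN or filter is wrong; treat as not found.
    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];                     // ldap_get_entries() lowercases attribute names
    return array(
        'name'  => $e['uid'][0],
        'id'    => (int) $e['uidnumber'][0],
        'gid'   => (int) $e['gidnumber'][0],
        'admin' => in_array($e['uid'][0], $config['admins'], true),
    );
}

// Look a group up by name ('cn') or numeric id ('gidNumber') under group_domain.
function lookup_group($ds, array $config, $attr, $value) {
    $result = ldap_search($ds, $config['group_domain'], attr_filter($attr, $value),
                          array('cn', 'gidNumber'));
    $entries = ldap_get_entries($ds, $result);
    if ($entries['count'] !== 1) {
        return null;
    }
    return array('name' => $entries[0]['cn'][0], 'id' => (int) $entries[0]['gidnumber'][0]);
}

// Usage (needs a reachable server at the assumed url):
//   $ds = ldap_open_and_bind($config);
//   print_r(lookup_user($ds, $config, 'uid', 'alice'));
//   print_r(lookup_user($ds, $config, 'uidNumber', 1001));
//   print_r(lookup_group($ds, $config, 'cn', $config['registered_users_group']));
```

ldap_escape() exists from PHP 5.6 on; on older PHP you have to escape the filter metacharacters ( ) * \ and NUL yourself before interpolating a user-supplied name into "uid=<name>".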
----------
From: bharat
To: jstarek
Subject: Re: Configuring LDAP - I can write documentation
Date: Tue, 2012-01-24 04:38
Happy to try to help you out in return for some docs. But be warned, I am not an LDAP expert! Email me at bharat@... and I'll help, but also be warned that my time is very limited so it may take several days between replies.
jstarek wrote:
Dear Bharat,
in 2010, on several threads, you helped people out with getting Gallery 3's LDAP module to run. I, too, have the problems that were discussed back then, but could not solve them yet. Since I currently have some time, but do not have experience with PHP and debugging web applications, I'd like to ask you if you could assist me this one time in getting the module to work, so that I can create the wiki page for it and also put in some in-code comments about the meaning of the config options.
Please let me know what you think.
Best regards,
Jürgen
__[ gallery-devel ]_________________________
[ list info/archive --> http://gallery.sf.net/lists.php ]
[ gallery info/FAQ/download --> http://gallery.sf.net ]