View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|1225||RackTables||default||public||2014-05-02 07:30||2014-05-10 01:54|
|Summary||1225: auth.php LDAP group membership pull based on non-blank displayname_attrs|
|Description||When configuring LDAP group-based authentication, the documentation at http://wiki.racktables.org/index.php/LDAP indicates displayname_attrs is not required. Looking in auth.php, there is no default value for this option. The secret.php, as created in a new installation, creates the LDAP_options array with this option set to an empty string. Therefore, an admin could assume that this setup will "just work".|
However, in function queryLDAPServer, there is a test to see if displayname_attrs is a non-zero length string, and to assemble the display name if so. Unfortunately, it appears that this if statement is not closed, and the section of code that pulls the group membership information will not execute unless displayname_attrs is a non-zero length string.
|Additional Information||Trivial fix is to close this if statement:|
isset ($LDAP_options['displayname_attrs']) and
strlen ($LDAP_options['displayname_attrs']) and
isset ($LDAP_options['search_dn']) and
strlen ($LDAP_options['search_dn']) and
isset ($LDAP_options['search_attr']) and
before the code that pulls group membership information.
|Tags||No tags attached.|
|I don't get the meaning of the "if" statement being closed, but do you mean the test for the displayname_attrs should be moved to the nested level to enable search_dn and search_attr to work without displayname_attrs?|
Getting group membership information is conditional on displayname_attrs being set to something other than the blank string that RackTables sets it up with "out of the box". Because displayname_attrs is documented as "not required", I didn't change it. It took me hours to figure out why the group information was not being returned.
If you could either change the installation script to set displayname_attrs to a non-blank string, or move the group membership lookup so it's not dependent on displayname_attrs, that would be far clearer. Does that make sense?
|Yes, both of these things. I will work on that.|
|Thanks for your great support.|
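The control-flow problem discussed in this issue, as an added illustration that is not RackTables code and not written by either participant: one combined test guarding both lookups, next to the separated form with the displayname_attrs test moved to the nested level. Only the three option names come from the report; the stubbed lookup, the helper and function names, the result keys `displayed_name` and `memberof`, and the space-separated format of displayname_attrs are assumptions.

```php
<?php
// Added illustration, not RackTables code. The LDAP search is replaced by a
// stub returning a constructed entry, so this runs without a directory.
function stubSearch(string $user): array {
    return ['givenname' => 'Jim', 'sn' => 'Duff',   // constructed sample entry
            'memberof' => ['cn=rt-admins,ou=groups,dc=example,dc=com']];
}

function hasOpt(array $o, string $k): bool {
    return isset($o[$k]) && strlen($o[$k]) > 0;
}

function displayName(array $entry, string $attrs): string {
    // Assumption: the option is a space-separated list of attribute names.
    return implode(' ', array_intersect_key($entry, array_flip(explode(' ', $attrs))));
}

// Shape described in the report: one combined test guards both lookups, so a
// blank displayname_attrs also skips the group membership pull.
function queryNested(array $o, string $user): array {
    $ret = ['displayed_name' => '', 'memberof' => []];
    if (hasOpt($o, 'displayname_attrs') && hasOpt($o, 'search_dn') && hasOpt($o, 'search_attr')) {
        $entry = stubSearch($user);
        $ret['displayed_name'] = displayName($entry, $o['displayname_attrs']);
        $ret['memberof'] = $entry['memberof'];
    }
    return $ret;
}

// Separated form: membership depends only on the search options, and the
// display name test sits at the nested level.
function querySeparated(array $o, string $user): array {
    $ret = ['displayed_name' => '', 'memberof' => []];
    if (hasOpt($o, 'search_dn') && hasOpt($o, 'search_attr')) {
        $entry = stubSearch($user);
        $ret['memberof'] = $entry['memberof'];
        if (hasOpt($o, 'displayname_attrs'))
            $ret['displayed_name'] = displayName($entry, $o['displayname_attrs']);
    }
    return $ret;
}

// Constructed options mirroring a fresh install: displayname_attrs left blank.
$opts = ['displayname_attrs' => '', 'search_dn' => 'ou=people,dc=example,dc=com', 'search_attr' => 'uid'];
printf("nested:    %d group(s)\n", count(queryNested($opts, 'jim')['memberof']));
printf("separated: %d group(s)\n", count(querySeparated($opts, 'jim')['memberof']));
```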
|2014-05-02 07:30||JimDuff||New Issue|
|2014-05-06 19:58||infrastation||Assigned To||=> infrastation|
|2014-05-06 19:58||infrastation||Status||new => assigned|
|2014-05-08 15:20||infrastation||Note Added: 0002295|
|2014-05-09 00:46||JimDuff||Note Added: 0002299|
|2014-05-09 09:04||infrastation||Note Added: 0002303|
|2014-05-10 01:54||JimDuff||Note Added: 0002305|