View Issue Details

ID: 1225
Project: RackTables
Category: default
View Status: public
Last Update: 2014-05-10 01:54
Reporter: JimDuff
Assigned To: infrastation
Status: assigned
Resolution: open
Product Version: 0.20.7
Summary: 1225: auth.php LDAP group membership pull based on non-blank displayname_attrs
Description: When configuring LDAP group based authentication, the documentation at indicates displayname_attrs is not required. Looking in auth.php, there is no default value for this option. The secret.php, as created in a new installation, creates the LDAP_options array with this option set to an empty string. Therefore, an admin could assume that this setup will "just work".

However, in function queryLDAPServer, there is a test to see if displayname_attrs is a non-zero length string, and to assemble the display name if so. Unfortunately, it appears that this if statement is not closed, and the section of code that pulls the group membership information will not execute unless displayname_attrs is a non-zero length string.
Additional Information: Trivial fix is to close this if statement:

                isset ($LDAP_options['displayname_attrs']) and
                strlen ($LDAP_options['displayname_attrs']) and
                isset ($LDAP_options['search_dn']) and
                strlen ($LDAP_options['search_dn']) and
                isset ($LDAP_options['search_attr']) and
                strlen ($LDAP_options['search_attr'])

before the code that pulls group membership information.
Tags: No tags attached.
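
The dependency reported above, reduced to a stand-alone PHP sketch that runs without an LDAP server (an added example, not RackTables code and not written by either participant). The function names, the sample options and the directory entry are constructed, and the space-separated format of displayname_attrs is an assumption; only the option keys displayname_attrs, search_dn and search_attr come from the issue.

```php
<?php
// Added illustration, not RackTables code. Function names and the directory
// entry are constructed; only the three option keys come from the issue.

function optionSet ($opts, $key)
{
	return isset ($opts[$key]) && strlen ($opts[$key]) > 0;
}

// Assumption: displayname_attrs is a space-separated list of attribute names.
function buildName ($opts, $entry)
{
	$parts = array();
	foreach (explode (' ', $opts['displayname_attrs']) as $attr)
		if (isset ($entry[$attr]))
			$parts[] = $entry[$attr];
	return implode (' ', $parts);
}

// Reported behaviour: the group pull shares the displayname_attrs guard.
function lookupCoupled ($opts, $entry)
{
	$ret = array ('name' => '', 'groups' => array());
	if (optionSet ($opts, 'displayname_attrs') and optionSet ($opts, 'search_dn') and optionSet ($opts, 'search_attr'))
	{
		$ret['name'] = buildName ($opts, $entry);
		$ret['groups'] = $entry['memberof'];
	}
	return $ret;
}

// One possible arrangement: only the display name depends on displayname_attrs.
function lookupDecoupled ($opts, $entry)
{
	$ret = array ('name' => '', 'groups' => array());
	if (optionSet ($opts, 'search_dn') and optionSet ($opts, 'search_attr'))
	{
		if (optionSet ($opts, 'displayname_attrs'))
			$ret['name'] = buildName ($opts, $entry);
		$ret['groups'] = $entry['memberof'];
	}
	return $ret;
}

// Constructed sample: options with the blank displayname_attrs, one fake entry.
$opts = array ('displayname_attrs' => '', 'search_dn' => 'ou=people,dc=example,dc=org', 'search_attr' => 'uid');
$entry = array ('givenname' => 'Alice', 'sn' => 'Example', 'memberof' => array ('cn=rt-admins,ou=groups,dc=example,dc=org'));
echo 'coupled:   ', json_encode (lookupCoupled ($opts, $entry)), "\n";
echo 'decoupled: ', json_encode (lookupDecoupled ($opts, $entry)), "\n";
```

Comparing the two printed results for the same blank-displayname_attrs options shows whether the group list survives; a check like this is a quick regression test for any permission rule that depends on LDAP group membership.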




2014-05-08 15:20

administrator   ~0002295

I don't get the meaning of the "if" statement being closed, but do you mean the test for the displayname_attrs should be moved to the nested level to enable search_dn and search_attr to work without displayname_attrs?


2014-05-09 00:46

reporter   ~0002299

Getting group membership information is conditional on displayname_attrs being set to something other than the blank string that racktables sets it up with "out of the box". Because displayname_attrs is documented as "not required", I didn't change it. It took me hours to figure out why the group information was not being returned.

If you could either change the installation script to set displayname_attrs to a non-blank string, or move the group membership lookup so it's not dependent on displayname_attrs, that would be far clearer. Does that make sense?


2014-05-09 09:04

administrator   ~0002303

Yes, both of these things. I will work on that.


2014-05-10 01:54

reporter   ~0002305

Thanks for your great support.

Issue History

Date Modified Username Field Change
2014-05-02 07:30 JimDuff New Issue
2014-05-06 19:58 infrastation Assigned To => infrastation
2014-05-06 19:58 infrastation Status new => assigned
2014-05-08 15:20 infrastation Note Added: 0002295
2014-05-09 00:46 JimDuff Note Added: 0002299
2014-05-09 09:04 infrastation Note Added: 0002303
2014-05-10 01:54 JimDuff Note Added: 0002305