LDAP and users name 10 years 9 months ago #274

Jin (Topic Author, Junior Member; Posts: 36; Thank you received: 0)
Hi,
We are planning to upgrade to 2.0. We have 2.0 (svn r995) installed on a server and LDAP is set up the same as on our existing Xerte system. I had these problems:
- Authenticated users from LDAP are able to log onto the new Xerte site, but the user's Firstname and Surname are not written into the logindetails table, therefore it will not show the user's full name on the Xerte pages (e.g., user properties).
- If I log in with a non-existing username but with an existing user's password, it allows me to log onto the Xerte site, and there is no Firstname and Surname in the logindetails table either.
- Then I give a Firstname/Surname to the user and save it. It's in the database. After I click the login button to log on, the Firstname/Surname are empty again.

Here are the LDAP settings:
Host: the university LDAP host name
Port: 389
Password:
Base:
Bind:
Filter: objectClass=person
Second filter: cn=

I have checked the code from Index.php, Login_library.php and user_libery.php through to ldap.php. I don't understand why "GetFirstname" and "GetSurname" didn't work. Why does it allow a non-existing username access? I wonder if anybody could give advice?

Thank you very much.


LDAP and users name 10 years 9 months ago #293

JohnSmith (Platinum Member; Posts: 397; Thank you received: 71)
Hi,

Sorry for the delay in getting back to you. I have passed this around our panel of experts to see if anyone can assist.

Kind regards,

John


LDAP and users name 10 years 9 months ago #298

Jin (Topic Author, Junior Member; Posts: 36; Thank you received: 0)
Many thanks, John. I have asked our server support team and people who understand PHP to check if I have missed anything in upgrading. Now I am working with our LDAP team to test it further. I do not know PHP too much. Hopefully, I will have a clue soon.

BTW, just to let you know that we found that:
(1) we need to set up "LDAP Second filter" as "cn" rather than "cn=", as the "=" has been defined in the code, but this won't solve the problem.
(2) Through management.php, if we set up "The LDAP main filter is: objectClass=person" and "The LDAP second filter is: cn", it will save into the LDAP table in the database as "ldap_filter: cn", "ldap_filter_attr: objectClass=person". This seems not right. So we have to set up "The LDAP main filter is: cn" and "The LDAP second filter is: objectClass=person" in management.php.


LDAP and users name 10 years 9 months ago #309

Pgogy (New Member; Posts: 19; Thank you received: 3)
It used to fail if a user wasn't returned. I am not sure now how the code works; I suspect you are connecting OK but not getting user details back?


LDAP and users name 10 years 9 months ago #315

Jin (Topic Author, Junior Member; Posts: 36; Thank you received: 0)
Hi Pat, I think the LDAP is connected, otherwise it won't let any username+password log in. It seems that when it can't find a user who tries to log in, instead of stopping it tries to bind with an empty value, which the server assumes is an anonymous bind, and it allows them to log in.

Continuing from my previous findings, we also found that:
(3) If we have more than two records in the LDAP table, when we edit the LDAP settings from Management.php, it edits all records in the LDAP table. So all records in the LDAP table become the same apart from their ldap_id.


LDAP and users name 10 years 9 months ago #340

Jin (Topic Author, Junior Member; Posts: 36; Thank you received: 0)
Furthermore, I have tried the suggestions from the Xerte discussion list, like "Xerte LDAP behaviour" and "LDAP configuration for XOT 2.0". Although they didn't work for us, I appreciate that people posted their solutions.

We finally found a way to make our LDAP work with Xerte 2.0 on our test site. Here is a brief summary.

Problems:
We set up the LDAP settings following the Xerte guidance. However, after logging on, the user's Firstname and Surname were not displayed. I wondered why this happened and tested all sorts of username/password combinations. I found it even allowed nonsense usernames to log in.

Solution:
Our LDAP server runs the LDAP search filter to find a username (e.g., cn=***); however, if it's a non-existing user, the result is returned as NULL. Xerte then tries to log in with NULL as the username, which the LDAP server treats as an anonymous bind. That is allowed in our case, so the authentication is technically successful. That is, looking at the ldap.php code, as bind_pwd is blank it will always go on to get $userBaseDn, which in our case is blank. It then passes NULL to the LDAP server for binding, tries to get the username again, and allows the user to log in without getting their firstname and surname.

Therefore, we changed the code in the ldap.php file and it works now.
After Line 172, we added code to stop an anonymous bind:

    if (! $userBaseDn or ! $userBaseDn[0]) {
        return false;
    }
    else {
        if ($ldapConnection) {
            .....
        }
    }

We commented out Line 183 and added code to return the user's full name from the LDAP search:

    $this->_record = array('firstname' => $entry[0][0], 'surname' => $entry[0][0], 'username' => $xot_username);

Tips:
- You need to manually add a record into the LDAP table. It will not add information into this table if you set up the LDAP settings through management.php after you upgrade an existing installation.
- If you have more than one record in the LDAP table, be careful when changing the LDAP settings through management.php, as it will change all your LDAP settings in the LDAP table.
- If you have a problem with LDAP behaviour, check the "_authenticate_to_host" function in the ldap.php file and debug it to see how it responds to the LDAP server. This will save you time.


Thanks. Hope it's useful.
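The failure mode described in this thread (the search returns nothing, an empty DN is handed to ldap_bind(), the directory treats that as an anonymous bind and the login "succeeds") comes down to two checks that belong before any bind call: the search must have resolved exactly one non-empty DN, and the password must be non-empty, because a bind with a DN but no password is an "unauthenticated" bind (RFC 4513, section 5.1) that permissive directories also answer with success. The code below is an added example written for this thread; it is not Xerte's ldap.php and not Jin's patch. The givenName/sn attribute names, the sample entries and the function names are assumptions. The decision logic is kept separate from the network call so it can be run and reasoned about without a directory server.

```php
<?php
// Added example for this thread, not Xerte project code.
// Hardened "search then bind" decision logic: refuse to bind when the
// search found no user or the password is empty, and read the user's
// names from the same entry that was matched.

/**
 * Pick the single DN to bind as from an ldap_get_entries()-shaped result.
 * Returns null when nothing (or more than one thing) was found, so the
 * caller can never pass an empty DN to ldap_bind().
 */
function resolve_user_dn(array $entries): ?string {
    // ldap_get_entries() reports the number of matches in ['count'].
    if (($entries['count'] ?? 0) !== 1) {
        return null;                     // no such user, or ambiguous match
    }
    $dn = $entries[0]['dn'] ?? '';
    return $dn === '' ? null : $dn;
}

/**
 * An empty DN is an anonymous bind; a DN with an empty password is an
 * unauthenticated bind. Neither proves who the caller is, so both are
 * rejected here before the directory is ever asked.
 */
function bind_is_allowed(?string $dn, string $password): bool {
    return $dn !== null && $dn !== '' && $password !== '';
}

/**
 * Names come from the matched entry. ldap_get_entries() lowercases
 * attribute names; givenName/sn are assumed to be the attributes in use.
 */
function extract_names(array $entries): array {
    $e = $entries[0] ?? [];
    return [
        'firstname' => $e['givenname'][0] ?? '',
        'surname'   => $e['sn'][0] ?? '',
    ];
}

/**
 * The only function that touches the directory. $conn is a live
 * ldap_connect() handle and $entries the result of the username search.
 * Returns the user's names on success, null on any refusal or failure.
 */
function authenticate_user($conn, array $entries, string $password): ?array {
    $dn = resolve_user_dn($entries);
    if (!bind_is_allowed($dn, $password)) {
        return null;                     // never reaches ldap_bind()
    }
    if (!@ldap_bind($conn, $dn, $password)) {
        return null;                     // real DN, wrong credentials
    }
    return extract_names($entries);
}

// Constructed sample results shaped like ldap_get_entries() output.
$found = [
    'count' => 1,
    0 => [
        'dn'        => 'cn=jin,ou=staff,dc=example,dc=ac,dc=uk',
        'givenname' => ['count' => 1, 0 => 'Jin'],
        'sn'        => ['count' => 1, 0 => 'Example'],
    ],
];
$missing = ['count' => 0];

var_dump(resolve_user_dn($found));                                       // the DN
var_dump(resolve_user_dn($missing));                                     // NULL
var_dump(bind_is_allowed(null, 'secret'));                               // false
var_dump(bind_is_allowed('cn=jin,ou=staff,dc=example,dc=ac,dc=uk', '')); // false
var_dump(extract_names($found));                                         // Jin / Example
```

Refusals from bind_is_allowed() are worth logging with the submitted username, because a steady stream of "no DN resolved" refusals is exactly the pattern the original code was silently turning into successful logins.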