meeting-room-booking-system / mrbs-code

MRBS application code

LDAP / admin user #2460

Open jberanek opened 5 years ago

jberanek commented 5 years ago

We have been using db auth for a while, but want to switch to ldap.

I have been able to get ldap working correctly as far as allowing users to login. However, I lose access to the admin/user list functions (every user seems to have "user" rights rather than "admin" rights).

Should db and ldap auth be used simultaneously, with the db users as admins? Or, is there some way to give ldap users admin access?

Thank you.

Reported by: *anonymous

Original Ticket: mrbs/support-requests/1758

jberanek commented 5 years ago

Here are the relevant settings in config.inc.php. I tried adding the "ldap_admin_group_dn" for all groups as a test to see if all ldap users would gain admin access. While I am still able to login, no user has admin access.

```php
$auth["type"] = "ldap";

$ldap_host = "freeipa.server.domain.com";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "cn=users,cn=accounts,dc=server,dc=domain,dc=com";
$ldap_user_attrib = "uid";
$ldap_admin_group_dn = "cn=groups,cn=accounts,dc=server,dc=domain,dc=com";
```

Original comment by: *anonymous

jberanek commented 5 years ago

> Should db and ldap auth be used simultaneously, with the db users as admins?

No, they can't be used simultaneously. You have to set $auth['type'] to either 'ldap' or 'db'. Assuming you want to use LDAP, you set it to 'ldap', as you have done. There are then two ways of specifying admins:

(1) If $ldap_admin_group_dn is not set then MRBS looks in the config file for admins specified by $auth['admin'], eg

$auth['admin'] = array('user1', 'user2', 'user3');

(2) If $ldap_admin_group_dn is set then MRBS looks to see whether the user is a member of that group. Note that it is used in conjunction with $ldap_group_member_attrib which by default is 'memberof'.

Original comment by: campbell-m
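As an added illustration of the two admin-selection methods campbell-m describes (example configuration written for this page, not code from the thread or from the MRBS project), here is a config.inc.php fragment with both options side by side. The host, base DN and the group name mrbs-admins are assumed placeholders:

```php
<?php
// Added example config.inc.php fragment (not from the MRBS thread or the
// MRBS source). Host, base DN and group DN values are hypothetical.

$auth["type"] = "ldap";

$ldap_host = "ldap.example.org";
$ldap_port = 389;
$ldap_v3 = true;
$ldap_tls = false;
$ldap_base_dn = "cn=users,cn=accounts,dc=example,dc=org";
$ldap_user_attrib = "uid";

// Method (1): leave $ldap_admin_group_dn unset and list admin usernames
// directly. MRBS only consults this list when $ldap_admin_group_dn is absent.
// $auth['admin'] = array('alice', 'bob');

// Method (2): set $ldap_admin_group_dn to the DN of one specific group
// (hypothetical group 'mrbs-admins' here). MRBS then grants admin rights to a
// user whose entry lists that DN in the attribute named by
// $ldap_group_member_attrib, which defaults to 'memberof'.
$ldap_admin_group_dn = "cn=mrbs-admins,cn=groups,cn=accounts,dc=example,dc=org";
$ldap_group_member_attrib = "memberof";
```

The two methods are alternatives: once $ldap_admin_group_dn is set, $auth['admin'] is no longer consulted, so a group whose DN appears in each admin user's memberof attribute is the only thing that decides admin status.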

jberanek commented 5 years ago

Ok, I had disabled db, but I wanted to be sure.

I must be setting something incorrectly in either $ldap_admin_group_dn or $ldap_group_member_attrib. If I set the admin in config.inc.php with `$auth['admin'][] = 'username';` then it works.

So, what is the proper way to get $ldap_admin_group_dn and $ldap_group_member_attrib interacting with a freeipa backend? Do I need to use the "compat" flag in the cn?

Original comment by: *anonymous