xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.

AD Typo3 V8 and V9, group membership checks don't work #56

Closed Flashdown closed 4 years ago

Flashdown commented 5 years ago

Hello together,

For me the group lookup on FE user login does not work, so membership is not detected. Also, when importing users manually, no groups are assigned to the user in Typo3; the same happens when I manually import the target groups that the user is a direct member of. Apache2 (Linux), T3 9.5.4 on PHP 7.2 with plugin config against Active Directory; in the plugin I can successfully import groups and users. So only user authentication against AD is currently working for me, but the AD group memberships remain unknown to Typo3. I've also tested on Typo3 8.7.24; last time I tried with Typo3 V8.7.4 just to test if it might work with an older V8, but still no luck.

My Test ENV is:

Right now I am just trying FE Auth, without SSO, but since I was unable to get it running, I did not yet test BE Authentication.

Short Config Insight:

Tab LDAP: 
Bind DN: cn=MySpecialUser,cn=Users,dc=domain,dc=com
Relation between groups and users : user contains the list of its associated groups

TAB FE_Users:
Base DN: ou=Users,ou=ATREE,dc=sub,dc=domain,dc=com
Filter: (&(sAMAccountName={USERNAME})(objectClass=user)(objectCategory=person))
pid = 3
email = <mail>
name = <cn>
first_name = <givenName>
last_name = <sn>
title = <title>
address = <streetAddress>
zip = <postalCode>
city = <l>
telephone = <telephoneNumber>
lastlogin = {DATE}
usergroup = <memberof>

TAB FE_Groups
Base DN: ou=Groups,ou=ATREE,dc=sub,dc=domain,dc=com
Filter: (&(sAMAccountName={USERNAME})(objectClass=group))
pid = 3
title = <cn>

Am I doing something wrong in my configuration?

One suggested trying the following:

  1. Relation between groups and users: Group contains the list of its members
  2. Remove the usergroup property mapping.

But this just led to many groups being imported, but my test user was still not a member of these AD groups in Typo3, even though it is a member of them in AD. AD role memberships are also not reflected in Typo3, like group a is member of group b. If I configure the plugin to require a group membership of an AD group, then logins do not work either, even though the user is a direct member of that AD role.

Any suggestions or information on the tested Typo3 versions that were used during the plugin's development for V8 and V9 would be highly appreciated.

My last idea is to install a clean v8 or v9 instead of testing on the upgraded Typo3, just to find out whether it would at least work then. Update: Tried with a fresh Typo3 8.7.24 install and I got exactly the same results, too bad :/ but at least I know that my upgraded Typo3 install is not the issue. Any help is highly appreciated; even information about the Typo3 V8 and V9 versions where this plugin is working for you against Active Directory would be helpful.

In the meantime I've also tested BE authentication with the same results: I can log in successfully and my user gets greeted, but no groups are created/imported. Even if I import those groups manually prior to login, my user's membership of those groups is not reflected in Typo3.

If I follow what was once suggested, changing the relation in the LDAP conf to "groups contains the list of its members" and removing the usergroup mapping, then I get, as expected, a bunch of groups being imported, but my user's membership of any of those groups is not reflected in Typo3 and I get a Typo3 exception during login attempts, same as on the frontend with these settings:

Core: Exception handler (WEB): Uncaught TYPO3 Exception: An exception occurred while executing 'UPDATEbe_usersSETuid= ?,pid= ?,tstamp= ?,username= ?,description= ?,avatar= ?,password= ?,admin= ?,usergroup= ?,disable= ?,starttime= ?,endtime= ?,lang= ?,email= ?,db_mountpoints= ?,options= ?,crdate= ?,cruser_id= ?,realName= ?,userMods= ?,allowed_languages= ?,uc= ?,file_mountpoints= ?,file_permissions= ?,workspace_perms= ?,lockToDomain= ?,disableIPlock= ?,deleted= ?,TSconfig= ?,lastlogin= ?,createdByAction= ?,usergroup_cached_list= ?,workspace_id= ?,workspace_preview= ?,category_perms= ?,tx_igldapssoauth_dn= ?,tx_igldapssoauth_id= ? WHEREuid= ?' with params [2, 0, 1558945920, "mytestuser", "", 0, "$pbkdf2-sha256$25000$y6jmac3C3gW20\/2rii04rg$TJtEy4R5Njc8\/6KiV14M6XeSy7fEGxT17EyPtBtfB\/8", 0, "7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,5,4,40,6,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103", "0", 0, 0, "", "", null, 3, 1558945681, 0, "test user", null, "", "a:14:{s:14:\"interfaceSetup\";s:7:\"backend\";s:10:\"moduleData\";a:0:{}s:19:\"thumbnailsByDefault\";i:1;s:14:\"emailMeAtLogin\";i:0;s:11:\"startModule\";s:22:\"help_AboutAboutmodules\";s:8:\"titleLen\";i:50;s:8:\"edit_RTE\";s:1:\"1\";s:20:\"edit_docModuleUpload\";s:1:\"1\";s:15:\"resizeTextareas\";i:1;s:25:\"resizeTextareas_MaxHeight\";i:500;s:24:\"resizeTextareas_Flexible\";i:0;s:4:\"lang\";s:0:\"\";s:19:\"firstLoginTimeStamp\";i:1558945696;s:17:\"BackendComponents\";a:1:{s:6:\"States\";a:1:{s:17:\"typo3-module-menu\";a:1:{s:9:\"collapsed\";s:4:\"true\";}}}}", null, "readFolder,writeFolder,addFolder,renameFolder,moveFolder,deleteFolder,readFile,writeFile,addFile,renameFile,replaceFile,moveFile,copyFile,deleteFile", 1, "", 0, 0, null, 1558945777, 0, null, 0, 1, null, "CN=test 
user,OU=Users,OU=ATREE,DC=sub,DC=domain,DC=com", 1, 2]: Data too long for column 'usergroup' at row 1 | Doctrine\DBAL\Exception\DriverException thrown in file /var/www/typo3/vendor/doctrine/dbal/lib/Doctrine/DBAL/Driver/AbstractMySQLDriver.php in line 115. Requested URL: https://testtypo3.sub.domain.com/typo3/index.php?loginProvider=1433416747

And I got the same error message when my test user in my AD is just a member of 2 groups without any deeper linked roles and permissions. So the ERROR MSG makes me believe the plugin wants to make my user a member of every group the plugin could find in AD regardless of my user's group memberships, which is what makes the data column too long. So I am falling back to my normal settings mentioned at the top of this post, as I am pretty sure they were already fine.

Best regards Flashdown

Flashdown commented 5 years ago

Finally, I found out what the problem is, I will report it back soon.

Flashdown commented 5 years ago

So, the issue is that in /Classes/Library/LdapGroup.php on line 52 a check happens for cases where $groupDn does not match the required baseDn for LDAP groups. As the configuration examples from the plugin are all lowercase instead of uppercase, my config failed because the check is case sensitive and therefore no groups were ever returned. So I've made it case insensitive to kill this burden once and for everyone :) A pull request is on its way.
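
The case mismatch described in the comment above, as an added example (not the extension's code and not the pull request): the hypothetical helpers `normalizeDn()` and `isUnderBaseDn()` filter group DNs against the base DN from the FE_Groups tab, first case-sensitively and then case-insensitively. The group names in `$memberOf` are constructed.

```php
<?php
declare(strict_types=1);

// Lowercase a DN and drop spaces around "," and "=" so that two spellings
// of one DN compare equal. Simplified: escaped separators and multi-valued
// RDNs ("+") are not handled. Requires the mbstring extension.
function normalizeDn(string $dn): string
{
    $dn = (string) preg_replace('/\s*([,=])\s*/', '$1', trim($dn));
    return mb_strtolower($dn, 'UTF-8');
}

// True when $dn equals $baseDn or lies below it. The base must start on an
// RDN boundary (be preceded by a comma), not merely be a string suffix.
function isUnderBaseDn(string $dn, string $baseDn, bool $caseSensitive = false): bool
{
    if (!$caseSensitive) {
        $dn = normalizeDn($dn);
        $baseDn = normalizeDn($baseDn);
    }
    if ($baseDn === '') {
        return false; // an empty base DN scopes nothing, so fail closed
    }
    if ($dn === $baseDn) {
        return true;
    }
    $suffix = ',' . $baseDn;
    return strlen($dn) > strlen($suffix)
        && substr($dn, -strlen($suffix)) === $suffix;
}

// Base DN as entered on the FE_Groups tab above (lower-case attribute types).
$baseDn = 'ou=Groups,ou=ATREE,dc=sub,dc=domain,dc=com';
// Constructed memberOf values in the upper-case form Active Directory returns.
$memberOf = [
    'CN=Editors,OU=Groups,OU=ATREE,DC=sub,DC=domain,DC=com',
    'CN=Domain Users,CN=Users,DC=sub,DC=domain,DC=com',
];

foreach ([true, false] as $caseSensitive) {
    $kept = array_values(array_filter(
        $memberOf,
        function (string $dn) use ($baseDn, $caseSensitive): bool {
            return isUnderBaseDn($dn, $baseDn, $caseSensitive);
        }
    ));
    printf("%-16s keeps %d group(s): %s\n",
        $caseSensitive ? 'case-sensitive' : 'case-insensitive',
        count($kept), implode(' | ', $kept));
}
```

Groups outside the configured base DN are excluded in both modes, so making the comparison case-insensitive does not widen which groups can be mapped to TYPO3 groups.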

ulrike-cosmoblonde commented 4 years ago

Hi, the suggested fix from Flashdown has worked for me! Thank you!