Author Topic: Howto filter member of group? LDAP Address book + AD  (Read 10900 times)

maxdata (Newbie, Posts: 3)
Howto filter member of group? LDAP Address book + AD
« on: May 25, 2010, 04:33:49 AM »
Hello!
I'm using LDAP from Active Directory (win2k3). I have user TEST1 in ou=IT who is a member of group MAILIT. I have user TEST2 in another organizational unit, ou=IT2, who is also a member of group MAILIT (a security group in cn=Users). How can I filter the members of group MAILIT?

The configuration below is not working, it finds 0 entries. Thanks for any help.

Code:
$rcmail_config['ldap_public']['somedomain.cz'] = array(
'name'                  => 'somedomain.cz',
'hosts'                 => array('192.168.x.x'),
'port'                  => 389,
'base_dn'               => 'dc=somedomain,dc=cz',
'bind_dn'               => 'ldap@somedomain.cz',
'bind_pass'             => '******',
'writable'              => false,
'ldap_version'          => 3,
'encoding'              => 'utf8',
'search_fields'         => array('Email', 'Name'),
'name_field'            => 'cn', // this field represents the contact's name
'email_field'           => 'mail', // this field represents the contact's e-mail
'firstname_field'       => 'givenName',
'surname_field'         => 'sn',
'sort'                  => 'cn',
'scope'                 => 'sub', // search mode: sub|base|list
'filter'                => 'memberof=MAILIT',
'fuzzy_search'          => true); // server allows wildcard search

maxdata (Newbie, Posts: 3)
research
« Reply #1 on: May 25, 2010, 07:52:18 AM »
Some workaround. I figured out how to set the filter, but I cannot search the whole domain (base_dn beginning with dc=...) with scope sub or scope list. With scope base everything is OK, but I need sub. ldap_search in my testing PHP script is working on the base dc. It looks like a bug in Roundcube, please could somebody try it.

Configuration and test:
This is OK:

Code:
$rcmail_config['ldap_public']['somedomain.cz'] = array(
'name'                  => 'somedomain.cz',
'hosts'                 => array('192.168.x.x'),
'port'                  => 389,
'base_dn'               => 'ou=IT,dc=somedomain,dc=cz',
'bind_dn'               => 'ldap@somedomain.cz',
'bind_pass'             => '******',
'writable'              => false,
'ldap_version'          => 3,
'encoding'              => 'utf8',
'search_fields'         => array('Email', 'Name'),
'name_field'            => 'cn', // this field represents the contact's name
'email_field'           => 'mail', // this field represents the contact's e-mail
'firstname_field'       => 'givenName',
'surname_field'         => 'sn',
'sort'                  => 'cn',
'scope'                 => 'sub', // search mode: sub|base|list
'filter'                => 'memberOf=CN=MAILIT,CN=USERS,DC=SOMEDOMAIN,DC=CZ',
'fuzzy_search'          => true); // server allows wildcard search
This is not OK (search of the whole domain without cn or ou):
Code:
$rcmail_config['ldap_public']['somedomain.cz'] = array(
'name'                  => 'somedomain.cz',
'hosts'                 => array('192.168.x.x'),
'port'                  => 389,
'base_dn'               => 'dc=somedomain,dc=cz',
'bind_dn'               => 'ldap@somedomain.cz',
'bind_pass'             => '******',
'writable'              => false,
'ldap_version'          => 3,
'encoding'              => 'utf8',
'search_fields'         => array('Email', 'Name'),
'name_field'            => 'cn', // this field represents the contact's name
'email_field'           => 'mail', // this field represents the contact's e-mail
'firstname_field'       => 'givenName',
'surname_field'         => 'sn',
'sort'                  => 'cn',
'scope'                 => 'sub', // search mode: sub|base|list
'filter'                => 'memberOf=CN=MAILIT,CN=USERS,DC=SOMEDOMAIN,DC=CZ',
'fuzzy_search'          => true); // server allows wildcard search

Error in the ldap_debug log "roundcube/logs/ldap":
Code:
[date time]: C: Search [MAILIT,CN=USERS,DC=SOMEDOMAIN,DC=CZ]
[date time]: S: Operations error

It works in ldp.exe on the Windows domain server:
Code:
BaseDn:
DC=SOMEDOMAIN,DC=CZ
Filter:
memberOf=CN=MAILIT,CN=USERS,DC=SOMEDOMAIN,DC=CZ

OUTPUT:
Code:
***Searching...
ldap_search_s(ld, "DC=SOMEDOMAIN,DC=CZ", 2, "memberOf=CN=MAILIT,CN=Users,DC=SOMEDOMAIN,DC=CZ", attrList,  0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
>> Dn: CN=Martin XY,OU=IT,DC=SOMEDOMAIN,DC=CZ
4> objectClass: top; person; organizationalPerson; user;
1> cn: Martin XY;
1> distinguishedName: Martin XY,OU=IT,DC=SOMEDOMAIN,DC=CZ;
1> name: Martin XY;
1> canonicalName: SOMEDOMAIN/OIT/Martin XY;
>> Dn: CN=test2 test2,CN=Users,DC=SOMEDOMAIN,DC=CZ
4> objectClass: top; person; organizationalPerson; user;
1> cn: test2 test2;
1> distinguishedName: CN=test2 test2,CN=Users,DC=SOMEDOMIAN,DC=CZ;
1> name: test2 test2;
1> canonicalName: SOMEDOMAIN/Users/test2 test2;



Server:
Debian stable Lenny: Linux roundcube 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686 GNU/Linux
php5: PHP Version 5.2.6-1+lenny8
Active directory Win2k3
Roundcube 0.3 stable.
« Last Edit: May 25, 2010, 09:31:17 AM by maxdata »

futurecis (Jr. Member, Posts: 22) - http://www.futurecis.com
Howto filter member of group? LDAP Address book + AD
« Reply #2 on: May 25, 2010, 09:57:40 AM »
I also had several LDAP issues in RC0.3. I ended up pulling some LDAP patches from the trunk and it fixed my search issues. Can you download a copy of .4 and see if your issue is resolved? If not, we can explore it further.

maxdata (Newbie, Posts: 3)
Howto filter member of group? LDAP Address book + AD
« Reply #3 on: May 26, 2010, 02:34:42 AM »
Quote from: futurecis;27645
I also had several LDAP issues in RC0.3. I ended up pulling some LDAP patches from the trunk and it fixed my search issues. Can you download a copy of .4 and see if your issue is resolved? If not, we can explore it further.


OK, upgraded to 0.4 beta and same problem.
Error:
Code:
'base_dn' => 'DC=SOMEDOMAIN,DC=CZ'
Code:

[26-May-2010 08:32:40 +0200]: C: Connect [192.168.x.x:389]
[26-May-2010 08:32:40 +0200]: S: OK
[26-May-2010 08:32:40 +0200]: C: Bind [dn: technik1@somedomain.cz] [pass: *****]
[26-May-2010 08:32:40 +0200]: S: OK
[26-May-2010 08:32:40 +0200]: C: Search [memberOf=CN=TESTGROUP,CN=Users,DC=SOMEDOMAIN,DC=CZ]
[26-May-2010 08:32:40 +0200]: S: Operations error
[26-May-2010 08:32:40 +0200]: C: Search [memberOf=CN=TESTGROUP,CN=Users,DC=SOMEDOMAIN,DC=CZ]
[26-May-2010 08:32:40 +0200]: S: Operations error

OK:
Code:
'base_dn' => 'OU=IT,DC=SOMEDOMAIN,DC=CZ'
Code:

[26-May-2010 08:30:26 +0200]: C: Connect [192.168.*.*:389]
[26-May-2010 08:30:26 +0200]: S: OK
[26-May-2010 08:30:26 +0200]: C: Bind [dn: technik1@somedomain.cz] [pass: ******]
[26-May-2010 08:30:26 +0200]: S: OK
[26-May-2010 08:30:26 +0200]: C: Search [memberOf=CN=TESTGROUP,CN=Users,DC=SOMEDOMAIN,DC=CZ]
[26-May-2010 08:30:26 +0200]: S: 1 record(s)

allywilson (Newbie, Posts: 1)
Howto filter member of group? LDAP Address book + AD
« Reply #4 on: July 03, 2010, 09:29:46 AM »
I've got the same problem.

I have to specify a sub-OU for LDAP to correctly search. If I just give the base DN as "DC=local,DC=net" for example it fails. If I specify "OU=whatever,DC=local,dc=net" it works fine. It's a pain, as my OU structure is based on region (UK, FR, ES, DE, etc). I can obviously work around it, but it would be good if this could be resolved.

I now need to go create 16 different address books :-(

sea_owl (Newbie, Posts: 1)
Howto filter member of group? LDAP Address book + AD
« Reply #5 on: November 25, 2010, 06:51:46 AM »
Hi!
I've got stuck on this too.
After some Active Directory investigation, a solution was found. Now searching the whole domain tree is working. You just need to use port 3268 (the global catalog port) on the Active Directory server. Here is a working example:

Code:
$rcmail_config['ldap_public']['ldap.nashdoctor.org'] = array(
'name'          => 'nashdoctor.org',
'encoding'      => 'utf8',
'hosts'         => array('ldap.nashdoctor.org'),
// --------------------------
'port'          => 3268,   // global catalog port, not 389
// --------------------------
'use_tls'       => false,
'user_specific' => false,
'base_dn'       => 'dc=nashdoctor,dc=org',
'bind_dn'       => 'cn=sea_owl,ou=dept-it,dc=nashdoctor,dc=org',
'bind_pass'     => '***',
'writable'      => false,
'LDAP_Object_Classes' => array("top", "inetOrgPerson"),
'required_fields'     => array("cn", "sn", "mail"),
'LDAP_rdn'      => 'mail',
'ldap_version'  => 3,
'search_fields' => array('mail', 'cn', 'displayName'),
'name_field'    => 'displayName',
'email_field'   => 'mail',
'surname_field' => 'sn',
'firstname_field' => 'givenName',
'sort'          => 'cn',
'scope'         => 'sub',
'filter'        => 'mail=*',
'fuzzy_search'  => true,
'sizelimit'     => '0',
'timelimit'     => '0'
);
// ----------------- nashdoctor.org -----------------------


have a nice day with roundcube :)
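A stand-alone PHP check that combines the full-DN memberOf filter from reply #1 with the global catalog port from reply #5, added here as an example and not taken from the thread or from Roundcube. It goes beyond the thread by escaping the group DN before it is placed in the filter and by offering AD's nested-group matching rule; the host, bind account, group DN and password are placeholders.

```php
<?php
// Added example (not from the thread or Roundcube): a stand-alone script that
// runs the memberOf search the address book would, so filter and base_dn can
// be checked outside webmail. Host, bind account, group DN, password: placeholders.

// Escape a value for an LDAP search filter (RFC 4515) so a group DN taken
// from config or user input cannot rewrite the filter. ldap_escape() only
// exists from PHP 5.6 and the thread runs PHP 5.2, hence this helper.
function filter_escape($value) {
    return strtr($value, array('\\' => '\5c', '*' => '\2a', '(' => '\28',
                               ')' => '\29', "\0" => '\00'));
}

// memberOf must be compared with the group's full DN, not the bare name
// ('memberof=MAILIT' matches nothing, as the first post found). With $nested,
// AD's matching rule OID 1.2.840.113556.1.4.1941 also follows nested groups.
function member_of_filter($group_dn, $nested = false) {
    $attr = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
    return '(&(objectClass=user)(' . $attr . '=' . filter_escape($group_dn) . '))';
}

function search_group_members($host, $port, $bind_dn, $bind_pass, $base_dn, $group_dn) {
    $ds = ldap_connect("ldap://$host:$port");
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    // A subtree search from the domain root on 389 makes AD return referrals
    // to its other naming contexts; libldap chases them unauthenticated and
    // reports "Operations error". Disabling chasing (or using GC port 3268,
    // as in reply #5) avoids that.
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    if (!@ldap_bind($ds, $bind_dn, $bind_pass)) throw new RuntimeException('bind failed: ' . ldap_error($ds));
    $sr = @ldap_search($ds, $base_dn, member_of_filter($group_dn),
                       array('cn', 'mail', 'givenName', 'sn'));
    if (!$sr) throw new RuntimeException('search failed: ' . ldap_error($ds));
    $entries = ldap_get_entries($ds, $sr);
    ldap_unbind($ds);
    $members = array();
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        $members[] = array('dn'   => $e['dn'],
                           'cn'   => isset($e['cn'][0]) ? $e['cn'][0] : '',
                           'mail' => isset($e['mail'][0]) ? $e['mail'][0] : '');
    }
    return $members;
}

$group = 'CN=MAILIT,CN=Users,DC=somedomain,DC=cz';   // full DN, as in reply #1
foreach (search_group_members('192.168.x.x', 3268, 'ldap@somedomain.cz',
         'PLACEHOLDER_PASSWORD', 'dc=somedomain,dc=cz', $group) as $m) {
    echo $m['cn'], ' <', $m['mail'], '> ', $m['dn'], "\n";
}
```

If the global catalog is not reachable, running the same script against port 389 still works because referral chasing is switched off; the Roundcube config itself has no switch for that, which is why the thread's fix is the port change.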