
LDAP Sync Not working Correctly

Status
Open
Subject
LDAP Sync Not working Correctly
Version
12.x Regression
15.x
Category
  • Regression
Feature
External Authentication (LDAP, AD, PAM, CAS, etc)
Resolution status
New
Submitted by
jcarter
Volunteered to solve
Lastmod by
RadoS
Rating
(0)
Description

Behavior for ldap should be as follows:

  1. if user added to group in AD, added to group in tiki when log in
  2. if user removed from group in AD, removed from group in tiki when log in


1 is working fine, but 2 is broken. This is hard to demonstrate, as I can't really hook my AD up to a demonstration instance, but I have it set up in my Tiki 11 install, and it works perfectly; it is not working on the latest 12.x pulled from svn (r49012 at the moment).

Another problem that can cause the same symptoms, but is not the cause of the behavior above, is that when you edit an external group via tiki-admingroups.php?group=<group>, the isExternal flag in the users_groups table gets set to "n" for that group. This means that if you change the description of an external group in Tiki, or set that group to inherit, or even don't change anything but click "Save" on the group options page, the group will no longer be treated as external, and you will see 2 break again. I submitted item4398 about this a while ago, but I figured I'd dump it here as well.

Solution

I believe I have found the solution.

What I believe the issue is can be found at line 1310 in lib/userslib.php:

    // Sync Tiki groups with LDAP groups data
    function ldap_sync_group_data($user, $ldapgroups)
    {
        global $prefs;
        global $logslib;

        if (!count($ldapgroups)) {
            return;
        }


When a user is removed from groups in the AD and is no longer in any AD group, their LDAP groups are passed to ldap_sync_group_data() when they log in. However, because they are in no groups in the AD, $ldapgroups is empty, and the function returns without attempting a sync, and therefore without removing the user from any groups in Tiki.

Removing the condition and return

    if (!count($ldapgroups)) {
        return;
    }

solves the issue, and LDAP works fine again.

However, this condition and return appear in tiki 11 as well, but tiki 11 does not have the same problem, so I don't know what to think about it.
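Added example (editor's illustration, not code from Tiki's lib/userslib.php or from the ticket submitter): a minimal group sync that treats an empty LDAP group list as a valid answer ("member of no external group") instead of returning early, and that only ever adds to or removes from groups Tiki marks as external, so local groups such as an admin group survive the sync. The storage is a hypothetical in-memory array standing in for the users_groups and users_usergroups tables, and the group and membership data below are constructed for the example.

```php
<?php
// Constructed sample state: Tiki groups and their isExternal flag
// (mirrors the users_groups.isExternal column the ticket describes).
$groups = [
    'Registered' => ['isExternal' => 'n'],
    'Admins'     => ['isExternal' => 'n'],
    'ldap-staff' => ['isExternal' => 'y'],
    'ldap-devs'  => ['isExternal' => 'y'],
];

// Constructed sample membership: user => Tiki groups the user is in.
$membership = [
    'alice' => ['Registered', 'ldap-staff', 'ldap-devs'],
];

/**
 * Sync one user's external group membership with the groups LDAP reports.
 *
 * Hypothetical replacement for the early "if (!count($ldapgroups)) return;":
 * an empty $ldapgroups is a legitimate result and leads to removal from every
 * external group. Groups whose isExternal flag is 'n' are never touched, which
 * also shows why a group whose flag was reset to 'n' by the admin page stops
 * being removed.
 *
 * Returns ['added' => [...], 'removed' => [...]] so the caller can log it.
 */
function ldap_sync_group_data_example(string $user, array $ldapgroups, array $groups, array &$membership): array
{
    $current  = $membership[$user] ?? [];
    $external = array_keys(array_filter($groups, fn($g) => $g['isExternal'] === 'y'));

    // Only groups Tiki knows as external are candidates for add/remove.
    // LDAP groups Tiki has no external group for are ignored (assumption).
    $wanted = array_values(array_intersect($ldapgroups, $external));
    $have   = array_values(array_intersect($current, $external));

    $toAdd    = array_values(array_diff($wanted, $have));
    $toRemove = array_values(array_diff($have, $wanted));

    // Keep every non-external group, drop stale external ones, add new ones.
    $new = array_values(array_diff($current, $toRemove));
    foreach ($toAdd as $g) {
        $new[] = $g;
    }
    $membership[$user] = $new;

    return ['added' => $toAdd, 'removed' => $toRemove];
}

// Login 1: AD now reports only ldap-staff, so ldap-devs is removed.
ldap_sync_group_data_example('alice', ['ldap-staff'], $groups, $membership);

// Login 2: AD reports no groups at all. With the early return quoted above this
// call would be a no-op; here it removes alice from ldap-staff as well.
ldap_sync_group_data_example('alice', [], $groups, $membership);

// Regression path from the description: once an admin save has reset
// ldap-staff to isExternal = 'n', re-adding alice and syncing with an empty
// list no longer removes her from it, because it is no longer treated as external.
$membership['alice'][] = 'ldap-staff';
$groups['ldap-staff']['isExternal'] = 'n';
ldap_sync_group_data_example('alice', [], $groups, $membership);

print_r($membership);
```

The function deliberately computes the diff from the set of groups Tiki flags as external rather than from whatever LDAP returned, so an empty answer from the directory is handled by the same add/remove path as any other answer and no special case is needed; the last three lines reproduce the isExternal reset described above to show that the flag, not the sync code, then decides whether a group is ever removed.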

Importance
8
Easy to solve?
5
Priority
40
Demonstrate Bug on Tiki 19+
Demonstrate Bug (older Tiki versions)
Ticket ID
5036
Created
Friday 06 December, 2013 17:53:39 UTC
by jcarter
LastModif
Tuesday 27 December, 2016 16:22:33 UTC

