LDAP Sync Not working Correctly
- Status
- Open
- Subject
- LDAP Sync Not working Correctly
- Version
- 12.x Regression
- 15.x
- Category
- Regression
- Feature
- External Authentication (LDAP, AD, PAM, CAS, etc)
- Resolution status
- New
- Submitted by
- jcarter
- Volunteered to solve
- Lastmod by
- RadoS
- Rating
- Description
Behavior for ldap should be as follows:
- if user added to group in AD, added to group in tiki when log in
- if user removed from group in AD, removed from group in tiki when log in
1 is working fine, but 2 is broken. This is hard to demonstrate, as I can't really hook my AD up to a demonstration instance, but I have it set up in my tiki 11 install, and it works perfectly, but is not working on the latest 12.x pulled from svn (r49012 atm).

Another problem that can cause the same symptoms, but is not the cause of the behavior above, is that when you edit an external group via tiki-admingroups.php?group=<group> the isExternal flag in the users_groups table gets set to "n" for that group. This means that if you change the description of an external group in tiki, or set that group to inherit, or even don't change anything but click "Save" on the group options page, the group will no longer be treated as external, and you will see 2 break again. I submitted item4398 about this a while ago, but I figured I'd dump it here as well.
- Solution
I believe I have found the solution.
What I believe the issue is can be found here, line 1310 in lib/userslib.php:

```php
// Sync Tiki groups with LDAP groups data
function ldap_sync_group_data($user, $ldapgroups)
{
    global $prefs;
    global $logslib;
    if (!count($ldapgroups)) {
        return;
    }
    // ... (remainder of the function, not quoted in the ticket)
}
```
When a user is removed from groups in the AD, and is no longer in any AD group, when they log in, their ldapgroups are passed to ldap_sync_group_data(). However, because they are in no groups in the AD, ldapgroups is empty, and the function returns without attempting a sync, and therefore without removing the user from any groups in tiki. Removing the condition and return

```php
if (!count($ldapgroups)) {
    return;
}
```

solves the issue, and ldap works fine again.
However, this condition and return appear in tiki 11 as well, but tiki 11 does not have the same problem, so I don't know what to think about it.
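The early-return failure described in the Solution, shown as an added example that is not Tiki's own code: a minimal model of the group diff that ldap_sync_group_data() has to compute, with the buggy early return beside a version that always syncs but only touches groups still flagged isExternal = 'y' (which also covers the tiki-admingroups.php flag reset mentioned in the Description). All function names and the sample data are hypothetical and constructed for this example.

```php
<?php
// Hypothetical model of the LDAP -> Tiki group sync (not Tiki's code).
// Each function returns ['add' => [...], 'remove' => [...]] for one user.

// Buggy variant: mirrors the early return at the top of
// ldap_sync_group_data(). When AD reports no groups at all, nothing is
// synced, so a user removed from every AD group keeps all Tiki groups.
function sync_groups_buggy(array $tikiGroups, array $ldapGroups): array
{
    if (!count($ldapGroups)) {
        return ['add' => [], 'remove' => []]; // the bug: no removals
    }
    return [
        'add'    => array_values(array_diff($ldapGroups, $tikiGroups)),
        'remove' => array_values(array_diff($tikiGroups, $ldapGroups)),
    ];
}

// Corrected variant: always computes the diff, but only over groups that
// Tiki still marks as external, so locally managed groups (and external
// groups whose isExternal flag was reset to 'n') are never removed here.
function sync_groups_fixed(array $tikiGroups, array $ldapGroups, array $isExternal): array
{
    $external = array_filter($tikiGroups, function ($g) use ($isExternal) {
        return ($isExternal[$g] ?? 'n') === 'y';
    });
    return [
        'add'    => array_values(array_diff($ldapGroups, $tikiGroups)),
        'remove' => array_values(array_diff($external, $ldapGroups)),
    ];
}

// Constructed sample: the user holds three Tiki groups, two of them
// external; AD now reports the user in no group at all.
$tikiGroups = ['Registered', 'Developers', 'Admins'];
$isExternal = ['Registered' => 'n', 'Developers' => 'y', 'Admins' => 'y'];
$ldapGroups = [];

// Buggy: remove list stays empty; fixed: Developers and Admins are removed,
// Registered is kept because it is not an external group.
print_r(sync_groups_buggy($tikiGroups, $ldapGroups));
print_r(sync_groups_fixed($tikiGroups, $ldapGroups, $isExternal));
```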
- Importance
- 8
- Easy to solve?
- 5
- Priority
- 40
- Demonstrate Bug on Tiki 19+
-
- Demonstrate Bug (older Tiki versions)
-
- Ticket ID
- 5036
- Created
- Friday 06 December, 2013 17:53:39 UTC by jcarter
- LastModif
- Tuesday 27 December, 2016 16:22:33 UTC