FAQ

From phpLDAPadmin


General FAQs

How does PLA authenticate a user?

All LDAP authentication is performed by providing a DN (Distinguished Name) and a password. A DN is in the form "attr=Value,attr=Value,...", for example cn=Bart Simpson,ou=People,o=My Org,c=AU

In config.php, you can specify that the login screen either prompts for the DN (the default), or an attribute (see server:login:attr).

If:

  • A DN is used in the login, then PLA will take the DN and password that the user has filled in and give them to the LDAP server. If it accepts that combination, the details are stored in a SESSION variable or COOKIE and later form submissions will use those details (because we know they are good). If the LDAP server rejects that DN and password, PLA shows a login failure message and forgets everything.
  • An ATTRIBUTE is configured in server:login:attr as the login attribute, then the login form will ask the user for that VALUE (eg: UID). PLA will then take that value and SEARCH the LDAP server for the DN that corresponds to that value (thus it MUST be unique). If a DN is found, that DN will be used with the password on the login form, and given to the LDAP server as described above. If all is good, the details are stored in a SESSION variable or COOKIE. If the details are no good, then a login failure is displayed.

When the search is made to the LDAP server (to find the DN for an ATTRIBUTE login), you can specify in config.php that a special DN (see server:login:bind_id) be used to perform the search (that DN must have access to read the attribute and the branches of your tree, or the search will return no results). If you do not specify a DN, then an anonymous search is performed (thus your ACLs must authorise anonymous to search your tree with that attribute).
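The two login modes described above, modelled in Python against a small in-memory directory so it runs offline. This is an added example, not phpLDAPadmin's own code: the directory contents, the user names and passwords, and the `bind`/`search` helpers are all constructed stand-ins for the calls a real LDAP client would make. It also covers two edge cases the text implies but does not spell out: a login attribute value that matches more than one entry is refused rather than guessed, and an empty password is rejected before it reaches the server (per RFC 4513 a bind with a DN and an empty password is an unauthenticated bind, which many servers treat as anonymous and accept).

```python
"""Added example (not phpLDAPadmin's code): DN login vs attribute login,
with an optional bind_id used for the attribute-to-DN search."""

# Constructed sample directory: DN -> (attributes, password).
# Two entries deliberately share uid=dup to show the uniqueness requirement.
DIRECTORY = {
    "cn=Bart Simpson,ou=People,o=My Org,c=AU": ({"uid": ["bart"]}, "eat-my-shorts"),
    "cn=Lisa Simpson,ou=People,o=My Org,c=AU": ({"uid": ["lisa"]}, "saxophone"),
    "cn=Dup One,ou=People,o=My Org,c=AU":      ({"uid": ["dup"]}, "x1"),
    "cn=Dup Two,ou=People,o=My Org,c=AU":      ({"uid": ["dup"]}, "x2"),
    "cn=pla-search,ou=Service,o=My Org,c=AU":  ({}, "search-secret"),
}


def bind(dn, password):
    """Stand-in for an LDAP simple bind: True only for a known DN with a
    non-empty, matching password. The empty-password check is deliberate:
    RFC 4513 defines DN + empty password as an *unauthenticated* bind, which
    servers may accept as anonymous, so a login form must never forward it."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def search(attr, value, as_dn=None, as_password=None):
    """Stand-in for an LDAP search: DNs whose `attr` equals `value`.
    If as_dn is given (server:login:bind_id) the search is performed after
    binding as that DN; otherwise it is an anonymous search."""
    if as_dn is not None and not bind(as_dn, as_password):
        raise PermissionError("bind_id credentials rejected by the server")
    return [dn for dn, (attrs, _) in DIRECTORY.items() if value in attrs.get(attr, [])]


def login(identity, password, login_attr=None, bind_id=None, bind_pass=None):
    """Return the authenticated DN, or None on login failure.
    login_attr=None : identity is the DN itself (PLA's default).
    login_attr='uid': identity is an attribute value that must map to exactly one DN."""
    if login_attr is None:
        dn = identity
    else:
        matches = search(login_attr, identity, bind_id, bind_pass)
        if len(matches) != 1:
            # 0 matches: unknown user. >1: attribute is not unique; refuse to guess.
            return None
        dn = matches[0]
    return dn if bind(dn, password) else None


if __name__ == "__main__":
    print(login("cn=Bart Simpson,ou=People,o=My Org,c=AU", "eat-my-shorts"))
    print(login("lisa", "saxophone", login_attr="uid",
                bind_id="cn=pla-search,ou=Service,o=My Org,c=AU", bind_pass="search-secret"))
    print(login("dup", "x1", login_attr="uid"))   # None: uid is not unique
```

Replacing `bind` and `search` with real client calls keeps the decision logic unchanged; the point to preserve is that `login` returns a DN only when exactly one entry matched and the bind with the user's own password succeeded.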

How does PLA work out the BASE DN?

To automatically determine the Base DN, PLA performs a query against the RootDSE (the null DN '') and reads the value of namingcontexts. This query is done as the effective logged-in user, i.e. as Anonymous if it is an anonymous connection, or as the user after the user has successfully logged in.

For OpenLDAP (and possibly other LDAP Servers), you can check the value of the namingcontexts attribute by using this query for anonymous users:

ldapsearch -xb '' -s base '(objectclass=*)' namingcontexts

or, for a specific user, whose DN is "cn=User DN,o=Org...":

ldapsearch -xb '' -s base -WD 'cn=User DN,o=Org...' '(objectclass=*)' namingcontexts

If PLA cannot work out the Base DN (perhaps because your LDAP ACLs prohibit queries to the RootDSE by the effective user), you can specify the base that PLA should use. See server:server:base.

I cannot view the schema, or I get the message "Our attempts to find your SCHEMA for 'objectclasses' have FAILED."

Related to a problem with php-ldap and /etc/openldap/ldap.conf

There is a known problem with PHP: when PLA attempts to get the schema with a blank DN, php-ldap replaces the blank DN with the BASE entry from /etc/openldap/ldap.conf.

Edit /etc/openldap/ldap.conf and comment out the BASE entry, then restart your webserver.

Your schema doesn't provide anonymous read access

PLA relies heavily on being able to read the LDAP server schema as anonymous. For those LDAP servers that provide ACLs (Access Control Lists), you must ensure that anonymous READ access to your schema is available.

This configuration varies between LDAP servers. For OpenLDAP, make sure your ACLs include this, if you use strict ACLs:

access to dn="cn=subschema"
   by * read

To test if anonymous has access to your schema, try these commands (these commands work for OpenLDAP, and should work for other LDAP servers too).

  • 1st, find out where your LDAP server stores its schema:
    ldapsearch -xh HOST -b '' -s base subschemaSubentry
  • 2nd, retrieve the schema:
    ldapsearch -xh HOST -b 'OUTPUT_FROM_PREVIOUS_COMMAND' -s base '(objectClass=subschema)' attributetypes

where:
  HOST = your LDAP server's IP address
  OUTPUT_FROM_PREVIOUS_COMMAND = the DN returned by the first command.

EG:

#> ldapsearch -xh 127.0.0.1 -b '' -s base subschemaSubentry
..
subschemaSubentry: cn=Subschema
..
#> ldapsearch -xh 127.0.0.1 -b 'cn=Subschema' -s base '(objectClass=subschema)' attributetypes
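The base-DN discovery in the section above and the two-step schema check just shown both come down to reading LDIF that ldapsearch prints. Below is an added Python example (not phpLDAPadmin's or OpenLDAP's code) that parses such output, including comments, folded continuation lines and base64 (`::`) values, and then applies the same decisions PLA makes: pick server:server:base if configured, else the first namingContexts value; and confirm that the entry named by subschemaSubentry came back with attributeTypes, which is what an ACL denial breaks. The two LDIF strings are constructed sample output, not captured from a real server.

```python
"""Added example: parse ldapsearch LDIF output and apply PLA's base-DN and
schema-readability decisions. Sample LDIF below is constructed, not real."""
import base64

# Constructed: roughly what `ldapsearch -xb '' -s base '(objectclass=*)'
# namingcontexts subschemaSubentry` prints. One value is base64-encoded and
# one is folded across two lines, as ldapsearch does for long or unsafe values.
ROOTDSE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
#
dn:
namingContexts:: bz1NeSBPcmcsYz1BVQ==
namingContexts: dc=exam
 ple,dc=com
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success
"""

# Constructed: output of the second command run against cn=Subschema.
SCHEMA_LDIF = """\
dn: cn=Subschema
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )
"""


def parse_ldif(text):
    """Return a list of entries (dict: lowercased attribute -> list of values).
    Skips '#' comments, joins folded lines (leading space) and decodes 'attr:: b64'.
    Blocks without a dn (ldapsearch's 'search:/result:' trailer) are dropped."""
    entries = []
    for block in text.split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:       # folded continuation line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        entry = {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):                # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries


def rootdse(text):
    """The RootDSE is the entry whose DN is the null DN ''."""
    for entry in parse_ldif(text):
        if entry["dn"] == [""]:
            return entry
    raise LookupError("no RootDSE entry returned (ACLs may deny the effective user)")


def naming_contexts(text):
    return rootdse(text).get("namingcontexts", [])


def base_dn(text, configured=None):
    """PLA's rule: server:server:base if set, otherwise the first namingContexts
    value from the RootDSE; fail loudly when neither is available."""
    if configured:
        return configured
    contexts = naming_contexts(text)
    if not contexts:
        raise LookupError("RootDSE has no namingContexts; set server:server:base")
    return contexts[0]


def schema_readable(rootdse_text, schema_text):
    """The two-step test: locate subschemaSubentry in the RootDSE, then check the
    schema entry came back with attributeTypes. Returns (ok, detail)."""
    dn = rootdse(rootdse_text).get("subschemasubentry", [None])[0]
    if dn is None:
        return False, "RootDSE has no subschemaSubentry"
    for entry in parse_ldif(schema_text):
        if entry["dn"][0].lower() == dn.lower():
            count = len(entry.get("attributetypes", []))
            if count:
                return True, f"{count} attributeTypes readable at {dn}"
            return False, f"{dn} returned without attributeTypes (check ACLs)"
    return False, f"no entry returned for {dn}: anonymous read is likely denied"


if __name__ == "__main__":
    print("base DN:", base_dn(ROOTDSE_LDIF))
    print("schema:", schema_readable(ROOTDSE_LDIF, SCHEMA_LDIF))
    print("schema, empty result:", schema_readable(ROOTDSE_LDIF, ""))
```

Feeding the real output of the two ldapsearch commands into `schema_readable` gives a yes/no answer with the reason; an empty second result with a present subschemaSubentry is the signature of the ACL problem this FAQ entry describes.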

Does phpLDAPadmin create home directories?

No.

LDAP servers are often accessed by many LDAP clients, and while those LDAP clients may themselves be servers for your users, there is no way to automatically create home directories when a new user has been added to the LDAP server. Also, the LDAP server may be on a different machine from the one holding your users' home directories.

Some admins have written scripts that run on the LDAP client systems, check the LDAP server at regular intervals to see if new users were created, and create the home directories.

With Linux (and possibly others), you could use the PAM pam_mkhomedir module to auto-create home directories when the user logs in for the first time.

Sometimes the tree display shows a few entries quite happily; however, when you expand a branch, the new page is blank. Why?

Take a look in your web server error logs - php may be running out of memory.

Increase the value of memory_limit in your php.ini, restart your webserver and see if that fixes your problem.

Searching sometimes works when the result is a few entries; however, if a search returns a lot of entries, a blank page or browser error page is displayed.

Take a look in your web server error logs - php may be running out of memory.

Increase the value of memory_limit in your php.ini, restart your webserver and see if that fixes your problem.

I've created or modified the template XML files, but I don't see the changes I've made when I refresh the browser.

For PLA 1.2.x+

PLA caches creation and modification templates, as well as the query templates, for config:cache:template_time and config:cache:query_time seconds respectively. If your session has already read the templates, any changes to them won't be recognised until that time has elapsed. You can either:

For PLA < 1.2.x

The template XML files are cached in your PHP session, so changes won't be seen unless you:

Does phpLDAPadmin support LDAP referrals?

Yes. You can control the referrals in config.php.

I've installed PLA, tried to use the User Account (posixAccount) template and have noticed that the GID number field is blank, yet it is mandatory. I cannot submit the account creation because I cannot select a value for this field.

In the default User Account (posixAccount) template, the GID number field is populated by searching your LDAP tree for objects that match the filter (objectClass=posixGroup), so it is empty until a group exists.

Create a Group Object (using the PosixGroup template) first, and then you'll be able to create a posixAccount entry.

What is "Call to undefined function _()"?

This error results when you do not have gettext support enabled. Please add gettext support to PHP; you may need to refer to your distro's instructions if gettext is not included with the base PHP package.

Template FAQs

Why does my template show "This template has been disabled, possibly due to missing schema or missing template XML fields."

Templates are automatically disabled when the template_engine cannot confirm that one of the objectclasses is a structural object class.

This could be because the schema hasn't been loaded in your LDAP server, or PLA is having trouble reading your schema.

(To test that your schema is working, use the schema link under your server name to view the objectClasses; if you can, then double check that your XML file is using a structural objectClass.)

Is there any special tag for base-64 encoding in xml template file?

No.

Why do I get "Automatically removed objectClass from template" when creating or editing?

This message is generated when you have a template that defines an objectClass that your LDAP server's schema does not know about.

The 2nd line of this message gives you a hint as to which template, and which objectClass, is the offending entry.

You can either:

  • Remove the template, OR
  • Remove the offending objectClass (shown in bold) from the template (if you are not sure which template, the template description is displayed on the 2nd line; look for a template that has a <description> tag with that description), OR
  • Define the missing objectClass in your LDAP server's schema (you'll need to follow your LDAP server's instructions for this), OR
  • Set config:appearance:hide_template_warning (PLA 1.2.0.3+) to suppress these warnings.

Why do I get "Automatically removed attribute from template" when creating or editing?

This message is generated when you have a template that defines an attribute, but none of the objectClasses in your template include that attribute as a MUST or MAY attribute.

The 2nd line of this message gives you a hint as to which template, and which attribute, is the offending entry.

You can either:

  • Remove the offending attribute (shown in bold) from the template (if you are not sure which template, the template description is displayed on the 2nd line; look for a template that has a <description> tag with that description), OR
  • Add an objectClass to your template that has that attribute (use the schema browser to show which objectClasses provide that attribute), OR
  • Set config:appearance:hide_template_warning (PLA 1.2.0.3+) to suppress these warnings.

Why does PLA 1.2.x+ now generate template warnings when creating/editing entries?

The supplied templates are provided as examples. Your LDAP server's schema may not have the objectClasses or attributes that are defined in the sample templates.

You can either:
