LDAP Bad Search Filter - ldap

I'm using an open source software called LDAP Account Manager to manage LDAP users, groups, and hosts for my company. I'm having a weird problem though, and I was hoping someone could give me an idea what's happening on the LDAP side of things as opposed to the actual software.
So here's the problem in a nutshell.
The software can find all users at the following suffix:
ou=Users,ou=Accounts,dc=xxxx,dc=com
When I try to view the details of one of these users, I get an error that says:
Bad search filter
Here's the weird part. When I add a new user, the entry appears with the other users at the same suffix.
ou=Users,ou=Accounts,dc=xxxx,dc=com
In other words, all of the users (the old ones that were already in the LDAP tree, and the new one I added) exist in the same place.
I can navigate to the new user at:
CN=User, Test,ou=Users,ou=Accounts,dc=xxxxx,dc=com
But I can't navigate to any of the existing users at this location (I get the Bad Search Filter error):
CN=Fakename, John,ou=Users,ou=Accounts,dc=xxxxx,dc=com
This seems inconsistent, and I'm trying to brainstorm what could be happening. The users exist in the same location, but I get an error when accessing some, but not others. Could this be a permissions issue, or is there something I am missing?

It sounds very much like your software has trouble encoding the comma (,) separating the name and the surname in the create command or in the search filter.
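An added example (not part of the original posts, and not LDAP Account Manager's code) of the kind of encoding mix-up this answer describes: a DN and a search filter use different escaping rules (RFC 4514 and RFC 4515), so a comma must be escaped in a DN but not in a filter, and a DN-style `\,` is not a legal filter escape. The function names are hypothetical; the CN value and suffix are the ones shown in the question.

```python
import re

BASE = "ou=Users,ou=Accounts,dc=xxxx,dc=com"   # suffix as shown in the question
NAME = "Fakename, John"                        # CN value containing a comma

def escape_dn_value(value: str) -> str:
    """RFC 4514: escape an attribute value for use inside a DN."""
    out = re.sub(r'([\\",+;<>])', r'\\\1', value).replace("\x00", "\\00")
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):
        out = "\\" + out
    return out

def escape_filter_value(value: str) -> str:
    """RFC 4515: escape an assertion value for use inside a search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def filter_value_is_valid(value: str) -> bool:
    """True if every backslash starts a two-hex-digit escape and no
    filter metacharacter appears unescaped (RFC 4515 rules)."""
    stripped = re.sub(r"\\[0-9a-fA-F]{2}", "", value)
    return not re.search(r"[\\*()\x00]", stripped)

def split_dn(dn: str) -> list:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if step == 1 and dn[i] == ",":
            rdns.append(cur)
            cur = ""
        else:
            cur += dn[i:i + step]
        i += step
    rdns.append(cur)
    return rdns

def malformed_rdns(dn: str) -> list:
    """RDNs lacking 'attribute=value', i.e. fragments from a bad split."""
    return [r for r in split_dn(dn) if "=" not in r]

naive_dn = f"CN={NAME},{BASE}"                     # comma left unescaped
safe_dn = f"CN={escape_dn_value(NAME)},{BASE}"     # CN=Fakename\, John,...
good_filter = f"(cn={escape_filter_value(NAME)})"  # comma is literal in filters
mixed_up = escape_dn_value(NAME)                   # DN escaping reused in a filter

if __name__ == "__main__":
    print(malformed_rdns(naive_dn), malformed_rdns(safe_dn))
    print(good_filter, filter_value_is_valid(mixed_up))
```

The same two escaping functions are what keep user-supplied names from altering a DN or a filter, so each value should be escaped for the context it is placed in and never with the other context's rules.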

Related

How do you add a user to a group using Apache Directory Studio

I am using Apache Directory Studio to set up an initial user on an LDAP partition. I have added the user, and I have a group (Administrators) that I am trying to add that user to.
Users are ou=users and groups are ou=groups and were copied from ou=system. The user was created by adding an inetOrgPerson class entry.
How do I add a user to a group? What kind of class would I use and what attributes are required?
I feel I am missing a lot of information with LDAP. I got this far by ghacking (googling and hacking - the least efficient thing you can do). So, where do I go that will tell me what to do and how to get it done in a cook-book style guide, or at least some sort of detailed reference on the classes and schemas that would define what each is used for?
Any help is highly appreciated!
Select your group
Right Click on the right side and select "new attribute"
Type member and/or select from list
Hit the browse button and search for your user or enter the path
Hit OK button
Using Apache Directory Studio you can interactively add a user to e.g. a groupOfNames entry by adding a value (Ctrl++) to the multivalued attribute member. Studio comes with a DN value editor which allows you to browse the Directory Information Tree for the user to add.
As for the objectClass to use for groups and users, you should consult the relevant RFCs (e.g. 4519). For a more prosaic lecture there are a couple of good books (e.g. Howe: Understanding and Deploying LDAP Directory Services).

LDAP different passwords for different applications

So as far as I found out it is possible to assign multiple passwords to an LDAP user. However, what I'm trying to figure out is if one could limit one password to a specific application.
As far as I'm concerned this looks like the opposite of what one would like to achieve with using LDAP, however this is my task and I'm trying to go with it.
I explicitly do not want to create separate users but just two passwords where one logs me into let's say my homepage backend and the other into my email but not the other way around!
Is this doable? I did not find any solutions so far.

Mediawiki creates custom group

I have a very confusing problem with my mediawiki at the moment. I was about to set up some new permissions in the localsettings.php and included the Namespace Protection plugin. But for some reason, I now have a new group where I can give permissions to the users which is called "Benutzer". It's the German translation for Users but I have no clue why it was created. Here is a link to my actual localsettings.php: Link
When I look at the userrights list, I also have two groups named "Benutzer". One is created by mediawiki and the other one I don't know...
Well, that wasn't the problem, but I fixed it now. In the localsettings.php, I wrote "$wgGroupPermissions['User']" instead of "$wgGroupPermissions['user']" so mediawiki thought I wanted to create a new group, and the big problem was, it localized it also, so I didn't see my mistake.
But thanks for trying to help me :)
When displayed on special pages, the names of user groups are localized, so if your language is German, and the user group is called Benutzer, then everything is working as it should.
User group message documentation

Api URI Design Preference

A quick api uri design question. We have resources that belong to our clients. These resources can be edited / viewed / deleted by the client who entered them into our system. The resources can be searched by all clients but access is only granted if certain criteria is met (client has level 3 access etc).
Choice 1: include the client who owns the resource in the uri.
client/:clientname/widgets
client/:clientname/widgets/:id
Choice 2: ditch the whole "client/:clientname" since this part of the uri has to be verified and checked against the credentials of the user accessing the information.
/widgets
/widgets/:id
We have other resources other than widgets that also belong to clients.
Which way is the more preferred way and why? Cheers.
The only advantage that Choice 1 gives is that it allows you to effectively namespace widgets/whatever by the user that uploaded them. Similar to Github, how different users can have projects with the same name. If Github were to exclude the username, no two users could have a project with the same name. If the widgets are all unique, I would go with option two and you will have a 1:1 mapping from a widget to the user that created it, thus supplying it is just extra work for whoever is calling it.
If you can have the same widget name for different users, use an approach which includes the username. You may not need to actually use the 'client' word in your url though; using a path like '/:clientname/widget/:widgetid' instead.
Note that this is kind of an opinion based question, so you may get different answers. You'll have to weigh the information provided and in the end make your own decision.

How can I integrate users' logins from my site into phpBB?

I need some help with what is probably a newbie question in terms of modifying phpBB.
I have a whole system developed in PHP, and I would like to integrate phpBB so that people can navigate into the forums and post seamlessly, without logging in again.
Now, using the phpBB users table as the users table for my system (and having people register in phpBB instead of in my website) is not possible unfortunately (it'd take more work to redo our system than to build our own basic forum).
I'm assuming I can hack my way into making phpBB believe that a certain user ID has logged in, however, that user won't exist in phpBB's users table (which I'm assuming will cause it to error out pretty much everywhere).
All the tutorials and forum posts I could find implied having phpBB as the primary. I couldn't find anything to do it the other way around.
I'm guessing the only possible way to solve this is by having both tables relatively synchronized.
Now, provided that I can have both users table synchronized, what is the best way to integrate both sites, keeping my site's login and users table as the "primary" ones?
Also, is there anything in particular I should keep in mind when creating records in phpBB's users table? Or is it relatively straightforward to figure out? What tables should I be writing to, if there is more than one?
This is an old question so I'm sure you've worked something out by now, but if you need to refactor things in the future, this is entirely possible with authentication plugins in phpBB3:
http://wiki.phpbb.com/Authentication_plugins
I'm working on one now where phpBB is the "secondary" system, and it's going pretty well.
I just worked on this task today, and after some investigation implemented an Authentication plugin. Here is a good example: Getting phpBB to accept Django sessions
I have integrated phpBB with a site before, however I used phpBB's login system/users table as the primary one as you said. Since phpBB is a pretty advanced forum software, it would be a pretty time consuming project to change its user and login system completely.
When I had to use the site's login as the primary one, I used PunBB. It was way simpler to modify PunBB.
If you absolutely have to use your own login as primary, and phpBB, then I agree with you in that the easiest way would be to keep the tables synchronized, and call both the login scripts when somebody logs in.
When you're inserting data into phpBB, the users table is pretty straightforward. Each entry has the basic info for a user, and if you have custom fields for the user profiles, they go into the profile_fields and profile_fields_data tables.
One tricky thing is how phpBB encrypts user passwords. I think you have to use phpBB's function called phpbb_hash($password) to do that. It's declared in the file
phpbb/includes/functions.php
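For the phpBB login code, see function login_box in file phpbb/includes/functions.php
You can use the below to login into phpBB:
// $auth and $user are phpBB's global objects (available after including phpBB's common.php)
$result = $auth->login($username, $password);
if ($result['status'] == LOGIN_SUCCESS) {
    echo "You're logged in";
} else {
    // error_msg is a key into phpBB's language table
    echo $user->lang[$result['error_msg']];
}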