Topic: Problem with Zentyal LDAP and Schooltool (on other server) [SOLVED]

astana

  • Zen Warrior
I'd love some feedback with this as well!

I'm trying to integrate SchoolTool with LDAP. I'm running SchoolTool on a separate server (learning lessons about putting too many services on one server) and LDAP fails. When SchoolTool is installed on the Zentyal server it works fine, but it uses ldapi:// instead of ldap://, and that is only usable on the same machine.

URL looks like this: ldapi://%2fvar%2frun%2fslapd%2fldapi
When I replace it with ldap://192.168.1.X:389 or 390 and copy all the other details over, SchoolTool fails. As it only does basic auth as far as I can tell, this might explain why.

However if I run LdapAdmin.exe I can connect just fine on port 389 with basic auth, so I'm really confused now.

I'm also seeing failure with ampache ldap authorisation, I should be able to debug that one slightly more easily than SchoolTool.

I'd love to use the ldap for external services without having to bundle everything onto the same server :(

This is running 3.1, but had exactly the same experience on 3.0.

/mod edit by robb: Topic split off from http://forum.zentyal.org/index.php/topic,14113.0.html
« Last Edit: May 30, 2013, 08:17:51 am by astana »

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #1 on: May 18, 2013, 06:59:18 pm »
you should perhaps open a new dedicated thread  ;)

Anyway, I gave it a try and indeed it doesn't work for me, but it looks like a poor LDAP plugin implementation.
I got an error while configuring using the web interface after my first try returned "wrong ldap filter".
Since then I can't modify anything.

I tried configuring schooltool.conf.
From ldap standpoint, your ldap section should look like this:

Code:
<ldap_authentication>
allow_web_config no
#  autodetect_from /etc/ldap.conf
uri ldap://192.168.20.1:390
#  default_login_attr uid
#  default_login_filter objectclass=posixaccount
query_users uid ou=Users,dc=zentyal-domain,dc=lan?one?(objectClass=posixaccount)
query_groups ou=groups,dc=zentyal-domain,dc=lan?one?(objectClass=posixGroup)
#bind_group teachers 7001
#bind_group 2011-2012 students 6024
bind_dn cn=zentyalro,dc=zentyal-domain,dc=lan
bind_password your_password_here
</ldap_authentication>

but I can't test further and don't know how to reset conf.
BTW, for some reason, I never had good experience with Zope and LDAP... there is no obvious reason but so far..

EDIT: fixed copy/paste error with "groups"
« Last Edit: May 18, 2013, 07:33:08 pm by christian »
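
Added example, not part of either post and not SchoolTool or Zentyal code: it decodes the two URI forms discussed above and turns the posted `base?scope?filter` string into an `ldapsearch` command that repeats the same bind and query from the remote host. The function names and the optional `starttls` switch are assumptions made for illustration; whether the server offers StartTLS is not stated in the thread.

```python
import shlex
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def describe_endpoint(uri):
    """Say where an LDAP URI connects and whether a simple bind is exposed."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # The authority of an ldapi:// URI is a percent-encoded UNIX socket
        # path, so it only exists on the directory server itself.
        return {"transport": "unix-socket", "target": unquote(parts.netloc),
                "remote": False, "cleartext_bind": False}
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URI: {uri!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    # Plain ldap:// carries bind_dn and bind_password unencrypted unless
    # StartTLS is negotiated first; ldaps:// wraps the session in TLS.
    return {"transport": "tcp", "target": f"{parts.hostname}:{port}",
            "remote": True, "cleartext_bind": scheme == "ldap"}

def parse_query(spec):
    """Split a 'base?scope?filter' string as used in the config above."""
    base, scope, flt = spec.split("?", 2)
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown search scope: {scope!r}")
    return base, scope, flt

def ldapsearch_argv(uri, bind_dn, spec, attrs=("uid",), starttls=False):
    """Build an ldapsearch command that repeats the configured query."""
    if not describe_endpoint(uri)["remote"]:
        raise ValueError("ldapi:// cannot be tested from another host")
    base, scope, flt = parse_query(spec)
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W"]
    if starttls:
        argv.append("-ZZ")  # fail rather than fall back to cleartext
    return argv + ["-b", base, "-s", scope, flt, *attrs]

if __name__ == "__main__":
    # Values copied from the posts above; -W prompts for the password so it
    # never lands in shell history or the process list.
    print(describe_endpoint("ldapi://%2fvar%2frun%2fslapd%2fldapi"))
    print(shlex.join(ldapsearch_argv(
        "ldap://192.168.20.1:390",
        "cn=zentyalro,dc=zentyal-domain,dc=lan",
        "ou=Users,dc=zentyal-domain,dc=lan?one?(objectClass=posixaccount)")))
```

If the printed command returns the user entries when run on the SchoolTool host, the directory is reachable over TCP and the remaining fault is on the application side.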

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #2 on: May 18, 2013, 07:15:38 pm »
A bit upset with this error, I decided to purge schooltool, reinstall schooltool and ldap plugin, directly configure as described above and.... it works out of the box, meaning application reports "5 users in LDAP"

then, as I don't know this application I can't even find where to look at these users  :-[

I hope this helps  8)

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #3 on: May 18, 2013, 07:49:15 pm »
Some extra comments, in case it helps further:

LDAP server is Zentyal 3.1
Schooltool installed on my workstation.

When adding user in Zentyal (although there is a bug here with 3.1), one more account is seen in Schooltool.
Still I can't authenticate yet with these accounts but my filters may require some refinement.
I'm working at understanding Schooltool better.

One point to notice: if I understand well, accounts are not created in Schooltool until students (or teachers) authenticate in Schooltool.

robb

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #4 on: May 18, 2013, 08:28:10 pm »
Quote
One point to notice: if I understand well, accounts are not created in Schooltool until students (or teachers) authenticate in Schooltool.
Exactly: Schooltool also (like Chamilo does) copies users from LDAP to the local Schooltool userdb.

Sam Graf

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #5 on: May 18, 2013, 08:29:51 pm »
Given the course of the conversation (my fault), let's move this to a better spot (with apologies to Christian) ...

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #6 on: May 18, 2013, 09:06:20 pm »
reason why I suggested to open a new thread  ::)
Because answer to the initial question is "yes accessing Zentyal 3.1 LDAP does work"

Sam Graf

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #7 on: May 18, 2013, 10:48:38 pm »
Well, it at least works on a 3.0 machine upgraded to 3.1.

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #8 on: May 19, 2013, 11:14:00 am »
back to Schooltool (please Astana, feel free to open this new thread in case you want to discuss this further):
- access to LDAP does work
- Schooltool is able to find all "user" entries
- while trying to authenticate using LDAP account, it doesn't work however (at least with schooltool version I test that is perhaps not the last one 2.4.0). The only LDAP request is to bind with provided bind_dn. This bind works but nothing else is performed.
- I notice however "whoami" extended operation request  ::)

When Schooltool connects to LDAP (when connected with manager account and when looking at server settings), ldap filter configured in schooltool.conf is used. So far so good.
but then it looks like there is no other access to LDAP except bind with provided bind_dn.

odd isn't it?

And if you try to modify LDAP config using Schooltool application, then you hit this error
Code:
Exception: typeError: must be string or read-only buffer, not none
and you can't access application anymore  :o

Well, perhaps not yet ready for LDAP  :P

astana

  • Zen Warrior
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #9 on: May 20, 2013, 03:04:17 am »
Thanks again for the help you've given (both this thread and others)!

My solution at the moment is to bypass the problem and install SchoolTool on a backup domain controller virtual machine. This does work out of the box and should give me better login server capabilities as a side benefit.

I'd love to track this down, but as you suggested it might be a problem with SchoolTool ldap implementation.

I couldn't get your results though Christian following your SchoolTool setup.

I'd love to be able to spend more time trying to resolve this correctly but simply need to get these services running in an acceptable configuration :(

robb

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #10 on: May 20, 2013, 03:20:27 pm »
Just for clarity: Are you installing Schooltool in /var/www/ (default website) or in a vhost under /srv/www/ (location of Zentyal vhosts)?

astana

  • Zen Warrior
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #11 on: May 20, 2013, 04:00:03 pm »
As far as I know SchoolTool serves its own pages on a non standard port (7080) and isn't served by apache.
I can stop the apache server and SchoolTool still serves pages.

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #12 on: May 20, 2013, 05:22:35 pm »
indeed tests I made were using port 7080.

I like your:
Quote
I couldn't get your results though Christian following your SchoolTool setup.

It doesn't really tell what works and what doesn't, nor the problem or error message you get  :-\
So I can't really help.

robb

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #13 on: May 21, 2013, 12:57:42 am »
Astana: Default schooltool installation comes with its own webserver. However, Zentyal already uses Apache as a webserver, so it makes sense to use that to serve Schooltool webpages.
http://book.schooltool.org/apache.html
At least if you have other websites or webapplications that you host on the Zentyal server, it would be preferable to have schooltool in a vhost.

christian

  • Guest
Re: Problem with Zentyal LDAP and Schooltool (on other server)
« Reply #14 on: May 21, 2013, 05:38:30 am »
Robb,

You're right but, assuming I understood correctly, initial goal and question was: "how to access Zentyal LDAP from outside?" because idea was, for some reason, not to install SchoolTool on Zentyal server, therefore use of dedicated server on port 7080.