[phpGroupWare-users] Problems with LDAP account import - Can't log in!


From: Stephen Weiss
Subject: [phpGroupWare-users] Problems with LDAP account import - Can't log in!
Date: Tue, 17 Oct 2006 13:17:21 -0700 (MST)


So I'm trying to set up phpgroupware.  Here are my specs:

Version from tarball phpgroupware-0.9.16.011.tar.bz2
OS: Mac OS X Server 10.4.8
MySQL: 4.1.13a-log
PHP: 5.1.4 (with ini_set('zend.ze1_compatibility_mode', '1'); in header.inc.php, same problem without though)
Apache: Server version: Apache/1.3.33 (Darwin)

In essence, I'm using the stock MySQL, PHP, and Apache that come with Mac OS X 
Server 10.4.

I need to set this up to authenticate off of LDAP (we use Apple's Open 
Directory for single sign-on), but store user accounts in SQL (so as not to 
screw with Apple's schema).  This seems to be quite possible, but it doesn't 
actually work so far.

There are some weird things that happen as I go through the configuration 
procedure.  I have tried a few things but I always end up with the same result.

Setting up the header file?  Fine.  Reads the LDAP with no problems.  I can 
demonstrate that this must be the case later on.

Setting up the tables?  Fine.  Server can read and write to the database 
without difficulty.

Then, I go to Step 2: Configuration.  Here is what I enter in under 
Authentication / Accounts:

Select which type of authentication you are using: LDAP
Select where you want to store/retrieve user accounts: SQL      
Minimum account id (e.g. 500 or 1000, etc.)*:   1000
Maximum account id (e.g. 65535 or 1000000):      65536
Minimum group id (e.g. 100 or 500, etc.) - should not overlap with account 
ids*}: 500   
Maximum group id (e.g. 499 or 999) - should not overlap with account ids*: 1000 
Auto create account records for authenticated users:    yes
Auto-created user accounts expire:      never
Add auto-created users to this group ('Default' will be attempted if this is 
empty.):   
If no ACL records for user or any group the user is a member of:        
 
If using LDAP:
Do you want to manage homedirectory and loginshell attributes?: 
LDAP Default homedirectory prefix (e.g. /home for /home/username): /Users       
LDAP Default shell (e.g. /bin/bash):    /bin/bash
LDAP host:      <server hostname>
LDAP accounts context:  cn=users,dc=(hostname)....
LDAP groups context:    cn=groups, dc=(hostname)...
LDAP rootdn:    uid=root,cn=users,dc=....
LDAP root password:      <password>
LDAP encryption type: DES


Now, I've used settings just like these in other such applications with no 
difficulty.  I have PhpLDAPadmin installed using the exact same credentials and 
it can read and write to LDAP perfectly.

That goes ok, and I get the LDAP setup screen.  I choose:

Import accounts from LDAP to the phpGroupWare accounts table (for a new install 
using SQL accounts) 

I select the users I want to import (all between 1000 and 65536), the admin 
users, NO groups (because we don't have any meaningful groups set up, and Mac 
OS X Server intermixes the group and user ids, so I wouldn't want any conflicts 
- for the record, I did try once with importing the groups and I had the same 
problem anyway).  When I click import, I get two PHP errors:

Warning: Invalid argument supplied for foreach() in 
/Library/WebServer/Documents/phpgroupware/setup/ldapimport.php on line 165

Warning: Variable passed to each() is not an array or object in 
/Library/WebServer/Documents/phpgroupware/setup/ldapimport.php on line 389

Which look like someone forgot to check if there were items in some array 
before running a loop (I know it's in BETA, but seriously?)

But at the bottom of that page, I also see: Import has been completed! Click 
here to return to setup.

So it seems like things go ok anyway.  Then, I go to log in as my own personal 
user account (which was given admin permissions).

If I log in with a bad password, it rejects the log in as it should.  If I log 
in with the correct password, I get:

You are required to change your password during your first login
Click here

(Which will SERIOUSLY piss off my users, we *already have* an LDAP policy which 
makes them change their passwords - I didn't set this option, is that really 
the default setting?)

So, we know that the LDAP authentication went ok.  But, I "click here" to 
change the password, and I get:

Access not permitted

With the standard layout (I guess), a logout link and a welcome link - no 
applications, no interface to speak of, basically a program that can 
authenticate with LDAP and fall on its face.

I really like the concept and if I can get it installed I will make so many 
people happy, but this seems...  extremely buggy.  Is this a PHP5 issue?  Some 
other your-software-is-too-recent-or-too-old thing?  Or is this software just 
that buggy?  I can't really go back to PHP4, I have programs that are settled 
now on PHP5.  If it's not that, any idea what it is?  Would be so grateful for 
any help or advice.  Thank you!!!!

--
Steve
Sent from the phpGroupWare forums @ http://forums.phpGroupWare.org



