This question about LDAP: Answered
How to config LDAP Group query
Note: I am authenticating against AD
I have gotten apache to work using the following LDAP config
<Directory "/sa001/ldaptest" >
AuthBasicProvider ldap
AuthzLDAPAuthoritative On
AuthLDAPURL ldap://181.175.171.93:389/ou=users,ou=usa,ou=noram,dc=fss,dc=pykie,dc=com?userPrincipalName?sub?(objectClass=person)
AuthLDAPGroupAttributeIsDN on
Require ldap-group CN=UNIX_G,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com
AuthLDAPBindDN "cn=svc_apacheldap,cn=Users,dc=fss,dc=pykie,dc=COM"
AuthLDAPBindPassword jswertpoi
AuthType Basic
AuthName "Authorization required"
AuthzLDAPLogLevel debug
</Directory>
I can log in to the foswiki with these settings
$Foswiki::cfg{Ldap}{UserBase} = [
'ou=users,ou=usa,ou=noram,dc=fss,dc=pykie,dc=com'
];
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'userPrincipalName';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};
but I cannot for the life of me figure out how to configure the Groups in Foswiki.
I found this doc online -
_Membership::
LDAP servers follow different schemata to define "membership". They store the information either using a set of unique ids in the group object (posixGroup) or the full DNs of the user objects (groupOfNames). In the latter case the user objects' unique ids have to be fetched separately based on their distinguished name. This mode has to be switched on using the
MemberIndirection setting._
The reverse relation, where the user objects hold membership information (for example using a memberOf attribute) is maintained by some LDAP servers automatically.
Those that encode membership this way only are not supported by the LdapContrib yet.
If what I am trying to do is not possible - I would gladly give up - but I can see an AD entry like this
objectClass: top
objectClass: group
cn: UNIX_G
description: UNIX DOCS
member: CN=Smith\, John J.,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com
so the group membership is not only in the user.
The docs also say:
Furthermore, user objects may have one primary group attribute. This is a simple value that stores the id of a default group that user is member of. This attribute is defined by specifying the PrimaryGroupAttribute setting.
LdapContrib reads membership information as they are stored in the group objects, and may map the member object indirectly to the login name. In addition any "primary group" setting stored in the user objects is consulted as well.
Online I have found references to
In AD (Active Directory) it is not obvious or straightforward to understand how to find out the Primary Group that a user belongs to, which may be part of my problem. But again it is not obvious that I am definitely SOL and should give up.
I have this setting - because that seems the sanest, but my LDAP dump of UNIX_G shows no field primaryGroupID. Dump of my (the user) entry in LDAP does.
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'primaryGroupID';
Can anyone give me direction? I will happily supply more info - I just have to sanitize it first.
April 5, 2017
Anyone out there? I think this question pertains to my question as well (Support.Question1869)
--
VickiBrown
- ldap.txt: Aug 2018 here is the config as I use it today
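As an added illustration of the membership model the quoted LdapContrib docs describe (this is example code, not LdapContrib's own): a small Python resolver over constructed entries shaped like the UNIX_G dump above, with in-memory dicts standing in for LDAP search results. It assumes the AD rule that primaryGroupID holds only the RID of the group and that the group's objectSid is the domain SID followed by that RID, which is why the group entry itself carries no primaryGroupID.

```python
# Constructed sample entries modelled on the question's dump (all values invented).
DOMAIN_SID = "S-1-5-21-1000-2000-3000"
JOHN_DN = "CN=Smith\\, John J.,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com"
UNIX_G_DN = "CN=UNIX_G,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com"
ENTRIES = {
    JOHN_DN: {
        "objectClass": ["top", "person", "user"],
        "userPrincipalName": ["jsmith@fss.pykie.com"],
        "primaryGroupID": ["513"],  # a RID, not a DN and not a group name
    },
    UNIX_G_DN: {
        "objectClass": ["top", "group"],
        "cn": ["UNIX_G"],
        "member": [JOHN_DN],  # groupOfNames style: full DNs of the users
        "objectSid": [DOMAIN_SID + "-1105"],
    },
    "CN=Domain Users,CN=Users,DC=fss,DC=pykie,DC=com": {
        "objectClass": ["top", "group"],
        "cn": ["Domain Users"],
        "member": [],  # primary-group members are NOT listed in 'member'
        "objectSid": [DOMAIN_SID + "-513"],
    },
}


def _is_group(attrs):
    return "group" in attrs.get("objectClass", [])


def members_of(group_dn, entries=ENTRIES):
    """Member indirection: turn each member DN into the user's login name."""
    logins = []
    for dn in entries[group_dn].get("member", []):
        user = entries.get(dn)  # in real LDAP this is a second search by DN
        if user and "userPrincipalName" in user:
            logins.append(user["userPrincipalName"][0])
    return sorted(logins)


def groups_of(user_dn, entries=ENTRIES, domain_sid=DOMAIN_SID):
    """All group cn values for a user: explicit 'member' links plus primary group."""
    found = set()
    for attrs in entries.values():
        if _is_group(attrs) and user_dn in attrs.get("member", []):
            found.add(attrs["cn"][0])
    # Primary group: match domain SID + "-" + RID against the groups' objectSid.
    for rid in entries[user_dn].get("primaryGroupID", []):
        want = f"{domain_sid}-{rid}"
        for attrs in entries.values():
            if _is_group(attrs) and want in attrs.get("objectSid", []):
                found.add(attrs["cn"][0])
    return sorted(found)
```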