This question about LDAP: Closed unanswered

LDAP group access control problem

Hi,

I have a problem with the LDAP group mapping funciotnalities...even if all seems to be ok (user authentication, mapping between groups and users, etc...) I cannot use the LDAP group for managing the access control (ALLOWWEBCHANGE, etc..)

I have already checked the FINALPREFERENCES around foswiki but all seems to be ok...

Thanks in advance

-- LorenzoNicolodi - 02 Nov 2009

Can you provide a little bit more details, please?

Where did you set ALLOWWEBCHANGE? How does the setting exactly look like?

-- MichaelDaum - 03 Nov 2009

I have set ALLOWWEBCHANGE in the WebPreferences of the web I want to manage...

Here are the access management settings of the web:

  • Set DENYWEBVIEW =
  • Set ALLOWWEBVIEW =
  • Set DENYWEBCHANGE =
  • Set ALLOWWEBCHANGE = SupportGruppe
  • Set DENYWEBRENAME =
  • Set ALLOWWEBRENAME = AdminUser,SupportGruppe
Do you need other info?

Thanks a lot!

-- LorenzoNicolodi - 05 Nov 2009

Where is SupportGruppe defined: in LDAP or in the Main web of your Foswiki?

Try %USERINFO{"SupportGruppe"}% to see what it knows about it. Also check your Main.WikiGroups.

-- MichaelDaum - 05 Nov 2009

The SupportGruppe is defined in the AD ... the groups are retrieved in the right way from the AD and the association group <--> users is ok (in Main.WikiGroups I see, for example, SupportGruppe on the left and the right users' name in camel-case e.g. NameSurname on the right)...

Anyway, using %USERINFO{"SupportGruppe"}%, it retrieves the users in the format name@mycompany.com ... which is quite strange....isn't it?

-- LorenzoNicolodi - 05 Nov 2009

At the bottom of the Main.WikiGroups page I have seen this sentence:

Note: A group topic name must be a WikiWord and must end in ...Group. New topics are based on GroupTemplate

Does the fact that my group names end with Grouppe instead of Group matter?

-- LorenzoNicolodi - 05 Nov 2009

This sentence is irrelevant as all of your groups come from LDAP. Please check the {GroupAttribute} and {MemberIndirection} settings and your apache error.log for anything related.

-- MichaelDaum - 05 Nov 2009

I have double checked these values...the GroupAttribute is correct, I suppose, because the names of the groups in the groups' table are right and the name of the users are right too..and I have already put the flag on MemberIndirection...

-- LorenzoNicolodi - 05 Nov 2009

Any new suggestion? smile

-- LorenzoNicolodi - 10 Nov 2009

I have discovered something new..

I have my user which belongs to the SupportGruppe described above and for troubleshooting purpose I have inserted in a page two macros, getting the following results:

%USERINFO{"SupportGruppe"}% --> in this case I get the something line "unknown, SupportGruppe, user1@mycompany.com, user2@mycompany.com, myname@mycompany.com"

%USERINFO{ format="EMAIL $emails USERNAME $username WIKINAME $wikiname WIKIUSERNAME $wikiusername GROUPS $groups" }% --> In this case I get all the information apart from the $groups (nothing is displayed after the word "GROUPS")

Are these info useful?

Thanks a lot!

-- LorenzoNicolodi - 13 Nov 2009

QuestionForm edit

Subject LDAP
Extension LdapContrib
Version Foswiki 1.0.7
Status Closed unanswered
Topic revision: r12 - 05 Feb 2010, OliverKrueger
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy