This question about LDAP: Asked

LDAP ALLOW/DENY for Groups don't work (Users work)

Hello, I hope someone can help me. Here is some info.

* LDAP user login works

* System/Wikigroups shows group and user

* db_dump -p shows groups and members

* UserMappingManager is set to LdapUserMapping.

* no Errors in Apache Logs

* ALLOW/DENY for Webs work with username but not for groups.

LocalSite.cfg
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Module} = 'Foswiki::Plugins::LdapNgPlugin';
$Foswiki::cfg{Ldap}{Host} = 'SERVER.DOMAIN.de';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'dc=DOMAIN,dc=de';
$Foswiki::cfg{Ldap}{BindDN} = 'cn=LDAPUSER,ou=Administration,dc=Domain,dc=de';
$Foswiki::cfg{Ldap}{BindPassword} = 'MyPassword';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'optional';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 0;
$Foswiki::cfg{Ldap}{UserBase} = 'ou=Firmen,dc=DOMAIN,dc=de';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'mailNickname';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{GroupBase} = 'ou=Firmen,dc=DOMAIN,dc=de';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'primaryGroupID';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'memberOf';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 1;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 1;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 0;
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PageSize} = 0;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';
$Foswiki::cfg{Plugins}{LdapNgPlugin}{Enabled} = 1;

-- MarcusPockrandt - 23 Jul 2010

Hey Marcus

I had a similar situation, although at first my WikiGroups page only populated with the group names, not their members. I played around with the group-related LDAP settings and although I'm not sure what ultimately fixed it, I thought I'd list mine here in case they help inspire you or others - the main thing that sticks out as different is that I also have "member" for InnerGroupAttribute where you've got "memberOf". I thought of trying that, but figured it didn't make sense since that's what groups that group is part of, not what members are in the group. The configure screen suggests that it may be the same value as MemberAttribute which may be what fixed it for me.

{Ldap}{GroupBase} = ou=_Groups,dc=sub,dc=domain,dc=com
{Ldap}{GroupFilter} = objectClass=group
{Ldap}{GroupScope} = sub
{Ldap}{GroupAttribute} = name
{Ldap}{PrimaryGroupAttribute} = primaryGroupID
{Ldap}{MemberAttribute} = member
{Ldap}{InnerGroupAttribute} = member
{Ldap}{MemberIndirection} = checked
{Ldap}{WikiGroupsBackoff} = checked
{Ldap}{NormalizeGroupNames} = checked
{Ldap}{MapGroups} = checked

You may want to enable LDAP debug and uncomment all the #writeDebug statements in /var/www/html/foswiki/lib/Foswiki/Contrib/LdapContrib.pm and then review your web server logs. That helped me some - the key thing I eventually caught was the isGroup log statement that finally showed me that the group lookup was working. I just wish I knew what I did that round that actually fixed it!

-- RasmusPraestholm - 17 Sep 2010
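
The difference between `member` and `memberOf` on a group record that the reply above describes, as an added example (not part of the original thread, and a simplified model rather than LdapContrib's own code). The directory entries are constructed, and `group_members` is a hypothetical helper that reads direct members from `member` and looks for nested groups in the attribute passed as `inner_attr`.

```python
# Constructed sample entries (not from the thread): DN -> attributes, AD-style.
BASE = "ou=Firmen,dc=example,dc=de"
STAFF = f"cn=Staff,{BASE}"
EDITORS = f"cn=Editors,{BASE}"


def person(login, groups):
    return {"objectClass": "person", "sAMAccountName": login, "memberOf": groups}


DIRECTORY = {
    f"cn=alice,{BASE}": person("alice", [EDITORS]),
    f"cn=bob,{BASE}": person("bob", [EDITORS]),
    f"cn=carol,{BASE}": person("carol", [STAFF]),
    # Editors is nested inside Staff: Staff lists it in "member",
    # Editors points back at Staff in "memberOf".
    EDITORS: {"objectClass": "group", "memberOf": [STAFF],
              "member": [f"cn=alice,{BASE}", f"cn=bob,{BASE}"]},
    STAFF: {"objectClass": "group", "memberOf": [],
            "member": [EDITORS, f"cn=carol,{BASE}"]},
}


def group_members(directory, group_dn, inner_attr, _seen=None):
    """Logins in group_dn: direct members come from the DN-valued "member"
    attribute (the MemberIndirection case); nested groups are taken from
    inner_attr (the role InnerGroupAttribute plays in this model)."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:  # guard against membership loops
        return set()
    seen.add(group_dn)
    entry = directory[group_dn]
    logins = set()
    for dn in entry.get("member", []):
        target = directory.get(dn)
        if target and target["objectClass"] == "person":
            logins.add(target["sAMAccountName"])
    for dn in entry.get(inner_attr, []):
        target = directory.get(dn)
        if target and target["objectClass"] == "group":
            logins |= group_members(directory, dn, inner_attr, seen)
    return logins


if __name__ == "__main__":
    for attr in ("member", "memberOf"):
        for dn in (STAFF, EDITORS):
            print(attr, dn.split(",")[0], sorted(group_members(DIRECTORY, dn, attr)))
```

In this model, `member` expands Staff to all three users, while `memberOf` walks upward instead: Staff loses the nested Editors members and Editors picks up carol from its parent group.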

QuestionForm

Subject LDAP
Extension LdapContrib
Version Foswiki 1.0.9
Status Asked
Topic revision: r2 - 17 Sep 2010, RasmusPraestholm