Item5474: nested groups don't work with Active Directory server

Priority: Normal
Current State: Closed
Released In:
Target Release: n/a
Applies To: Extension
Component: LdapContrib
Branches:
Reported By: TWiki:Main.AivoJurgenson
Waiting For:
Last Change By: MichaelDaum
Hi,

It seems that TWiki 4.2.0 and LdapContrib v2.99.4 don't work with hierarchical groups or nested groups in my environment. I'm running a Microsoft AD LDAP server and I have groups like

objectClass: groups
dn: CN=EL_FIN,OU=Org,...
cn: EL_FIN
member: CN=EL_FIN_DIR,OU=Org,....

I'm using

GroupAttribute = 'cn'
MemberAttribute = 'member'
MemberIndirection = 1

It seems that the cacheGroupFromEntry function iterates over all groups found from the LDAP search and adds those members of the current group $groupName, which have $data->{"DN2U::$member_DN"} defined. Because groups are not user accounts, they don't have this data defined and they are skipped with the error message "oops, $member_DN not found, but member of $groupName".

Therefore the relationship between for example EL_FIN and EL_FIN_DIR is never established and the nested groups do not work for authorizations.

The patch has a bug with international group names. I didn't convert from UTF-8 to the TWiki charset, and the correct lines should be

if ($memberGroupName) {
   # LDAP returns the name as UTF-8; convert to the site charset unless the site already uses UTF-8
   $memberGroupName = from_utf8(-string => $memberGroupName, -charset => $TWiki::cfg{Site}{CharSet})
      unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;
}

-- TWiki:Main.AivoJurgenson - 29 Apr 2008

This might be related to Item5118. TWiki's 4.2.0 code is pretty buggy currently.

-- TWiki:Main.MichaelDaum - 02 Jun 2008

No, I've found the bug. Being worked on.

-- TWiki:Main.MichaelDaum - 11 Jun 2008

The provided patch has another bug itself. When normalizeGroupName is used, the patch doesn't follow normalized group names and therefore breaks the indirection. The correct way is to add

if ($this->{normalizeGroupName}) {
   # store the nested group under the same normalized name that is used as the cache key
   $memberGroupName = $this->normalizeWikiName($memberGroupName);
}

code snippet to the if ($memberGroupName) { branch.

-- TWiki:Main.AivoJurgenson - 29 Jul 2008
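To illustrate the two points raised in this item, here is an added Python example that is not LdapContrib's own code: a group cache that keeps a member DN as a nested-group reference when it is a known group rather than a user (instead of dropping it with "oops ... not found"), expands membership transitively with a guard against membership cycles (which AD permits), and applies the same name normalization to cache keys and nested references so that indirection is not broken. The group entries, the DN2U map and the normalize_group_name stand-in are constructed assumptions, not real directory data or TWiki's normalizeGroupName.

```python
import re
# Constructed sample AD group entries mirroring the report (not real directory data).
# A "member" DN may point at a user account or at another group.
GROUP_ENTRIES = [
    {"dn": "CN=EL_FIN,OU=Org,DC=example,DC=test", "cn": "EL_FIN",
     "member": ["CN=EL_FIN_DIR,OU=Org,DC=example,DC=test",
                "CN=alice,OU=Users,DC=example,DC=test"]},
    {"dn": "CN=EL_FIN_DIR,OU=Org,DC=example,DC=test", "cn": "EL_FIN_DIR",
     "member": ["CN=bob,OU=Users,DC=example,DC=test",
                "CN=EL_FIN,OU=Org,DC=example,DC=test"]},  # deliberate cycle
]
# DN -> wiki name for user accounts (the DN2U entries the report refers to)
DN2U = {
    "CN=alice,OU=Users,DC=example,DC=test": "AliceSmith",
    "CN=bob,OU=Users,DC=example,DC=test": "BobJones",
}

def normalize_group_name(name):
    """Simplified stand-in for normalizeGroupName: keep only alphanumerics."""
    return re.sub(r"[^A-Za-z0-9]", "", name)

def cache_groups(entries, dn2u, normalize=False):
    """Build group -> (users, nested groups). A member DN that is a known group
    is kept as a nested reference, normalized exactly like the cache keys."""
    dn2g = {e["dn"]: e["cn"] for e in entries}
    norm = normalize_group_name if normalize else (lambda n: n)
    cache = {}
    for e in entries:
        users, nested = set(), set()
        for member_dn in e["member"]:
            if member_dn in dn2u:
                users.add(dn2u[member_dn])
            elif member_dn in dn2g:
                nested.add(norm(dn2g[member_dn]))
        cache[norm(e["cn"])] = (users, nested)
    return cache

def expand_members(cache, group):
    """Transitively collect users of a group; 'seen' breaks membership cycles."""
    result, seen, todo = set(), set(), [group]
    while todo:
        g = todo.pop()
        if g in seen or g not in cache:
            continue
        seen.add(g)
        users, nested = cache[g]
        result |= users
        todo.extend(nested)
    return result
```

With the cache built this way, EL_FIN resolves to both AliceSmith (direct) and BobJones (via EL_FIN_DIR), which is exactly the relationship the original code never established.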

The latest version has got rudimentary support for nested groups. Please test.

-- MichaelDaum - 07 Jan 2009

SVN Range: TWiki-5.0.0, Sun, 09 Mar 2008, build 16496
Checkins: LdapContrib:5ac3d24b507e
Attachment: LdapContrib.patch (1 K, 25 Mar 2008 - 17:34, AivoJurgenson): quick and dirty patch to lib/TWiki/Contrib/LdapContrib.pm
Topic revision: r8 - 27 Apr 2009, MichaelDaum