Forums / General / Still with ldap

Still with ldap

Author Message

Franck T.

Friday 06 August 2004 2:13:17 am

Hello everybody. My question is about how to save LDAP users in a specific group in ezPublish ?
In the ldap.ini file, the comment about LDAPUserGroupAttribute says: "...If specified, LDAP users will be saved under the same group as in LDAP server." So in my LDAP, if I set the attribute employeeType to "Group-A" for my user "John" , why is this employee not stored in "Group-A" in EzPublish ?
Also what the difference between LDAPUserGroupAttribute and LDAPUserGroup (default place to store LDAP users) ?
Will LDAP users be saved in the group I gave in employeeType or in this defautl place ?
It seems I miss something but what ?
This is my ldap.ini:

# Could be id or name
LDAPUserGroupType= name
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup= ??????????? Don't know what to put here ??????????????????????
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype

Daniel Beyer

Friday 06 August 2004 4:13:45 am

Hi there,

# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup=

You have to set the default place for new LDAP-Users. eZ publish need this information in case you have different or new user groups in your LDAP-dir than in our eZp installation. You have to choose, wether you type the name of the default user group or the id of it. I suggest you set LDAPUserGroupType to id and LDAPUserGroup to the a ObejctID of a new user group in our eZ publish, which as limited rights in the system.

# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype

As the comments say LDAPUserGroupAttribute compares the LDAP-attribute employeetype with the name of existing user groups in your eZ publish. You need to create each user group in your eZ publish manually - they won't be created auotmaticly by eZ publish! Just create the same user groups like you have in your LDAP-directory - if you forgot one user group the users of the forgotten group will be stored in the place you defined in LDAPUserGroup above.
This workes for the name of the usergroups or with IDs. But since it would be pretty hard to create the same ContentObejctIDs in your eZ publish like you have in your LDAP-directory, I suggest to set LDAPUserGroupAttributeType to name and not to ID.

Daniel Beyer
_________________________________
YMC AG
Kreuzlingen, Switzerland
web: www.ymc.ch
____________________________________

Franck T.

Sunday 08 August 2004 2:44:45 pm

OK Daniel thanks for your explanations (one more time...) but I've found my error.
In my firts attempt I had employeeType and not employeetype, with a litte 't'.
My LDAP attribute is employeeType but it seems that the script is case sensitive. Thats's odd but now it works.
4 hours for a little 't'...

Kristof Coomans

Thursday 20 March 2008 6:51:29 am

Specifying LDAPUserGroupAttributeType=id actually does not make the LDAP login handler use object or node ID's. Instead, it searches for an object of which the name matches a concatenation of "LDAP " and the value coming from the LDAP field specified by ldap.ini [LDAPSettings] LDAPUserGroupAttribute.

independent eZ Publish developer and service provider | http://blog.coomanskristof.be | http://ezpedia.org

viraj hoober

Monday 14 June 2010 12:18:01 am

Hi everyone, i am new to ezpublish and i got to use LDAP for authentication. I read on the net but couldn't find a good documentation on how to do it. I setup my active directory and created new group and user. I am using ez publish 4.2 and my ldap.ini is as follows:

# Enable tracing the the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=2
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=192.168.0.137
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--noudomain,DC--orinux,DC--lan
# If the server does not allow anonymous bind, specify the user name for the bind here.
[email protected]
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=Pwd321$
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]
# LDAP attribute for login. Normally, uid
#LDAPLoginAttribute=sAMAccountName
LDAPLoginAttribute=cn
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]=4
# Group mapping settings:
# Root node id where LDAP groups are created, node id: 5 is used if blank
LDAPGroupRootNodeId=5
# Possible values: UseGroupAttribute (old style group assignig using LDAPUserGroupAttribute setting),
# SimpleMapping (using LDAPUserGroupMap array for name-to-name group mapping) or GetGroupsTree
LDAPGroupMappingType=SimpleMapping
# Base LDAP dn which should be used to fetch user group objects from LDAP
LDAPGroupBaseDN=
# LDAP user group class
LDAPGroupClass=exampleGroupDAClassName
# Attribute which should be used to obtain name of an LDAP group
# Required then 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupNameAttribute=uid
# Attribute of LDAP user which should be used to obtain groups which user(group) belongs to.
# Required then 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupMemberAttribute=member
# Attribute which contain description of LDAP group, optional
LDAPGroupDescriptionAttribute=
# Group names map (from LDAP to ezpublish user-groups),
# used then 'LDAPGroupMappingType' is set to 'SimpleMapping'
LDAPUserGroupMap[ezmember]=ezmember
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=ezmember
# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname
# If cn (common name) is used for first name, sn (Last name) will be removed from first name
LDAPFirstNameIsCommonName=false
# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn
# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail
# For use if LDAP does not return mail, creates one using login name + email suffix, like '@ez.no'
LDAPEmailEmptyAttributeSuffix=
# LDAP encoding is utf-8 or not
Utf8Encoding=false
# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled

I enabled ezDebug to chek the errors and i get it stops at stage 2/5 with the error message: "User DN was not found!"

Can anybody tell me what is the error and/or is there something i must add or have i missed something. Some step-by-step help would be greatly appreciated

Gunnstein Lye

Monday 05 July 2010 7:21:58 am

"

Hi everyone, i am new to ezpublish and i got to use LDAP for authentication. I read on the net but couldn't find a good documentation on how to do it. I setup my active directory and created new group and user. I am using ez publish 4.2 and my ldap.ini is as follows:

(cut...)

I enabled ezDebug to chek the errors and i get it stops at stage 2/5 with the error message: "User DN was not found!"

Can anybody tell me what is the error and/or is there something i must add or have i missed something. Some step-by-step help would be greatly appreciated

"

Viraj,
I got your PM. For documentation on ldap.ini, please see
http://ez.no/doc/ez_publish/technical_manual/4_x/reference/configuration_files/ldap_ini
or the comments within the file itself.

For a better understanding of how the LDAP login works, please see
http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler
and also the three sub pages:
http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler/ldap_group_mapping_type
http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler/roles_and_settings
http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler/enhancements
I know it is a lot to read, but it is a complex subject, and every LDAP server is different.

Your login stops at stage 2/5 with the error message: "User DN was not found!". This means that the login handler has queried the LDAP server for the user you want to login as, but the server has not returned any matching result. Some things to check:
- The username could be wrong
- The ldap.ini settings could be wrong, meaning that you are searching with the wrong parameters or searching the wrong server
- The LDAP server may not be configured to give eZ Publish read access