
LDAP default group


Samuel Sauder

Monday 09 January 2006 11:21:20 am

I am having some struggles understanding how LDAPUserGroup configuration works. Please help me sort this out. Or if it is a developer question and I should post it in that forum, let me know.

1) Does this particular group name have to exist on the LDAP server as well? I know it needs to exist on the EZp side.

2) What is the purpose of making this configuration item an array? If I use the ldap cron job that synchronizes any changes in a person's group definitions, what is this group listing for? I can see the logic that if you specify one group it behaves as an LDAP specific guest group (if you want to keep regular guests separate).

3) Does the order of groups coming from the LDAP server have any correlation to the logic being used in ldapuser classes and cronjob? Or in the configuration of my default group?

My experience so far...
I have attempted to use the default group idea but I am running into a strange issue where things start to misbehave if my first group listed from LDAP is not yet set up in EZp.

EZpublish 3.7.2

Samuel Sauder

Wednesday 11 January 2006 10:38:00 am

I finally got it to work. I will attempt to answer my own questions.

1. no

2. still don't know why this could be an array...

3. no and no.

What I did find that worked is that my default LDAP group needs to be inside another User Group. If it is at the root of the Users object, things may fail.

j jevack

Thursday 02 February 2006 4:04:01 am

Samuel,

Regarding the LDAPUserGroup configuration, did you find the following to be an accurate explanation of how things worked (this is a part of another ldap forum post):
<i>
If the LDAPUserGroup is an array, then the first one will be the default placement of ldap users. If it's not, then all ldap users are stored in the same eZ publish user group.

LDAPUserGroupAttributeType and LDAPUserGroupAttribute are used to specify which attribute of the ldap user object eZ publish should use when deciding where to place the users.

So, an example:
LDAPUserGroupType=name
LDAPUserGroup[]=Default
LDAPUserGroup[]=Secretary
LDAPUserGroup[]=Clerk
LDAPUserGroup[]=Boss
LDAPUserGroupAttributeType=name
LDAPUserGroupAttribute=employeetype

Now, when logging in, eZ publish looks at the LDAP object, and finds the attribute whose name is employeetype, and reads its value. Then, eZ publish searches for an eZ publish user group whose name equals the given value. If it is found, then the user is stored there. If not, it is stored in Default.
</i>

I'm having trouble getting users stored in appropriate ezp groups. At this point, ezp is putting a user in every group specified in the LDAPUserGroup array regardless of the values in the LDAPUserGroupAttributeType/LDAPUserGroupAttribute variables.

Thanks

Jason

Daniel Sippel

Monday 27 February 2006 2:09:33 am

Hello j jevack!

I experienced the same problem as you with eZ publish 3.7.3, but I think this is not a bug.

You have to specify only ONE LDAPUserGroup[], the one where the default LDAP-Users should be placed.
Every time a user logs in and his LDAP attribute, e.g. employeeType, matches an existing group name in eZ publish, he will be placed in this group.

Daniel

Samuel Sauder

Tuesday 28 February 2006 7:09:48 am

Jason, from my experience Daniel is correct. Default means "if I can't find any (existing in EzPublish) groups that match (to LDAP groups) for this user." So if you define LDAPUserGroup as an array, it means if there is no match, assign them to all these groups.

(I think the above quote and example you mentioned is misleading.)
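
Added example, not part of any post in this thread and not eZ publish code: a Python model of the placement behaviour as Daniel and Samuel describe it, with a check that flags an LDAPUserGroup array that would put every unmatched LDAP user into several groups at once. The function names, the sample settings text and the LDAP attribute values are constructed for illustration.

```python
# Model of the behaviour described in this thread; NOT eZ publish's own code.
# All function names here are hypothetical.

SAMPLE_INI = """\
LDAPUserGroupType=name
LDAPUserGroup[]=Default
LDAPUserGroup[]=Secretary
LDAPUserGroup[]=Clerk
LDAPUserGroup[]=Boss
LDAPUserGroupAttributeType=name
LDAPUserGroupAttribute=employeetype
"""  # constructed from the settings quoted in the thread


def parse_settings(text):
    """Parse ini lines: 'Key[]=v' appends to a list, 'Key=v' sets a scalar."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, comment, or [Section] header
        key, value = (part.strip() for part in line.split("=", 1))
        if key.endswith("[]"):
            settings.setdefault(key[:-2], []).append(value)
        else:
            settings[key] = value
    return settings


def fallback_groups(settings):
    """Groups used when no LDAP attribute value matches an existing group."""
    value = settings.get("LDAPUserGroup", [])
    return [value] if isinstance(value, str) else list(value)


def place_user(settings, ldap_attrs, existing_groups):
    """Matching group(s) win; with no match, ALL fallback groups are assigned."""
    values = ldap_attrs.get(settings.get("LDAPUserGroupAttribute", ""), [])
    matched = [v for v in values if v in existing_groups]
    return matched if matched else fallback_groups(settings)


def audit(settings):
    """Warn when the fallback would grant more than one group membership."""
    groups = fallback_groups(settings)
    if len(groups) > 1:
        return ["unmatched LDAP users are placed in all of: " + ", ".join(groups)]
    return []
```

With the sample settings, a user whose employeetype matches no existing group ends up in Default, Secretary, Clerk and Boss together; reducing the array to a single LDAPUserGroup[] entry limits the fallback to that one group.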