AD group mapping in EzPublish


nicholas king

Thursday 29 July 2010 2:24:21 am

Hello,
I am currently really struggling to get AD and eZ Publish group mappings to work. At the moment a user enters their details into the login boxes, eZ Publish delves into AD, finds the user, and creates and adds them to the Members group in eZ Publish.

I have trawled the documentation and forums and tried all the things suggested, and still I cannot stop users from going into the Members group.

Currently I can confirm that:

* The Active Directory to eZ Publish connection is currently working.
* eZ Publish puts all AD users who log in into the Members directory.

My settings inside ldap.ini.append.php are as follows:

#?ini charset="iso-8859-1"?
# eZ Publish configuration file for connection and authentication of users via LDAP
#
[LDAPSettings]
LDAPDebugTrace=enabled
# Enable tracing of the LDAP login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=gcwwdc01.example.co.uk
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--example,DC--co,DC--uk
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=<intranetuser>
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=<intranetpassword>
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equal sign to replace "=" when specifying LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirement. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectCategory--person
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName
LDAPDebugTrace=enabled
LDAPUserGroupType=name
LDAPUserGroupAttribute=intranetAdmin
LDAPGroupBaseDN = DC--example, DC--co, DC--uk
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
LDAPUserGroupAttribute=cn
LDAPUserGroupMap[]
LDAPUserGroupMap[intranetAdmin]=intranetAdmin

Any help or suggestions would be really appreciated.

Many thanks,

Nicholas

Robin Muilwijk

Friday 27 August 2010 1:14:27 pm

Hi Nicholas,

Do you have this working already? I'm no expert on this, but can you check http://ez.no/doc/ez_publish/technical_manual/4_x/reference/configuration_files/ldap_ini/ldapsettings/ldapusergrouptype

You use LDAPUserGroupType=name, and the linked doc page says you then need to set LDAPUserGroup, whereas instead you set LDAPUserGroupAttribute?

This is the only inconsistency I've been able to find, as an LDAP n00b ;)

Regards, Robin

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk
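An added example, not from the thread or from eZ Publish itself: a small Python linter that parses an ini fragment in the style of the ldap.ini.append.php posted above and reports the settings that stand out there, namely LDAPUserGroupAttribute being set twice to different values, LDAPDebugTrace left enabled (the file's own comment says it logs login names and passwords), and LDAPUserGroupType=name with no LDAPUserGroup[] entry, which is the mismatch Robin points to. The sample ini is constructed from the posted one, and the rule that name requires LDAPUserGroup[] is taken from the doc page as the reply describes it.

```python
# Constructed sample, modelled on the ldap.ini.append.php posted in the thread
SAMPLE_INI = """\
#?ini charset="iso-8859-1"?
[LDAPSettings]
LDAPDebugTrace=enabled
LDAPEqualSign=--
LDAPBaseDn=DC--example,DC--co,DC--uk
LDAPUserGroupType=name
LDAPUserGroupAttribute=intranetAdmin
LDAPGroupMappingType=SimpleMapping
LDAPUserGroupAttribute=cn
LDAPUserGroupMap[]
LDAPUserGroupMap[intranetAdmin]=intranetAdmin
"""

def parse_ez_ini(text):
    """Parse eZ-style ini text into {section: [(key, value), ...]}, keeping
    every occurrence so duplicate keys can be reported. '#' lines (including
    the '#?ini charset' header) are comments; arrays use Name[] / Name[sub]."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip() if sep else None))
    return sections

def lint_ldap_settings(text):
    """Return [(code, message)] findings for the [LDAPSettings] section."""
    findings, scalars = [], {}
    entries = parse_ez_ini(text).get("LDAPSettings", [])
    for key, value in entries:
        if "[" in key:
            continue  # array entries are handled below
        if key in scalars and scalars[key] != value:
            findings.append(("conflict", f"{key} is set to {scalars[key]!r} and later to {value!r}; only one value can take effect"))
        scalars[key] = value
    if scalars.get("LDAPDebugTrace") == "enabled":
        findings.append(("debug", "LDAPDebugTrace=enabled writes login names and passwords to the logs; disable it after setup"))
    # Assumption from the linked doc as the reply describes it: type 'name' needs LDAPUserGroup[] entries
    groups = [k for k, v in entries if k.startswith("LDAPUserGroup[") and v]
    if scalars.get("LDAPUserGroupType") == "name" and not groups:
        findings.append(("missing", "LDAPUserGroupType=name but no LDAPUserGroup[] entry names the target group(s)"))
    return findings
```

Run lint_ldap_settings(SAMPLE_INI) to see the three findings; the same function returns an empty list once the duplicate is removed, debug tracing is disabled and an LDAPUserGroup[] entry is added.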

Nicolas Pastorino

Monday 30 August 2010 12:24:14 am

Hi Nicholas,

You can also have a look here:
http://share.ez.no/forums/install-configuration/ldap-user-groups-activedirectory-ez-publish

Cheers!

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye
