LDAP Groups


Juan Asensio Sánchez

Tuesday 19 August 2008 4:06:37 am

Hi

I have just configured ez to authenticate against an LDAP Active Directory server. The authentication seems to work fine, but I have two problems:

- If the user does not have a mail attribute, login fails.
- If I set "LDAPGroupMappingType=GetGroupsTree", the LDAP groups the user belongs to are created automatically in ez, but the user cannot access any area on the site, because he has no role assigned. If I set "LDAPGroupMappingType=GetGroupsTree" or "LDAPGroupMappingType=UseGroupAttribute", the user is included in the "Guest Accounts" group, but the groups he belongs to in the LDAP directory are not created.

Is there any way to automatically create the groups the user belongs to, and also add him to some specific ez groups for default roles and permissions?

Could you help me? Thanks in advance.

Below is my ldap.ini file.

=====================================================

#?ini charset="iso-8859-1"?
# eZ Publish configuration file for connection and authentication of users via LDAP
#

[LDAPSettings]
# Set LDAP version number
LDAPVersion=3

# Set to true to use an LDAP server
LDAPEnabled=true

# LDAP host
LDAPServer=192.168.1.159

# Port nr for LDAP, default is 389
LDAPPort=389

# Specifies the base DN for the directory.
LDAPBaseDn=ou--Cuentas,dc--leo2008,dc--local

# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=LEO2008\Administrador

# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=a1b2c3D4

# Could be sub, one, base.
LDAPSearchScope=sub

# Use the equal sign to replace "=" when specifying LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--

# Add an extra search requirement. Comment it out if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectClass--person

# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=samaccountname

# Could be id or name
LDAPUserGroupType=id

# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]=11

# Group mapping settings:
# Possible values: UseGroupAttribute (old style group assigning using LDAPUserGroupAttribute setting),
# SimpleMapping (using LDAPUserGroupMap array for name-to-name group mapping) or GetGroupsTree
LDAPGroupMappingType=GetGroupsTree

# Base LDAP dn which should be used to fetch user group objects from LDAP
LDAPGroupBaseDN=ou=Cuentas,dc=leo2008,dc=local

# LDAP user group class
LDAPGroupClass=group

# Attribute which should be used to obtain name of an LDAP group
# Required when 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupNameAttribute=cn

# Attribute of LDAP user which should be used to obtain groups which user(group) belongs to.
# Required when 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupMemberAttribute=member

# Attribute which contain description of LDAP group, optional
LDAPGroupDescriptionAttribute=description

# Group names map (from LDAP to ezpublish user-groups),
# used when 'LDAPGroupMappingType' is set to 'SimpleMapping'
LDAPUserGroupMap[]

# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name

# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=

# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname

# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn

# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail

# LDAP encoding is utf-8 or not
Utf8Encoding=false

# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled

Gunnstein Lye

Tuesday 14 July 2009 2:10:11 am

I wasn't aware of this post until now. Sorry for my very late reply, you probably don't need it anymore. I'm posting it anyway in case it can help others.

Q: If the user does not have a mail attribute, login fails.
A: By default, eZ Publish requires all users to have a valid email address. You can change this in site.ini though:

[UserSettings]
# Authenticate match, a list of authenticate fields to use
# Available are login and email
AuthenticateMatch=login
# Controls whether a unique email is required for all users,
# if set to true and email is set in AuthenticateMatch then only
# one email address instance is allowed on the site.
# Set to false to disable it
RequireUniqueEmail=false

Q: Is there any way to automatically create the groups the user belongs to, and also add him to some specific ez groups for default roles and permissions?
A: No, the default group for LDAP users will only be used if no match is found for the more advanced methods (see below). The user will either be placed in the default group for LDAP users (see setting in ldap.ini) or in the group given by his placement on the LDAP server (if there is a match, see below).

LDAP settings and functionality

LDAPGroupMappingType can be one of three:
- UseGroupAttribute
- SimpleMapping
- GetGroupsTree
What all three have in common is that eZ Publish will only assign users to groups automatically. It will not assign roles to groups automatically. The eZ Publish system administrator must create the roles you need, and assign them to user groups.

UseGroupAttribute:
This setting will make one eZ Publish group assignment per LDAP group, as a flat structure. Users will therefore have the same group names in LDAP and in eZ Publish.
You must set LDAPUserGroupAttribute, it must be set to the attribute of the LDAP user object that identifies the group(s) the user belongs to.

SimpleMapping:
This setting allows you to have different group names in LDAP and in eZ Publish. The user groups in eZ Publish can have any structure you like (flat or tree). You must set LDAPUserGroupMap, LDAPGroupNameAttribute, and LDAPGroupMemberAttribute.
- LDAPUserGroupMap maps LDAP group names to eZ Publish group names.
- LDAPGroupNameAttribute must be set to the group attribute that contains the name of LDAP group objects.
- LDAPGroupMemberAttribute must be set to the user attribute that contains the group(s) the user belongs to.

GetGroupsTree:
This setting replicates the structure of the LDAP group tree in eZ Publish groups.
You must set LDAPGroupNameAttribute, and LDAPGroupMemberAttribute.
- LDAPGroupNameAttribute must be set to the group attribute that contains the name of LDAP group objects.
- LDAPGroupMemberAttribute must be set to the user attribute that contains the group(s) the user belongs to.
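As an added example (not from this thread and not part of eZ Publish itself), a small Python checker that reads an ldap.ini, undoes the LDAPEqualSign substitution in the base DN, and reports which settings are still missing for the chosen LDAPGroupMappingType, following the requirements listed in the reply above. The sample ini values and the `LDAPUserGroupMap[<ldap group>]=<eZ group>` entry shape are assumptions.

```python
import configparser

# Constructed sample: an abbreviated copy of the ldap.ini posted above (bind credentials omitted)
SAMPLE_LDAP_INI = """[LDAPSettings]
LDAPBaseDn=ou--Cuentas,dc--leo2008,dc--local
LDAPEqualSign=--
LDAPSearchFilters[]=objectClass--person
LDAPGroupMappingType=GetGroupsTree
LDAPGroupNameAttribute=cn
LDAPGroupMemberAttribute=member
LDAPUserGroupMap[]
LDAPUserGroupAttribute=
"""

# Settings each LDAPGroupMappingType needs, as listed in the reply above.
# A name ending in "[]" is an ini array: at least one filled entry must exist (assumed entry shape).
REQUIRED = {
    "UseGroupAttribute": ["LDAPUserGroupAttribute"],
    "SimpleMapping": ["LDAPUserGroupMap[]", "LDAPGroupNameAttribute", "LDAPGroupMemberAttribute"],
    "GetGroupsTree": ["LDAPGroupNameAttribute", "LDAPGroupMemberAttribute"],
}

def load_settings(ini_text):
    """Parse [LDAPSettings]; keys keep their case and 'Key[]' lines may carry no value."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.optionxform = str
    cp.read_string(ini_text)
    return dict(cp["LDAPSettings"])

def decode_dn(settings, key):
    """Undo the LDAPEqualSign substitution so a DN can be compared with the directory."""
    return settings[key].replace(settings.get("LDAPEqualSign") or "=", "=")

def array_entries(settings, name):
    """Filled entries of an ini array, e.g. LDAPUserGroupMap[Sales]=Editors -> {'Sales': 'Editors'}."""
    prefix = name + "["
    return {k[len(prefix):-1]: v for k, v in settings.items() if k.startswith(prefix) and v}

def check_group_mapping(settings):
    """Return the settings still missing for the configured LDAPGroupMappingType."""
    mode = settings.get("LDAPGroupMappingType") or ""
    if mode not in REQUIRED:
        return ["LDAPGroupMappingType must be one of " + ", ".join(REQUIRED)]
    missing = []
    for key in REQUIRED[mode]:
        present = array_entries(settings, key[:-2]) if key.endswith("[]") else settings.get(key)
        if not present:
            missing.append(key)
    return missing
```

Run against the sample, GetGroupsTree reports nothing missing, which matches the reply: the groups get created, and the remaining gap is roles, which the checker cannot see because they live in eZ Publish, not in ldap.ini.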