[Zope] Re: Group mapping not working on LDAPUserFolder

David A. Riggs spam_riggs at csee.wvu.edu
Fri Jun 4 15:35:32 EDT 2004


Josef Meile wrote:
>  
> I just found that the group mapping isn't working for our LDAP. I tried 
> with the LDAPUserFolder 2.4beta2 and CookieCrumbler 1-1. I could 
> authenticate myself against the LDAP, search some users, and I could 
> also see the groups, but the group mapping (on the groups tab) didn't work.
> 
> This is what I have:
> 
> 1) We have an extra attribute for the LDAP Schema:
> LDAP Attribute Name: ou
> Friendly Name: group
> Multi-valued: Yes
> 
> This attribute gives us a list of groups to which a user belongs. The 
> rest of the configuration for the LDAP is quite normal:


I'm not able to tell entirely from your verbal description, but are
you saying that you've added an attribute to your users so that each
user record contains the list of groups to which it belongs, and
that attribute is 'ou'? This seems odd, not to mention confusing,
in that 'ou', an organizational unit, is typically structural and
holds other entries; you certainly could have picked a better name
for this.

This alone isn't enough for LDAPUserFolder to map groups to (assuming
that I understand LDAPUserFolder and your description properly). In
fact, it will merely see this as an additional attribute for your
user records.


> Login Name Attribute: uid
> RDN Attribute: uid
> Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
> Scope: SUBTREE
> Group storage: Groups stored on LDAP server
> Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
> Password: xxxxxx
> Manager DN Usage: Always
> Read-only checked
> User password encryption: SSHA
> Default User Roles: LDAP=Anonymous
> 


Your "Groups Base DN" goes one level too low. You need to point to
a structural entry which contains your group entries. The groups
themselves must be something like groupOfUniqueNames, and must have
individual attribute values for uniqueMember for every member of
that group.

LDAPUserFolder covers this in the README and comes with some simple
LDIF examples that illustrate this.


> 
> 2) Group mapping on the LDAPUserFolder's "groups" Tab:
> "foo_group" maps to zope role "Manager"


Once you point the "Groups Base DN" to the (or a) parent element
of cn=foo_group, and cn=foo_group is of objectClass
'groupOfUniqueNames', and your user is listed as a 'uniqueMember',
*then* this will work properly and user 'my_login_name' will have
the 'Manager' role.

Hope I've followed your description correctly, and I hope this
helps... LDAPUserFolder (and its pal, LDAPUserSatellite) have made
authentication in our Zope setup a pleasure to work with.

-- 
- David A. Riggs <riggs at csee dot wvu dot edu>
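The three conditions the reply lays out (Groups Base DN pointing at the parent of the group entries, groups being groupOfUniqueNames, and the user's DN listed as a uniqueMember) can be checked against an LDIF export before touching the Zope configuration. The script below is an added example written for this page; it is not code from the thread or from the LDAPUserFolder project. The LDIF, the user DN and the sibling entry cn=foo_account are constructed from the thread's placeholders, and the DN handling is deliberately naive (no escaped commas, no base64 LDIF values).

```python
"""Added example, not from the mailing-list thread or the LDAPUserFolder
project: check the three conditions the reply spells out (the Groups Base
DN is the parent of the group entries, each group is a groupOfUniqueNames,
and the user's DN is listed as a uniqueMember), then apply the cn -> Zope
role mapping from the "groups" tab. The LDIF below is constructed; DNs and
names mirror the thread's placeholders."""

SAMPLE_LDIF = """\
dn: ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: organizationalUnit
ou: admins

dn: cn=foo_group,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: foo_group
uniqueMember: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,
 o=org,c=country
uniqueMember: uid=other_user,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country

dn: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: foo_account
uniqueMember: uid=other_user,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
"""

USER_DN = "uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country"
GROUP_TO_ROLE = {"foo_group": "Manager"}   # the thread's single mapping
DEFAULT_ROLES = ["Anonymous"]              # the thread's default user role


def dn_components(dn):
    """Split a DN into lower-cased RDNs (naive: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def norm_dn(dn):
    return ",".join(dn_components(dn))


def is_under(entry_dn, base_dn):
    """True when entry_dn lies strictly below base_dn in the tree."""
    e, b = dn_components(entry_dn), dn_components(base_dn)
    return len(e) > len(b) and e[-len(b):] == b


def parse_ldif(text):
    """Minimal LDIF reader: {normalized dn: {attr: [values]}}.
    Handles 'attr: value' lines and single-space continuation lines only
    (no base64 '::' values, no changetype records)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # unfold a continuation line
            else:
                lines.append(line)
        dn, attrs = None, {}
        for line in lines:
            key, _, value = line.partition(": ")
            if key == "dn":
                dn = norm_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
        entries[dn] = attrs
    return entries


def check_group_tree(entries, groups_base_dn, user_dn):
    """Return (problems, group_cns).

    problems lists why the configured Groups Base DN cannot work;
    group_cns are the cn values of groupOfUniqueNames entries below the
    base DN whose uniqueMember values include user_dn."""
    problems, group_cns = [], []
    base, user = norm_dn(groups_base_dn), norm_dn(user_dn)
    base_entry = entries.get(base)
    if base_entry is None:
        problems.append("Groups Base DN %s does not exist" % groups_base_dn)
    elif "groupofuniquenames" in [c.lower() for c in base_entry.get("objectClass", [])]:
        problems.append("Groups Base DN %s is itself a group entry; "
                        "point it one level up, at the parent" % groups_base_dn)
    for dn, attrs in entries.items():
        if not is_under(dn, base):
            continue
        classes = [c.lower() for c in attrs.get("objectClass", [])]
        if "groupofuniquenames" not in classes:
            continue                            # containers etc. are ignored
        members = [norm_dn(m) for m in attrs.get("uniqueMember", [])]
        if user in members:
            group_cns.extend(attrs.get("cn", []))
    return problems, group_cns


def zope_roles(group_cns, mapping=GROUP_TO_ROLE, default=DEFAULT_ROLES):
    """Apply the groups-tab mapping; fall back to the default roles."""
    roles = sorted({mapping[g] for g in group_cns if g in mapping})
    return roles or list(default)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for base in ("cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country",
                 "ou=admins,ou=grp3,ou=grp4,o=org,c=country"):
        problems, groups = check_group_tree(entries, base, USER_DN)
        print(base, "->", problems or "ok", groups, zope_roles(groups))
```

Run against the thread's original setting (Groups Base DN = cn=foo_account,...) the check reports that the base is a group entry rather than a container and finds no groups, so the user falls back to the default role; with the base moved one level up to ou=admins,... it finds cn=foo_group and resolves the Manager role.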
