[Zope] Re: Group mapping not working on LDAPUserFolder

Josef Albert Meile jmeile at hotmail.com
Mon Jun 7 02:48:59 EDT 2004


>I'm not able to tell entirely from your verbal description, but are
>you saying that you've added an attribute to your users so that each
>user record contains the list of groups to which it belongs, and
>that attribute is 'ou'? This seems odd, not to mention confusing,
>in that 'ou', an organizational unit, is typically structural and
>holds other entries; you certainly could have picked a better name
>for this.
I didn't do that; the people who set up the LDAP did it. I don't know
why either.

>This alone isn't enough for LDAPUserFolder to map groups to (assuming
>that I understand LDAPUserFolder and your description properly). In
>fact, it will merely see this as an additional attribute for your
>user records
Actually, with the patch I did, it maps the groups correctly, but it's not a
standard way.

> > Login Name Attribute: uid
> > RDN Attribute: uid
> > Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
> > Scope: SUBTREE
> > Group storage: Groups stored on LDAP server
> > Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
> > Password: xxxxxx
> > Manager DN Usage: Always
> > Read-only checked
> > User password encryption: SSHA
> > Default User Roles: LDAP=Anonymous
> >
>
>
>Your "Groups Base DN" goes one level too low. You need to point to
>a structural entry which contains your group entries. The groups
>themselves must be something like groupOfUniqueNames, and must have
>individual attribute values for uniqueMember for every member of
>that group.
>
>LDAPUserFolder covers this in the README and comes with some simple
>LDIF examples that illustrate this.
>
>
> > > 2) Group mapping on the LDAPUserFolder's "groups" Tab:
> > "foo_group" maps to zope role "Manager"
>
>
>Once you point the "Groups Base DN" to the (or a) parent element
>of cn=foo_group, and cn=foo_group is of objectClass
>'groupOfUniqueNames', and your user is listed as a 'uniqueMember',
>*then* this will work properly and user 'my_login_name' will have
>the 'Manager' role.
Actually, with that "Groups Base DN" and deleting the "ou" attribute, I can
see every group when doing a search from the manage interface, but when a
user authenticates, it can get the groups to which he belongs.
Anyway, I will check what you said.

>
>Hope I've followed your description correctly, and I hope this
>helps...LDAPUserFolder (and pal, LDAPUserSatellite) have made
>authentication in our Zope setup a pleasure to work with.
Yes, you understood my bad English perfectly :-)

Thanks,
Josef
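As an added example (not from this thread and not LDAPUserFolder's own code), the lookup the reply describes, run over a constructed LDIF snippet: a user's groups are resolved by searching the Groups Base DN for groupOfUniqueNames entries whose uniqueMember holds the user's DN, so a base DN pointing at a sibling entry rather than the parent container finds nothing, and a group name stored in the user's own 'ou' attribute is never consulted. The DN values are built from the redacted names in the thread, and parse_ldif, in_scope and groups_for_user are hypothetical helpers written for this example.

```python
# Constructed sample directory (not the poster's real data): one user that also
# carries the odd 'ou' attribute, plus the group entry the reply describes.
SAMPLE_LDIF = """\
dn: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
objectClass: inetOrgPerson
uid: my_login_name
ou: foo_group

dn: cn=foo_group,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: foo_group
uniqueMember: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
"""
USER_DN = "uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country"


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}. Unfolds continuation
    lines; base64 ('::') values are not handled, the sample has none."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries


def in_scope(dn, base, scope="SUBTREE"):
    """LDAP scope check: SUBTREE is the base entry and everything below it,
    ONELEVEL only its direct children. RDN comparison is case-insensitive."""
    d = [c.strip().lower() for c in dn.split(",")]
    b = [c.strip().lower() for c in base.split(",")]
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    return scope == "SUBTREE" or len(d) == len(b) + 1


def groups_for_user(entries, user_dn, groups_base_dn, scope="SUBTREE"):
    """The lookup the reply says LDAPUserFolder needs: groupOfUniqueNames
    entries under the Groups Base DN whose uniqueMember lists the user's DN.
    Returns the matching groups' cn values; the user's own 'ou' is ignored."""
    return sorted(
        attrs["cn"][0]
        for dn, attrs in entries.items()
        if in_scope(dn, groups_base_dn, scope)
        and "groupofuniquenames" in [v.lower() for v in attrs.get("objectclass", [])]
        and user_dn.lower() in [m.lower() for m in attrs.get("uniquemember", [])]
    )
```

With the Groups Base DN from the post (cn=foo_account,...) the search returns no groups; with its parent container (ou=admins,...) the user resolves to foo_group.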
