This question about LDAP: Asked

How to config LDAP Group query

Note: I am authenticating against AD

I have gotten apache to work using the following LDAP config
<Directory "/sa001/ldaptest" >

      AuthBasicProvider ldap
      AuthzLDAPAuthoritative On

      AuthLDAPURL ldap://,ou=usa,ou=noram,dc=fss,dc=pykie,dc=com?userPrincipalName?sub?(objectClass=person)

        AuthLDAPGroupAttributeIsDN on
        Require ldap-group CN=UNIX_G,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com

AuthLDAPBindDN "cn=svc_apacheldap,cn=Users,dc=fss,dc=pykie,dc=COM"
AuthLDAPBindPassword jswertpoi

    AuthType Basic
    AuthName "Authorization required"

    AuthzLDAPLogLevel debug

I can log in to the foswiki with these settings
$Foswiki::cfg{Ldap}{UserBase} = [
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'userPrincipalName';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{CaseSensitiveLogin} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};

but I can not for the life of me figure out how to config the Groups in foswiki.

I found this doc online -

Membership:: LDAP servers follow different schemata to define "membership". They store the information either using a set of unique ids in the group object (posixGroup) or the full DNs of the user objects (groupOfNames). In the latter case the user objects' unique ids have to be fetched separately based on their distinguished name. This mode has to be switched on using the MemberIndirection setting.

The reverse relation, where the user objects hold membership information (for example using a memberOf attribute) is maintained by some LDAP servers automatically. Those that encode membership this way only are not supported by the LdapContrib yet.

If what I am trying to do is not possible - I would gladly give up - but I can see a AD entry like this
          objectClass: top
                   cn: UNIX_G
          description: UNIX DOCS
               member: CN=Smith\, John J.,OU=Users,OU=USA,OU=NORAM,DC=fss,DC=pykie,DC=com

so the group membership is not only in the user.

The docs also say: Furthermore, user objects may have one primary group attribute. This is a simple value that stores the id of a default group that user is member of. This attribute is defined by specifying the PrimaryGroupAttribute setting.

LdapContrib reads membership information as they are stored in the group objects, and may map the member object indirectly to the login name. In addition any "primary group" setting stored in the user objects is consulted as well.

Online I have found references to In AD (Active Directory) it is not obvious or straight-forward to understand how to find out the Primary Group that a user belongs to which may be part of my problem. but again it is not obvious that I am defintely SOL and should give up.

I have this setting - because that seems the sanest, but my LDAP dump of UNIX_G shows no field primaryGroupID. Dump of my (the user) entry in LDAP does.

$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'primaryGroupID';

Can anyone give me direction. I will happily supply more info - I just have to sanitize it first.

April 5, 2017

Anyone out there? I think this question pertains to my question as well (Support.Question1869)

-- VickiBrown

QuestionForm edit

Subject LDAP
Extension LdapContrib
Version Foswiki 1.1.8
Status Asked
Related Topics
Topic revision: r2 - 05 Apr 2017, VickiBrown - This page was cached on 13 Jan 2018 - 02:15.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License