This question about Using an extension: Asked

LdapContrib nested groups with memberIndirection enabled don't work for groups in a sub ou

When attempting to parse my organization's LDAP for group membership information, nested groups do not get parsed properly if the group is in a sub ou. Here is an example where groupA contains two groups, groupB and groupC, that are located in a sub ou.

LdapContrib - called getGroup(groupA), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupA)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 1 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupB,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupB,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupC,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupC,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

If getGroup could have been called on just the group name and not the group name plus the sub ou, it would have worked. Is this a problem with my LDAP server not returning a result for the filter or an issue with LdapContrib? Here are the relevant settings from my LocalSite.cfg:

$Foswiki::cfg{Ldap}{Host} = 'ldap.domain.local';

$Foswiki::cfg{Ldap}{Port} = 389;

$Foswiki::cfg{Ldap}{Version} = '3';

$Foswiki::cfg{Ldap}{Base} = 'dc=domain,dc=local';

$Foswiki::cfg{Ldap}{BindDN} = '';

$Foswiki::cfg{Ldap}{BindPassword} = 'secret';

$Foswiki::cfg{Ldap}{UseSASL} = 0;

$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';

$Foswiki::cfg{Ldap}{UseTLS} = 0;

$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';

$Foswiki::cfg{Ldap}{TLSVerify} = 'require';

$Foswiki::cfg{Ldap}{TLSCAPath} = '';

$Foswiki::cfg{Ldap}{TLSCAFile} = '';

$Foswiki::cfg{Ldap}{TLSClientCert} = '';

$Foswiki::cfg{Ldap}{TLSClientKey} = '';

$Foswiki::cfg{Ldap}{Debug} = 1;

$Foswiki::cfg{Ldap}{UserBase} = 'ou=people,dc=domain,dc=local';

$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';

$Foswiki::cfg{Ldap}{UserScope} = 'sub';

$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';

$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'cn';

$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;

$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;

$Foswiki::cfg{Ldap}{WikiNameAliases} = '';

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;

$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';

$Foswiki::cfg{Ldap}{GroupBase} = 'ou=groups,dc=domain,dc=local';

$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';

$Foswiki::cfg{Ldap}{GroupScope} = 'sub';

$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';

$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';

$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';

$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';

$Foswiki::cfg{Ldap}{MemberIndirection} = 1;

$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;

$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;

$Foswiki::cfg{Ldap}{MapGroups} = 1;

$Foswiki::cfg{Ldap}{RewriteGroups} = {};

$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};

$Foswiki::cfg{Ldap}{MergeGroups} = 0;

$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;

$Foswiki::cfg{Ldap}{Precache} = 0;

$Foswiki::cfg{Ldap}{PageSize} = 0;

$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';

I patched my LDAPContrib.pm with this to make it work:
@@ -2210,9 +2211,9 @@
           if (!$this->{preCache} && $member =~ /$this->{groupBase}/i) {
             my $innerGroupName = $member;
             $innerGroupName =~ s/$this->{groupBase}//o;
             $innerGroupName =~ s/$this->{groupAttribute}=//o;
             $innerGroupName =~ s/^,+//o;
-            $innerGroupName =~ s/,+$//o;
+            $innerGroupName =~ s/,.*$//o;
 
             # Smell: this may not be reliable and may work only with membersind
irection. TO CHECK
             if ($innerGroupName ne "" && $this->isGroup($innerGroupName, $data)
) {
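Review bot: The new `s/,.*$//o` on the `+` line cuts the name at the first comma, which discards the sub ou instead of resolving it. Two groups with the same cn in different sub ous under groupBase then reduce to the same inner group name, and the following `isGroup($innerGroupName, $data)` check cannot tell them apart, so members of one can be attributed to the other. A cn whose value contains an escaped comma is also truncated. Consider splitting the member DN into RDNs, taking the first RDN's value only when its attribute is groupAttribute, and keeping the remaining RDNs to disambiguate. Separately, the context lines interpolate `$this->{groupBase}` and `$this->{groupAttribute}` into the patterns unquoted and unanchored; wrapping them in `\Q...\E` and anchoring the base to the end of the DN would stop regex metacharacters in the configured base from changing what is matched.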

-- JayenAshar - 02 Nov 2011
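
The patch above derives the inner group name by regex substitution on the member DN. As an added example (not code from LdapContrib or from the poster), this Perl script compares the original and patched final substitution with a DN-aware split on constructed member DNs; `strip_name`, `split_dn` and `inner_group` are hypothetical helper names, and the DN parsing is simplified (no quoted or hex-encoded values).

```perl
#!/usr/bin/perl
# Added example, not LdapContrib code. Member DNs are constructed samples.
use strict;
use warnings;

my $group_base = 'ou=groups,dc=domain,dc=local';   # GroupBase from the post
my $group_attr = 'cn';                             # GroupAttribute from the post

# Regex stripping as in the hunk (base quoted here); $last is the final
# substitution, which is the one line the patch changes.
sub strip_name {
    my ($member, $last) = @_;
    my $name = $member;
    $name =~ s/\Q$group_base\E//i;
    $name =~ s/\Q$group_attr\E=//;
    $name =~ s/^,+//;
    $last->($name);                 # modifies $name through the @_ alias
    return $name;
}

# Split a DN on commas that are not backslash-escaped (simplified RFC 4514).
sub split_dn { my ($dn) = @_; return $dn =~ /((?:[^\\,]|\\.)+)/g }

# DN-aware variant: the member must sit under the group base and its first
# RDN must use the group attribute; the sub ou is kept as the container.
sub inner_group {
    my ($member) = @_;
    my @rdns = split_dn($member);
    my @base = split_dn($group_base);
    return if @rdns <= @base;
    my @tail = splice(@rdns, -scalar(@base));
    return unless lc(join ',', @tail) eq lc(join ',', @base);
    my ($attr, $value) = split /=/, shift(@rdns), 2;
    return unless defined $value && lc($attr) eq lc($group_attr);
    $value =~ s/\\(.)/$1/g;         # unescape \, and similar
    return { name => $value, container => join(',', @rdns) };
}

for my $member (
    'cn=groupB,ou=subou,ou=groups,dc=domain,dc=local',
    'cn=groupB,ou=other,ou=groups,dc=domain,dc=local',  # same cn, other sub ou
    'cn=Ops\, EU,ou=groups,dc=domain,dc=local',         # escaped comma in cn
) {
    my $orig    = strip_name($member, sub { $_[0] =~ s/,+$// });
    my $patched = strip_name($member, sub { $_[0] =~ s/,.*$// });
    my $g       = inner_group($member);
    printf "%s\n  original: %s\n  patched:  %s\n  DN-aware: name=%s container=%s\n",
        $member, $orig, $patched, $g->{name}, $g->{container} || '(none)';
}
```

The first two samples show the patched substitution returning the same name for groups in different sub ous, while the DN-aware variant keeps the container that distinguishes them.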
 

QuestionForm

Subject Using an extension
Extension LdapContrib
Version Foswiki 1.0.7
Status Asked
Related Topics
Topic revision: r3 - 02 Nov 2011, JayenAshar - This page was cached on 22 Jun 2018 - 11:51.