 |
|
You are here: Foswiki>Support Web>SupportQuestions>Question343 (02 Nov 2011, JayenAshar)Edit Attach
This question about Using an extension: Asked
LdapContrib nested groups with memberIndirection enabled don't work for groups in a sub ou
When attempting to parse my organization's LDAP for group membership information, nested groups do not get parsed properly if the group is in a sub ou. Here is an example where groupA contains two groups, groupB and groupC, that are located in a sub ou. LdapContrib - called getGroup(groupA), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupA)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 1 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupB,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupB,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupC,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupC,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341 If getGroup could have been called on just the group name and not the group name plus the sub ou, it would have worked. Is this a problem with my LDAP server not returning a result for the filter or an issue with LdapContrib? Here are the relevant settings from my LocalSite.cfg: $Foswiki::cfg{Ldap}{Host} = 'ldap.domain.local';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'dc=domain,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = '';
$Foswiki::cfg{Ldap}{BindPassword} = 'secret';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{UserBase} = 'ou=people,dc=domain,dc=local';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{GroupBase} = 'ou=groups,dc=domain,dc=local';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 0;
$Foswiki::cfg{Ldap}{PageSize} = 0;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';
I patched my LDAPContrib.pm with this to make it work:
@@ -2210,9 +2211,9 @@
if (!$this->{preCache} && $member =~ /$this->{groupBase}/i) {
my $innerGroupName = $member;
$innerGroupName =~ s/$this->{groupBase}//o;
$innerGroupName =~ s/$this->{groupAttribute}=//o;
$innerGroupName =~ s/^,+//o;
- $innerGroupName =~ s/,+$//o;
+ $innerGroupName =~ s/,.*$//o;
# Smell: this may not be reliable and may work only with membersind
irection. TO CHECK
if ($innerGroupName ne "" && $this->isGroup($innerGroupName, $data)
) {
-- JayenAshar - 02 Nov 2011
QuestionForm edit
| Subject | Using an extension |
| Extension | LdapContrib |
| Version | Foswiki 1.0.7 |
| Status | Asked |
| Related Topics |
Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | View wiki text | Edit wiki text | More topic actions
Topic revision: r3 - 02 Nov 2011, JayenAshar
The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. 
Legal Imprint Privacy Policy
Legal Imprint Privacy Policy