This question about Using an extension: Asked

LdapContrib nested groups with memberIndirection enabled don't work for groups in a sub ou

When attempting to parse my organization's LDAP for group membership information, nested groups do not get parsed properly if the group is in a sub ou. Here is an example where groupA contains two groups, groupB and groupC, that are located in a sub ou.

LdapContrib - called getGroup(groupA), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupA)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - found 1 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - called getGroup(groupB,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupB,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - called getGroup(groupC,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupC,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341

If getGroup could have been called on just the group name and not the group name plus the sub ou, it would have worked. Is this a problem with my LDAP server not returning a result for the filter or an issue with LdapContrib? Here are the relevant settings from my LocalSite.cfg:

$Foswiki::cfg{Ldap}{Host} = 'ldap.domain.local';

$Foswiki::cfg{Ldap}{Port} = 389;

$Foswiki::cfg{Ldap}{Version} = '3';

$Foswiki::cfg{Ldap}{Base} = 'dc=domain,dc=local';

$Foswiki::cfg{Ldap}{BindDN} = '';

$Foswiki::cfg{Ldap}{BindPassword} = 'secret';

$Foswiki::cfg{Ldap}{UseSASL} = 0;

$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';

$Foswiki::cfg{Ldap}{UseTLS} = 0;

$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';

$Foswiki::cfg{Ldap}{TLSVerify} = 'require';

$Foswiki::cfg{Ldap}{TLSCAPath} = '';

$Foswiki::cfg{Ldap}{TLSCAFile} = '';

$Foswiki::cfg{Ldap}{TLSClientCert} = '';

$Foswiki::cfg{Ldap}{TLSClientKey} = '';

$Foswiki::cfg{Ldap}{Debug} = 1;

$Foswiki::cfg{Ldap}{UserBase} = 'ou=people,dc=domain,dc=local';

$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';

$Foswiki::cfg{Ldap}{UserScope} = 'sub';

$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';

$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'cn';

$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;

$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;

$Foswiki::cfg{Ldap}{WikiNameAliases} = '';

$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;

$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';

$Foswiki::cfg{Ldap}{GroupBase} = 'ou=groups,dc=domain,dc=local';

$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';

$Foswiki::cfg{Ldap}{GroupScope} = 'sub';

$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';

$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';

$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';

$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';

$Foswiki::cfg{Ldap}{MemberIndirection} = 1;

$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;

$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;

$Foswiki::cfg{Ldap}{MapGroups} = 1;

$Foswiki::cfg{Ldap}{RewriteGroups} = {};

$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};

$Foswiki::cfg{Ldap}{MergeGroups} = 0;

$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;

$Foswiki::cfg{Ldap}{Precache} = 0;

$Foswiki::cfg{Ldap}{PageSize} = 0;

$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';

I patched my LDAPContrib.pm with this to make it work:
@@ -2210,9 +2211,9 @@
           if (!$this->{preCache} && $member =~ /$this->{groupBase}/i) {
             my $innerGroupName = $member;
             $innerGroupName =~ s/$this->{groupBase}//o;
             $innerGroupName =~ s/$this->{groupAttribute}=//o;
             $innerGroupName =~ s/^,+//o;
-            $innerGroupName =~ s/,+$//o;
+            $innerGroupName =~ s/,.*$//o;
 
             # Smell: this may not be reliable and may work only with membersind
irection. TO CHECK
             if ($innerGroupName ne "" && $this->isGroup($innerGroupName, $data)
) {
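Review bot: The new substitution `s/,.*$//o` keeps only the text before the first comma, so `groupB,ou=subou` becomes `groupB` and the sub-OU is discarded; if two groups under groupBase share a cn in different sub-OUs, the inner-group lookup by name can no longer tell them apart, and nested membership (and any access rule built on it) may resolve to the wrong group. The same substitution also truncates a cn whose value contains an escaped comma. Consider taking the first RDN's value from a DN parser such as Net::LDAP::Util's ldap_explode_dn, or resolving the inner group by its full DN, instead of trimming the string. Separately, the context lines interpolate `$this->{groupBase}` into the regexes unquoted and unanchored (`$member =~ /$this->{groupBase}/i`); quoting it with `\Q...\E` and anchoring the match at the end of the DN would stop DN characters being read as regex metacharacters and stop the base from matching in the middle of an unrelated DN.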

-- JayenAshar - 02 Nov 2011
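
One DN-aware way to derive the inner group name, as an added example that is not part of the original post and is not LdapContrib's own code: it parses the member DN with Net::LDAP::Util instead of trimming it with regexes, and escapes the name before it goes into the search filter. The member DNs are constructed from the log above, and `inner_group_name` and `group_filter` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example, not LdapContrib code. The DNs are constructed from the
# page's log; inner_group_name() and group_filter() are hypothetical helpers.
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_explode_dn escape_filter_value);

my $group_base = 'ou=groups,dc=domain,dc=local';    # {Ldap}{GroupBase}
my $group_attr = 'cn';                              # {Ldap}{GroupAttribute}

# Return the group's name if $member_dn lies below $base and its first RDN
# uses $attr; otherwise undef. The comparison is done RDN by RDN, not by regex.
sub inner_group_name {
    my ($member_dn, $base, $attr) = @_;
    my $dn = ldap_explode_dn($member_dn, casefold => 'lower') or return;
    my $bs = ldap_explode_dn($base,      casefold => 'lower') or return;
    return if @$dn <= @$bs;

    # The trailing RDNs of the member DN must equal the base DN.
    my @tail = @{$dn}[ @$dn - @$bs .. $#$dn ];
    for my $i (0 .. $#$bs) {
        my ($have, $want) = ($tail[$i], $bs->[$i]);
        return if join(',', sort keys %$have) ne join(',', sort keys %$want);
        for my $type (keys %$want) {
            return if lc $have->{$type} ne lc $want->{$type};
        }
    }
    return $dn->[0]{ lc $attr };    # undef when the first RDN is not cn=...
}

# Build the group search filter with the name escaped for use in a filter.
sub group_filter {
    my ($name) = @_;
    return sprintf '(&(objectClass=posixGroup)(%s=%s))',
        $group_attr, escape_filter_value($name);
}

for my $member (
    'cn=groupB,ou=subou,ou=groups,dc=domain,dc=local',
    'cn=groupC,ou=subou,ou=groups,dc=domain,dc=local',
    'uid=jdoe,ou=people,dc=domain,dc=local',    # a user, not below groupBase
) {
    my $name = inner_group_name($member, $group_base, $group_attr);
    printf "%s => %s\n", $member,
        defined $name ? group_filter($name) : 'not an inner group';
}
```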
 

QuestionForm

Subject Using an extension
Extension LdapContrib
Version Foswiki 1.0.7
Status Asked
Related Topics
Topic revision: r3 - 02 Nov 2011, JayenAshar - This page was cached on 09 Jan 2018 - 12:11.
