This question about LDAP: Asked

Group members don't show correctly

Hello

I'm having issues with group members. I'm currently using:

- Foswiki 1.1.3

- authenticating from 389-ds (a replica of the AD LDAP)

- LdapContrib

On the groups page I can see all the LDAP groups, but I cannot see the members. Some groups show some users, but not all of them. This is my config:

$Foswiki::cfg{Ldap}{GroupBase} = 'ou=users,ou=city,ou=corporate,dc=corporate,dc=es';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=ntGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'uniqueMember';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = '';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 0;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 1;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';

I can see this on the apache/error.log:

[error] [client x.x.x.x] - LdapContrib - following indirection for uid=username,OU=Explotacion,OU=Users,OU=city,ou=corporate, dc=corporate, dc=es

[error] [client x.x.x.x] - LdapContrib - WARNING: oops, uid=username,OU=Explotacion,OU=Users,OU=city,ou=corporate, dc=corporate, dc=es not found, but member of groupname


The user that appears in the message is not present in any group on the wiki group pages, but the user does exist in the LDAP tree, in the correct location.

If I uncheck {Ldap}{MemberIndirection} I can see the users in the group admin web, but they are shown like this:

uid=username, OU=Explotacion, OU=Users, OU=city, ou=corporate, dc=corporate, dc=es

More users appear, not all of them, but many.

I think the errors may come from this part:

    # assert group members to data store
    foreach my $groupName (keys %{$this->{_groups}}) {
      my %members = ();
      foreach my $member (keys %{$this->{_groups}{$groupName}}) {
        # groups may store DNs to members instead of a memberUid, in this case we
        # have to lookup the corresponding loginAttribute
        if ($this->{memberIndirection}) {
          writeDebug("following indirection for $member");
          my $memberName = $data->{"DN2U::$member"};
          if ($memberName) {
            $members{$memberName} = 1;
          } else {
            writeWarning("oops, $member not found, but member of $groupName");
          }
        } else {
          $members{$member} = 1;
        }
      }
      $data->{"GROUPS::$groupName"} = join(',', sort keys %members);
      undef $this->{_groups}{$groupName};
    }
    undef $this->{_groups};

    # remember list of all groups
    $data->{GROUPS} = join(',', sort keys %groupNames);

    #writeDebug("got $nrRecords keys in cache");

    return 1;
  }

--

I don't see any users on the groups page, unless they have logged in since the cache was last cleared. Not sure what the correct behaviour is supposed to be, though.

-- JayenAshar - 18 Dec 2011

The cache was cleared every time I made a change to the LdapContrib preferences.

When $Foswiki::cfg{Ldap}{InnerGroupAttribute} = '' is set to 1, the groups appear correctly but the users do not. When it is set to 0, I get the content of the "uniqueMember" field, like this:

uuid=username,OU=blabla,OU=users,OU=organization,ou=empresa,ou=com

and all the users appear correctly in their groups.....

-- AlbertoFrontera - 19 Dec 2011

I have {Ldap}{InnerGroupAttribute} set to 'member'. It is probably the same as {Ldap}{MemberAttribute}.

-- JayenAshar - 19 Dec 2011

I set $Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'uniqueMember' '';

Nothing changes :'(

-- AlbertoFrontera - 20 Dec 2011

Here is my setup:
$Foswiki::cfg{UserMappingManager} = 'Foswiki::Users::LdapUserMapping';
$Foswiki::cfg{PasswordManager} = 'Foswiki::Users::LdapPasswdUser';
$Foswiki::cfg{Ldap}{Host} = 'ad.unsw.edu.au';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'DC=ad,DC=unsw,DC=edu,DC=au';
$Foswiki::cfg{Ldap}{BindDN} = 'binddn@AD.UNSW.EDU.AU';
$Foswiki::cfg{Ldap}{BindPassword} = 'bindpassword';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 1;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '/etc/ssl/certs/';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 0;
$Foswiki::cfg{Ldap}{UserBase} = 'OU=IDM_People,OU=IDM,DC=ad,DC=unsw,DC=edu,DC=au';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=person';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'cn';
$Foswiki::cfg{Ldap}{MailAttribute} = 'mail';
$Foswiki::cfg{Ldap}{WikiNameAttributes} = 'displayName,cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 1;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'Foswiki::Users::HtPasswdUser';
$Foswiki::cfg{Ldap}{GroupBase} = 'DC=ad,DC=unsw,DC=edu,DC=au';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'memberOf';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = '86400';
$Foswiki::cfg{Ldap}{Precache} = 0;
$Foswiki::cfg{Ldap}{PageSize} = 500;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup, AdminUser, admin, guest';
Also, see Tasks.Item11230 to see if you need the same patch I did.

-- JayenAshar - 20 Dec 2011

Gotcha!

Taking this uniqueMember present in a group:

uniqueMember: uid=afrontera,OU=Siscomseg,OU=Users,OU=City,ou=Corporate, dc=Corporate, dc=es.

Note that there is a space before "dc" in the last two values. This causes the problem. That explains why, when I disable MemberIndirection, all the users appear in their groups, and when I enable it, I only get the users without these spaces.

I don't know whether these spaces are normal or not. We removed some for testing and it works correctly.

Maybe a patch is needed here? :)

-- AlbertoFrontera - 22 Dec 2011

Looking at http://tools.ietf.org/html/rfc2253#section-4 I would say that the space " " is valid between the comma "," and the name component "dc". Maybe open a task?

-- JayenAshar - 22 Dec 2011
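The cause identified in the two posts above is a lookup keyed on the raw DN string: the cache stores "DN2U::<dn>" under the DN exactly as the user entry returned it, while the group's uniqueMember value spells the same DN with spaces after the commas (and, in the other configuration shown in this thread, different case in OU=/ou=). RFC 2253 / RFC 4514 permit both spellings, so the comparison has to be done on a normalized form. The following is an added example, not LdapContrib code and not the patch from Tasks/Item11391: it is a stand-alone Python illustration of normalizing DNs before using them as index keys, with a membership-resolution loop modelled on the Perl fragment quoted earlier in this question. The user and group data are constructed for the example, patterned on the DNs quoted in the thread. The normalizer lowercases attribute values on the assumption that the directory uses case-insensitive DN matching (as AD and 389-ds do); keep the values' case if your schema uses case-exact matching.

```python
import re
from typing import Dict, List, Optional, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s at every sep that is not part of a backslash escape (RFC 4514 section 3)."""
    out, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i : i + 2])      # keep the escape pair intact, e.g. "\," stays inside the value
            i += 2
            continue
        if s[i] == sep:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    out.append("".join(buf))
    return out


def _trim_value(value: str) -> str:
    """Drop unescaped surrounding whitespace; an escaped trailing space ("\\ ") is significant and kept."""
    value = value.lstrip()
    return re.sub(r"(?<!\\)\s+$", "", value)


def normalize_dn(dn: str) -> str:
    """Canonical string form: no whitespace around ',', '+' or '=', lowercase attribute types,
    lowercase values (assumption: caseIgnore DN matching, as in AD / 389-ds),
    multi-valued RDN components in sorted order."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            if "=" not in ava:
                raise ValueError(f"malformed RDN component: {ava!r}")
            attr, value = ava.split("=", 1)   # attribute types never contain '='
            avas.append(f"{attr.strip().lower()}={_trim_value(value).lower()}")
        rdns.append("+".join(sorted(avas)))
    return ",".join(rdns)


class DnIndex:
    """DN -> login-name index, the role DN2U::<dn> plays in the cache, keyed on normalized DNs."""

    def __init__(self) -> None:
        self._map: Dict[str, str] = {}

    def add(self, dn: str, login: str) -> None:
        self._map[normalize_dn(dn)] = login

    def lookup(self, dn: str) -> Optional[str]:
        return self._map.get(normalize_dn(dn))


def resolve_group_members(groups: Dict[str, List[str]], index: DnIndex) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Map each group's member DNs to login names (the MemberIndirection case).
    Unresolvable DNs are returned separately instead of being dropped with only a warning."""
    resolved: Dict[str, str] = {}
    missing: Dict[str, List[str]] = {}
    for group, member_dns in groups.items():
        names = set()
        for dn in member_dns:
            login = index.lookup(dn)
            if login:
                names.add(login)
            else:
                missing.setdefault(group, []).append(dn)
        resolved[group] = ",".join(sorted(names))   # same "a,b,c" layout as GROUPS::<name>
    return resolved, missing


# Constructed sample data (hypothetical users and group, patterned on the DNs quoted in the thread).
USERS = {
    "uid=afrontera,ou=Siscomseg,ou=Users,ou=City,ou=Corporate,dc=Corporate,dc=es": "afrontera",
    "uid=jdoe,ou=Explotacion,ou=Users,ou=City,ou=Corporate,dc=Corporate,dc=es": "jdoe",
}
GROUPS = {
    "wikiadmins": [
        "uid=afrontera,OU=Siscomseg,OU=Users,OU=City,ou=Corporate, dc=Corporate, dc=es",  # spaces after commas
        "uid=jdoe,OU=Explotacion,OU=Users,OU=City,ou=Corporate,dc=Corporate,dc=es",       # case differs from the index
        "uid=ghost,OU=Users,OU=City,ou=Corporate,dc=Corporate,dc=es",                     # no such user entry
    ],
}


def demo() -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    index = DnIndex()
    for dn, login in USERS.items():
        index.add(dn, login)
    return resolve_group_members(GROUPS, index)


if __name__ == "__main__":
    print(demo())
```

Both sides of the lookup go through normalize_dn, which is the point: fixing only the group side still breaks whenever the user entry's DN is the one with the unusual spelling. The "missing" dictionary is worth surfacing in whatever your equivalent of writeWarning is, since a DN that resolves to nothing means a member silently loses access, which is the kind of failure that gets noticed late.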

What is the next step? Must the task be opened by me? Where?

-- AlbertoFrontera - 27 Dec 2011

There are many options as to your next step. You could try patching it yourself. (I think around line 2215 of LdapContrib.pm is about the right place.) Or you could report a bug at CreateNewTask . If you choose to patch it yourself, please open a task with your fix, so that other people don't trip over the same issue.

-- JayenAshar - 28 Dec 2011

Roger that.

New task created http://foswiki.org/Tasks/Item11391

-- AlbertoFrontera - 28 Dec 2011

Side question for JayenAshar... I noticed you had TLS enabled on your LDAP setup above and was wondering if you had any online references or documentation as to how you set it up? I had asked Support.Question947 and was still trying to track down some more info on getting that configured.

Many thanks if you happened to have any info on this.

-- JohnV - 28 Dec 2011

The documentation I used when setting up Foswiki for LDAP was the info texts in configure; the Net::LDAP http://search.cpan.org/~gbarr/perl-ldap-0.43/lib/Net/LDAP.pod pod; the ldapsearch man page (http://www.openldap.org/software/man.cgi?query=ldapsearch); and the http://trac.foswiki.org/browser/trunk/LdapContrib/lib/Foswiki/Contrib/LdapContrib.pm LDAPContrib.pm and http://cpansearch.perl.org/src/GBARR/perl-ldap-0.43/lib/Net/LDAP.pm Net::LDAP source code.

-- JayenAshar - 29 Dec 2011


QuestionForm

Subject LDAP
Extension LdapContrib
Version Foswiki 1.1.3
Status Asked
Related Topics
Topic revision: r13 - 29 Dec 2011, JayenAshar