1 Reply Latest reply: Feb 14, 2013 1:56 PM by 978453

    LDAPAuthenticator Static Groups

    978453
      I set up a custom LDAPAuthenticator that successfully reads users and groups from our internal LDAP server. The problem I'm running into is setting up group membership; I checked with our admins and I believe static is what I want. The following is a sample of our LDAP schema that defines a group and its members:

      dn: cn=group1,ou=group,<BASEDN>
      cn: group1
      gid: 1000
      memberUid: user1
      memberUid: user2
      memberUid: user3
      objectClass: top
      objectClass: posixGroup

      So I set up the static group settings in my custom authenticator as follows:

      Static Group Attribute: cn
      Static Group Class: posixGroup
      Static Member DN Attribute: memberUid
      Static Group DNs from Member DN: (&(memberUid=%u)(objectClass=posixGroup))

      Using this, none of my LDAP users get marked as members of the groups they're in. I'm a little worried that the documentation for the "Static Member DN Attribute" says that it should be an attribute that specifies the DN of the group members, but according to our schema we only list the uid of the group members. I tried to account for this in the filter by using %u instead of the default %M, but I'm not having any luck.
        • 1. Re: LDAPAuthenticator Static Groups
          978453
          For anyone who stumbles across this, I did figure out the problem. The answer is that, indeed, whatever attribute you specify that contains members, it must specify full DNs of the members.

          For example, this is how our LDAP looked when it did not work:

          dn: cn=group1,ou=group,<BASEDN>
          cn: group1
          gid: 1000
          memberUid: user1
          memberUid: user2
          memberUid: user3
          objectClass: top
          objectClass: posixGroup

          To solve the problem, the memberUid parameter needed to use full DNs:

          dn: cn=group1,ou=group,<BASEDN>
          cn: group1
          gid: 1000
          memberUid: user1,ou=people,...
          memberUid: user2,ou=people,...
          memberUid: user3,ou=people,...
          objectClass: top
          objectClass: posixGroup
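The lookup that the question and the reply are describing, modelled in Python as an added example (this is not code from the thread or from the LDAPAuthenticator itself). It assumes, as the reply's finding implies, that the authenticator substitutes the member's full DN for the %M token in the "Static Group DNs from Member DN" filter and then evaluates that filter against the group entries. The two LDIF samples are constructed from the thread's entries; the fixed version assumes people entries are named by uid under ou=people (the thread only shows "..."), and a second group is added to show the filter picks out only the groups a member actually belongs to. The DN check at the end is the test a practitioner would run against the directory before blaming the filter.

```python
import re

# Constructed LDIF modelled on the thread's entries; <BASEDN> is kept as the
# same placeholder the thread uses. Member values are bare uids here.
BROKEN_LDIF = """\
dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: user1
memberUid: user2
memberUid: user3
objectClass: top
objectClass: posixGroup
"""

# Constructed fix: member values are full DNs (assumption: people entries are
# uid=<name>,ou=people,<BASEDN>). group2 is added to show selective matching.
FIXED_LDIF = """\
dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: uid=user1,ou=people,<BASEDN>
memberUid: uid=user2,ou=people,<BASEDN>
memberUid: uid=user3,ou=people,<BASEDN>
objectClass: top
objectClass: posixGroup

dn: cn=group2,ou=group,<BASEDN>
cn: group2
gid: 1001
memberUid: uid=user2,ou=people,<BASEDN>
objectClass: top
objectClass: posixGroup
"""

# The thread's filter with %M (assumed here to be replaced by the member DN).
STATIC_GROUP_FILTER = "(&(memberUid=%M)(objectClass=posixGroup))"


def parse_ldif(text):
    """Split LDIF text into entries: dict of lowercased attribute -> [values]."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_filter(text):
    """Parse the subset of RFC 4515 filters used here: (&...) and (attr=value)."""
    def parse_at(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] == "&":            # AND of the enclosed sub-filters
            i, children = i + 1, []
            while text[i] == "(":
                child, i = parse_at(i)
                children.append(child)
            return ("&", children), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")   # split at first '=' only,
        return ("=", attr.strip().lower(), value.strip()), end + 1  # DNs contain '='
    return parse_at(0)[0]


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] == "&":
        return all(matches(child, entry) for child in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def groups_for_member(member_dn, ldif_text, filter_template=STATIC_GROUP_FILTER):
    """DNs of the groups the filter selects once %M is replaced by the member DN."""
    flt = parse_filter(filter_template.replace("%M", member_dn))
    return [e["dn"][0] for e in parse_ldif(ldif_text) if matches(flt, e)]


def member_values_are_dns(ldif_text, member_attr="memberUid"):
    """True if every value of the member attribute starts with an attr=value RDN."""
    rdn = re.compile(r"^[A-Za-z][\w-]*=.+")
    values = [v for e in parse_ldif(ldif_text) for v in e.get(member_attr.lower(), [])]
    return bool(values) and all(rdn.match(v) for v in values)


if __name__ == "__main__":
    user1 = "uid=user1,ou=people,<BASEDN>"
    print("broken schema:", groups_for_member(user1, BROKEN_LDIF))
    print("fixed schema: ", groups_for_member(user1, FIXED_LDIF))
    print("member attribute holds DNs:", member_values_are_dns(BROKEN_LDIF), member_values_are_dns(FIXED_LDIF))
```

With the bare-uid schema the substituted filter compares "uid=user1,ou=people,<BASEDN>" against "user1", so no group matches, which is exactly the symptom in the question; once memberUid holds DNs the same filter returns group1 for user1 and both groups for user2. Running member_values_are_dns against an export of the group subtree tells you up front whether the member attribute can work with a DN-based filter at all.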