4 Replies. Latest reply: May 30, 2013 11:58 PM by 1011269

SGD 5.0 and Nested LDAP queries against subgroups

1011269 Newbie
Hi All --

Banging my head against a wall on this one.

SGD 5.0

Querying AD via LDAP method [not via AD method]

Say I permission an Application to this group:

"SGDTest,OU=SGD,DC=blah,DC=com"

If I have an AD user in that group, the user gets the App correctly.

However, if I place a group that the user is in into that SGDTest group, the user does not get the app.

I have increased the LDAP nested group depth via:

./tarantella config edit --tarantella-config-ldap-nested-group-depth 20


An ldapsearch query shows the correct user and groupings; queried against

(&(memberOf=CN=SGDTest,OU=SGD,DC=blah,DC=com))

brings back

dn: CN=Sec Group,OU=Security Groups,DC=blah,DC=com
objectClass: top
objectClass: group
cn: Sec Group
member: CN=Username,OU=IT,OU=London,DC=blah,DC=com



If I log in as "Username" I see this in the logs:

The LDAP Webtop generator did not match the following apps
user: CN=Username1,OU=IT,DC=blah,DC=com
o=applications/cn=xclock-ldaptest


As mentioned if I place Username1 directly into the SGDTest group, it works.

Am I doing something stupid here? I feel that increasing the nested search depth from 0 should be all I need?

Possibly it's the group membership attributes or short attributes, but I can't see how I can change them for the better?

Cheers for your help all.

Jack.
  • 1. Re: SGD 5.0 and Nested LDAP queries against subgroups
    DeanyDean Newbie
    Hi Jack,

    You need to set the ldapgroups setting on the app object instead of the ldapsearch setting. Set this to the DN of your LDAP group and your assignment should work. If you have a group inside a group then setting the nested group depth to 1 should be adequate for this to work.

    Hope this helps,

    Matt

    Edited by: DeanyDean on 28-May-2013 07:23
  • 2. Re: SGD 5.0 and Nested LDAP queries against subgroups
    1011269 Newbie
    Hi Matt --

    Appreciate your reply.

    Sorry I think I wasn't being clear.

    I have set the LDAP search on the App Object.

    And it is indeed a group within a group.

    So my user "Username1"

    CN=Username,OU=IT,OU=London,DC=blah,DC=com

    is a member of "Sec Group"

    CN=Sec Group,OU=Security Groups,DC=blah,DC=com

    which is a member of

    CN=SGDTest,OU=SGD,DC=blah,DC=com


    So you're right, I think increasing the nested group depth should be enough. However, it doesn't work!

    If I place Username1 into the SGDTest group, it works. If I remove the user and place his group in SGDTest, it doesn't work.

    Here are my app object attributes [truncated]:


    /opt/tarantella/bin/tarantella object list_attributes --name "o=applications/cn=xclock-ldaptest"

    Attributes for .../_ens/o=applications/cn=xclock-ldaptest:
    Name: xclock-ldaptest
    [....]
    app: /usr/bin/xclock
    appserv: "o=appservers/cn=Tarantella server server1"
    args: "-bw 1 -geometry 198x198+0+0"
    [....]
    ldapsearch: "(&(memberOf=CN=SGDTest,OU=SGD,DC=blah,DC=com))"
    loadbal: default
    login: unix.exp

    [....]


    Thanks again!

    Cheers,
  • 3. Re: SGD 5.0 and Nested LDAP queries against subgroups
    DeanyDean Newbie
    Setting an ldapsearch query to an app object will not evaluate nested groups. If you want to do nested group assignments, you have to assign the application to the LDAP group object explicitly. This can be done from the command line by setting the --ldapgroups parameter on the application object. You can also do this from the SGD Admin Console by browsing your LDAP directory and assigning the LDAP group object to your application. For more details, have a look at the SGD admin guide:

    http://docs.oracle.com/cd/E37459_01/E37463/html/apps-publishing.html#assign-apps-ldap-groups

    Hope this helps,

    Matt

    Edited by: DeanyDean on 28-May-2013 08:45
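An added illustration of the behaviour Matt describes above; this is not SGD code and not from either poster. An app-object `ldapsearch` such as `(&(memberOf=CN=SGDTest,...))` is a single-level attribute comparison against the user's own entry, so it only matches users who are direct members of SGDTest. Assigning the application to the group object instead lets the group's `member` links be followed down to the configured nesting depth. The directory below is constructed by hand from the DNs quoted in the thread, and the depth-capped recursive walk over `member` is an assumed model of nested-group resolution, not SGD's actual implementation.

```python
"""Constructed model: flat memberOf filter versus nested group resolution.

The in-memory DIRECTORY is a hand-built stand-in for the AD layout in the
thread; no live LDAP server is contacted. Added example, not SGD code.
"""
from __future__ import annotations

import copy

SGD_GROUP_DN = "CN=SGDTest,OU=SGD,DC=blah,DC=com"
SEC_GROUP_DN = "CN=Sec Group,OU=Security Groups,DC=blah,DC=com"
USER_DN = "CN=Username,OU=IT,OU=London,DC=blah,DC=com"

# DN -> attributes. Groups carry the forward link 'member'; AD maintains
# 'memberOf' on the member as the corresponding back-link.
DIRECTORY = {
    SGD_GROUP_DN: {
        "objectClass": ["top", "group"],
        "member": [SEC_GROUP_DN],
    },
    SEC_GROUP_DN: {
        "objectClass": ["top", "group"],
        "member": [USER_DN],
        "memberOf": [SGD_GROUP_DN],
    },
    USER_DN: {
        "objectClass": ["top", "person", "user"],
        "memberOf": [SEC_GROUP_DN],
    },
}


def is_group(entry: dict) -> bool:
    return "group" in entry.get("objectClass", [])


def flat_memberof_match(directory: dict, user_dn: str, group_dn: str) -> bool:
    """What a filter like (&(memberOf=<group>)) evaluates for one user: an
    attribute comparison on that user's entry only. Nested membership is
    invisible here because memberOf on the user names only Sec Group."""
    return group_dn in directory[user_dn].get("memberOf", [])


def nested_members(directory: dict, group_dn: str, max_depth: int) -> set:
    """Assumed model of nested-group resolution: follow 'member' links down
    from group_dn, descending into at most max_depth nested groups, and
    return the user DNs reached. Depth 0 means direct members only.
    Visited groups are tracked so a cyclic nesting cannot loop forever."""
    users: set = set()
    seen: set = set()

    def walk(dn: str, depth: int) -> None:
        if dn in seen:
            return
        seen.add(dn)
        for member_dn in directory.get(dn, {}).get("member", []):
            entry = directory.get(member_dn)
            if entry is None:
                continue  # dangling link, skip rather than fail
            if is_group(entry):
                if depth < max_depth:
                    walk(member_dn, depth + 1)
            else:
                users.add(member_dn)

    walk(group_dn, 0)
    return users


def group_assignment_match(directory: dict, user_dn: str, group_dn: str,
                           nested_depth: int) -> bool:
    """What assigning the app to the group object can do: decide membership
    by resolving the group transitively up to nested_depth."""
    return user_dn in nested_members(directory, group_dn, nested_depth)


def add_member(directory: dict, group_dn: str, member_dn: str) -> dict:
    """Return a copy of the directory with member_dn placed in group_dn,
    maintaining both the forward 'member' and the 'memberOf' back-link.
    Used to model the 'put the user directly in SGDTest' workaround."""
    d = copy.deepcopy(directory)
    d[group_dn].setdefault("member", []).append(member_dn)
    d[member_dn].setdefault("memberOf", []).append(group_dn)
    return d


if __name__ == "__main__":
    print("flat memberOf filter matches user:",
          flat_memberof_match(DIRECTORY, USER_DN, SGD_GROUP_DN))
    for depth in (0, 1, 20):
        print(f"group assignment, nested depth {depth}:",
              group_assignment_match(DIRECTORY, USER_DN, SGD_GROUP_DN, depth))
    direct = add_member(DIRECTORY, SGD_GROUP_DN, USER_DN)
    print("flat filter after adding user directly:",
          flat_memberof_match(direct, USER_DN, SGD_GROUP_DN))
```

Running it reproduces the thread: the flat filter is False for the nested user no matter what depth is configured, the group-based resolution is False at depth 0 and True from depth 1 upward (one level of nesting, as Matt says), and adding the user directly to SGDTest makes the flat filter True. The `seen` set matters in practice: AD permits groups to be nested in each other cyclically, and a transitive walk without it would recurse until the depth cap, or forever if there is none.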
  • 4. Re: SGD 5.0 and Nested LDAP queries against subgroups
    1011269 Newbie
    Hi Matt --

    Really appreciate your help. Worked a treat!

    Would mark as SOLVED if I could.

    It's a completely different way of thinking about how to assign groups from what we currently use. However, I have no doubt it's the correct way!

    For the record, it's frustrating that our LDAP queries don't work, as they are valid and the preview does give the correct users, but nonetheless this is a better solution, so thanks for that.

    Cheers,
