Hi All --
Banging my head against a wall on this one.
Querying AD via LDAP method [not via AD method]
Say I permission an Application to this group;
If I have an AD user in that group, the user gets the App correctly.
However, if I place a group that the user is in into that SGDTest group, the user does not get the app.
I have increased ldap nested group depth via;
./tarantella config edit --tarantella-config-ldap-nested-group-depth 20
an ldapsearch query shows the correct user and groupings, queried against;
dn: CN=Sec Group,OU=Security Groups,DC=blah,DC=com
cn: Sec Group
If I log in as "Username" I see this in the logs;
The LDAP Webtop generator did not match the following apps
As mentioned if I place Username1 directly into the SGDTest group, it works.
Am I doing something stupid here? I feel increasing nested search depth from 0 should be all I need?
Possibly it's the group membership attributes or short attributes, but I can't see how I can change them for the better?
Cheers for your help all.
You need to set the ldapgroups setting on the app object instead of the ldapsearch setting. Set this to the DN of your LDAP group and your assignment should work. If you have a group inside a group then setting the nested group depth to 1 should be adequate for this to work.
Hope this helps,
Edited by: DeanyDean on 28-May-2013 07:23
Hi Matt --
Appreciate your reply.
Sorry I think I wasn't being clear.
I have set the LDAP search on the App Object.
And it is indeed a group within a group.
So My user "Username1"
is a member of "Sec Group"
CN=Sec Group,OU=Security Groups,DC=blah,DC=com
which is a member of
So you're right, I think increasing nested group depths should be enough. However, it doesn't work!
If I place Username1 into the SGDTest group, it works. If I remove the user and place his group in SGDTest, it doesn't work.
Here is my app object attributes [truncated]
/opt/tarantella/bin/tarantella object list_attributes --name "o=applications/cn=xclock-ldaptest"
Attributes for .../_ens/o=applications/cn=xclock-ldaptest:
appserv: "o=appservers/cn=Tarantella server server1"
args: "-bw 1 -geometry 198x198+0+0"
Setting an ldapsearch query to an app object will not evaluate nested groups. If you want to do nested group assignments, you have to assign the application to the LDAP group object explicitly. This can be done from the command line by setting the --ldapgroups parameter on the application object. You can also do this from the SGD Admin Console by browsing your LDAP directory and assigning the LDAP group object to your application. For more details, have a look at the SGD admin guide:
Hope this helps,
Edited by: DeanyDean on 28-May-2013 08:45
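As an added example (not code from the thread, and not part of SGD or Tarantella), a small Python model of the behaviour described above: a flat ldapsearch-style lookup returns only a group's direct members, while depth-limited nested resolution finds Username1 through Sec Group. The directory contents are constructed to mirror the DNs quoted in the thread; the depth parameter is an assumption modelled on --tarantella-config-ldap-nested-group-depth.

```python
"""Added example: flat group lookup versus depth-limited nested resolution.
The directory below is constructed to mirror the thread: Username1 is a
direct member of "Sec Group", which is itself a member of SGDTest."""

# Constructed toy directory keyed by DN. "member" holds direct members only,
# which is how a directory stores group membership.
DIRECTORY = {
    "CN=SGDTest,OU=Security Groups,DC=blah,DC=com": {
        "objectClass": "group",
        "member": ["CN=Sec Group,OU=Security Groups,DC=blah,DC=com"],
    },
    "CN=Sec Group,OU=Security Groups,DC=blah,DC=com": {
        "objectClass": "group",
        "member": ["CN=Username1,OU=Users,DC=blah,DC=com"],
    },
    "CN=Username1,OU=Users,DC=blah,DC=com": {"objectClass": "user", "member": []},
}


def direct_members(group_dn):
    """Models a flat search (e.g. a memberOf filter on one group DN):
    only entries listed directly in the group's 'member' attribute match."""
    return set(DIRECTORY.get(group_dn, {}).get("member", []))


def nested_members(group_dn, max_depth):
    """Expand group membership recursively, following at most max_depth
    group-in-group hops (max_depth=0 behaves like the flat search).
    Returns user DNs only. 'seen' guards against cyclic memberships."""
    users, seen = set(), set()

    def walk(dn, depth):
        for m in DIRECTORY.get(dn, {}).get("member", []):
            if m in seen:
                continue
            seen.add(m)
            if DIRECTORY.get(m, {}).get("objectClass") == "group":
                if depth < max_depth:
                    walk(m, depth + 1)
            else:
                users.add(m)

    walk(group_dn, 0)
    return users


SGDTEST = "CN=SGDTest,OU=Security Groups,DC=blah,DC=com"
USER1 = "CN=Username1,OU=Users,DC=blah,DC=com"

if __name__ == "__main__":
    print("flat:", USER1 in direct_members(SGDTEST))       # False
    print("depth 1:", USER1 in nested_members(SGDTEST, 1))  # True
```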
Hi Matt --
Really appreciate your help. Worked a treat!
Would mark as SOLVED if I could.
It's a completely different way of thinking about how to assign groups from what we currently use. However, I have no doubt it's the correct way!
For the record, it's frustrating that our LDAP queries don't work, as they are valid and preview does give the correct users, but nonetheless this is a better solution, so thanks for that.