This discussion is archived
1 Reply Latest reply: Feb 14, 2013 11:56 AM by 978453

LDAPAuthenticator Static Groups

978453 Newbie
I set up a custom LDAPAuthenticator that successfully reads users and groups from our internal LDAP server. The problem I'm running into is setting up group membership; I checked with our admins and I believe static is what I want. The following is a sample of our LDAP schema that defines a group and its members:

dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: user1
memberUid: user2
memberUid: user3
objectClass: top
objectClass: posixGroup

So I set up the static group settings in my custom authenticator as follows:

Static Group Attribute: cn
Static Group Class: posixGroup
Static Member DN Attribute: memberUid
Static Group DNs from Member DN: (&(memberUid=%u)(objectClass=posixGroup))

Using this, none of my LDAP users get marked as members of the groups they're in. I'm a little worried that the documentation for the "Static Member DN Attribute" says that it should be an attribute that specifies the DN of the group members, but according to our schema we only list the uid of the group members. I tried to account for this in the filter by using %u instead of the default %M, but I'm not having any luck.
  • 1. Re: LDAPAuthenticator Static Groups
    978453 Newbie
    For anyone who stumbles across this, I did figure out the problem. The answer is that, indeed, whatever attribute you specify that contains members, it must specify full DNs of the members.

    For example, this is how our LDAP looked when it did not work:

    dn: cn=group1,ou=group,<BASEDN>
    cn: group1
    gid: 1000
    memberUid: user1
    memberUid: user2
    memberUid: user3
    objectClass: top
    objectClass: posixGroup

    To solve the problem, the memberUid parameter needed to use full DNs:

    dn: cn=group1,ou=group,<BASEDN>
    cn: group1
    gid: 1000
    memberUid: user1,ou=people,...
    memberUid: user2,ou=people,...
    memberUid: user3,ou=people,...
    objectClass: top
    objectClass: posixGroup
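
An added example, not part of the original thread: a small offline audit that parses a group export and reports member values that are not DNs, the layout the reply above describes as producing no group membership. The `dc=example,dc=com` entries, the function names, and the rule that the lookup matches the user's full DN against the member attribute are assumptions made for illustration.

```python
import re

# Constructed sample (not from the thread): group1 lists bare uids, the layout
# the poster reports as failing; group2 lists a full member DN.
SAMPLE_LDIF = """\
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
memberUid: user1
memberUid: user2
objectClass: posixGroup

dn: cn=group2,ou=group,dc=example,dc=com
cn: group2
memberUid: uid=user1,ou=people,dc=example,dc=com
objectClass: posixGroup
"""

RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9.-]*\s*=.+$")  # attr=value

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attr -> values dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def rdns(value):
    return re.split(r"(?<!\\),", value)  # split on unescaped commas

def is_dn(value):
    return all(RDN.match(part) for part in rdns(value))

def normalize(dn):
    # Simplified comparison form: trimmed, lower-cased RDNs.
    return ",".join(part.strip().lower() for part in rdns(dn))

def non_dn_members(entries, member_attr="memberuid"):
    """Group DN -> member values that are not DNs (the failing layout)."""
    bad = {e["dn"][0]: [m for m in e.get(member_attr, []) if not is_dn(m)] for e in entries}
    return {dn: vals for dn, vals in bad.items() if vals}

def groups_for(user_dn, entries, member_attr="memberuid"):
    """Groups a lookup by member DN would return for user_dn (assumed matching rule)."""
    return [e["dn"][0] for e in entries
            if normalize(user_dn) in map(normalize, e.get(member_attr, []))]
```

Running `non_dn_members` over an export before enabling group-based role mappings shows which groups would resolve to no members, so users do not silently lose (or never receive) the roles those groups are meant to grant.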
