Josef Meile wrote:
I just found that the group mapping isn't working for our LDAP. I tried with the LDAPUserFolder 2.4beta2 and CookieCrumbler 1-1. I could authenticate myself against the LDAP, search some users, and I could also see the groups, but the group mapping (on the groups tab) didn't work.
This is what I have:
1) We have an extra attribute for the LDAP Schema:
   LDAP Attribute Name: ou
   Friendly Name: group
   Multi-valued: Yes
This attribute gives us a list of the groups to which a user belongs. The rest of the configuration for the LDAP is quite normal:
I'm not able to tell entirely from your verbal description, but are you saying that you've added an attribute to your users so that each user record contains the list of groups to which it belongs, and that attribute is 'ou'? This seems odd, not to mention confusing in that 'ou', an organizational unit, is typically structural and holds other entries; you certainly could have picked a better name for this. This alone isn't enough for LDAPUserFolder to map groups to (assuming that I understand LDAPUserFolder and your description properly). In fact, it will merely see this as an additional attribute for your user records.
Login Name Attribute: uid
RDN Attribute: uid
Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
Scope: SUBTREE
Group storage: Groups stored on LDAP server
Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
Password: xxxxxx
Manager DN Usage: Always
Read-only: checked
User password encryption: SSHA
Default User Roles: LDAP=Anonymous
Your "Groups Base DN" goes one level too low. You need to point to a structural entry which contains your group entries. The groups themselves must be something like groupOfUniqueNames, and must have individual attribute values for uniqueMember for every member of that group. LDAPUserFolder covers this in the README and comes with some simple LDIF examples that illustrate this.
2) Group mapping on the LDAPUserFolder's "groups" Tab: "foo_group" maps to zope role "Manager"
Once you point the "Groups Base DN" to the (or a) parent element of cn=foo_group, and cn=foo_group is of objectClass 'groupOfUniqueNames', and your user is listed as a 'uniqueMember', *then* this will work properly and user 'my_login_name' will have the 'Manager' role. Hope I've followed your description correctly, and I hope this helps... LDAPUserFolder (and pal, LDAPUserSatellite) have made authentication in our Zope setup a pleasure to work with.

--
David A. Riggs <riggs at csee dot wvu dot edu>
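To make the advice above concrete, here is an added example (not code from the thread, and not LDAPUserFolder's own implementation) that models the lookup David describes: group entries of objectClass groupOfUniqueNames found beneath the Groups Base DN, each listing members as uniqueMember values. The LDIF is constructed for illustration; the DN components (o=org, c=country, ou=admins, cn=foo_group, uid=my_login_name) follow the thread, and the rule that group entries must lie strictly below the base is an assumption drawn from David's "one level too low" remark rather than a statement about LDAPUserFolder's exact search.

```python
# Added example: models group-based role mapping for an LDAP user folder.
# The directory data below is constructed; nothing here talks to a server.
SAMPLE_LDIF = """\
dn: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
objectClass: inetOrgPerson
uid: my_login_name
cn: My Login Name
ou: foo_group
ou: bar_group

dn: cn=foo_group,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: foo_group
uniqueMember: uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country

dn: cn=bar_group,ou=admins,ou=grp3,ou=grp4,o=org,c=country
objectClass: groupOfUniqueNames
cn: bar_group
uniqueMember: uid=someone_else,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}) with attribute
    names lowercased. Handles blank-line separated entries and leading-space
    continuation lines; base64 (::) values and changetype records are not."""
    lines = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation line
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Component-wise, case-insensitive DN comparison key."""
    return tuple(part.strip().lower() for part in dn.split(","))


def is_strictly_under(dn, base_dn):
    """True when dn is a descendant of base_dn (not base_dn itself)."""
    d, b = normalize_dn(dn), normalize_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b


def roles_for_user(entries, user_dn, groups_base_dn, group_to_role):
    """Roles a user gains via group membership: only groupOfUniqueNames
    entries below the Groups Base DN count, and only a uniqueMember value
    equal to the user's DN makes the user a member. The user's own 'ou'
    attribute is never consulted, which is the point made in the thread."""
    roles, user = set(), normalize_dn(user_dn)
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofuniquenames" not in classes or not is_strictly_under(dn, groups_base_dn):
            continue
        if user in {normalize_dn(m) for m in attrs.get("uniquemember", [])}:
            group_name = attrs.get("cn", [""])[0]
            if group_name in group_to_role:
                roles.add(group_to_role[group_name])
    return roles


def config_problems(entries, groups_base_dn, user_dn):
    """Flag the two configuration issues raised in the thread."""
    problems = []
    groups = [dn for dn, a in entries
              if "groupofuniquenames" in {c.lower() for c in a.get("objectclass", [])}]
    if not any(is_strictly_under(dn, groups_base_dn) for dn in groups):
        problems.append("no groupOfUniqueNames entries below Groups Base DN; "
                        "point it at the parent container of the group entries")
    for dn, attrs in entries:
        if normalize_dn(dn) == normalize_dn(user_dn) and attrs.get("ou"):
            problems.append("user's multi-valued 'ou' is just extra user data; "
                            "it plays no part in group mapping")
    return problems


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    user = "uid=my_login_name,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country"
    mapping = {"foo_group": "Manager"}
    # The base DN from the original configuration: a single entry, one level too low.
    low = "cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country"
    print(roles_for_user(entries, user, low, mapping))    # set()
    print(config_problems(entries, low, user))
    # The suggested fix: the container that holds the group entries.
    good = "ou=admins,ou=grp3,ou=grp4,o=org,c=country"
    print(roles_for_user(entries, user, good, mapping))   # {'Manager'}
```

Running the script shows the empty role set for the original base DN and the 'Manager' role once the base is moved up to ou=admins; the same parser can be pointed at an LDIF export of a real directory to check that every group you expect to map is a groupOfUniqueNames entry under the configured base and actually lists the user's full DN as a uniqueMember.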