[Zope] Group mapping not working on LDAPUserFolder
Josef Meile
jmeile at hotmail.com
Fri Jun 4 12:59:20 EDT 2004
Hi,
I just found that the group mapping isn't working for our LDAP. I tried
with the LDAPUserFolder 2.4beta2 and CookieCrumbler 1-1. I could
authenticate myself against the LDAP, search some users, and I could
also see the groups, but the group mapping (on the groups tab) didn't work.
This is what I have:
1) We have an extra attribute for the LDAP Schema:
LDAP Attribute Name: ou
Friendly Name: group
Multi-valued: Yes
This attribute gives us a list of groups to which a user belongs. The
rest of the configuration for the LDAP is quite normal:
Login Name Attribute: uid
RDN Attribute: uid
Users Base DN: ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country
Scope: SUBTREE
Group storage: Groups stored on LDAP server
Groups Base DN: cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country
Password: xxxxxx
Manager DN Usage: Always
Read-only checked
User password encryption: SSHA
Default User Roles: LDAP=Anonymous
LDAP Servers:
my_ldap.mydomain.com, port: 636, LDAP over SSL
2) Group mapping on the LDAPUserFolder's "groups" Tab:
"foo_group" maps to zope role "Manager"
3) Tried the following PageTemplate to authenticate myself on the LDAP
(it prints the roles I have over the request):
User: <p tal:replace="python:user.getUserName()"></p><br>
Roles: <p tal:replace="python:user.getRolesInContext(here)"></p><br>
<p tal:condition="python:user.getUserName()=='Anonymous User'">
you aren't logged in
</p>
<span tal:condition="python:user.getUserName()=='Anonymous User'">
<span tal:condition="python:request.has_key('firstTime')">
<h1>Login error</h1>
<br><br>
This user name isn't valid.<br>
Perhaps your browser doesn't have cookies enabled.
<br><br>
</span>
<span tal:condition="python:not request.has_key('firstTime')">
<h1>
For the following pages you need to login.
</h1>
</span>
<table>
<tr>
<td>
<form method="post" name="loginForm" action="some_url"
tal:attributes="action python:request.URL0">
<input type="hidden" name="firstTime" value="0">
<table cellspacing="10">
<tr>
<td align="left" valign="top" width="170">
<font face="verdana"><strong>login:</strong></font>
</td>
<td align="left" valign="top">
<input type="TEXT" name="__ac_name" size="20" class="text"
value="" tal:attributes="value
python:request.get('__ac_name','')">
</td>
</tr>
<tr>
<td align="left" valign="top">
<font face="verdana"><strong>password:</strong></font>
</td>
<td align="left" valign="top">
<input type="PASSWORD" name="__ac_password" size="20"
class="text">
</td>
</tr>
<tr>
<td align="right" colspan="2">
<input type="submit" value=" Login " class="button">
</td>
</tr>
</table>
</form>
</td>
<td>
<p>
Login problems?<br>
Perhaps your browser has cookies disabled
</p>
</td>
</tr>
</table>
</span>
I can authenticate myself against the LDAP, but what I get when printing
the roles is:
User: my_login_name
Roles: ['Anonymous', 'Authenticated']
"my_login_name" belongs to the foo_group and other groups as well, but it
doesn't get the 'Manager' role as expected. Then, I found that line 333
of LDAPUserFolder.py (method _lookupuserbyattr):
groups = list(self.getGroups(dn=dn, attr='cn', pwd=user_pwd))
doesn't return any group for this user, so I replaced it with:
groups = user_attrs.get('ou',None)
if groups==None:
    groups = list(self.getGroups(dn=dn, attr='cn', pwd=user_pwd))
and now it works. I think this is possible in our case because of the
additional "ou" attribute, but would it work on other configurations? Is
this only happening to me, or is it a bug?
Regards,
Josef
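An added illustration, not part of Josef's message or of LDAPUserFolder's own code, that models the two lookups the message contrasts against a constructed in-memory directory: a member-based search under the configured Groups Base DN (an approximation of what a getGroups-style lookup does, not the real implementation) and the patched order that reads the multi-valued ou attribute from the user's own entry first. All DNs, entries and group names are constructed; only the Groups Base DN and the mapping come from the message.

```python
# Constructed in-memory directory (not a real LDAP server): one user entry
# carrying the multi-valued "ou" attribute from the post, plus a group entry
# that lives outside the Groups Base DN the post configured.
USER_DN = "uid=josef,ou=grp1,ou=grp2,ou=grp3,ou=grp4,o=org,c=country"
POSTED_GROUPS_BASE = "cn=foo_account,ou=admins,ou=grp3,ou=grp4,o=org,c=country"
DIRECTORY = {
    USER_DN: {
        "uid": ["josef"],
        "ou": ["foo_group", "other_group"],  # groups as a user attribute
    },
    "cn=foo_group,ou=groups,o=org,c=country": {
        "cn": ["foo_group"],
        "uniqueMember": [USER_DN],
    },
}
GROUP_ROLE_MAP = {"foo_group": "Manager"}  # the "groups" tab mapping
DEFAULT_ROLES = ["Anonymous"]

def in_subtree(dn, base_dn):
    """SUBTREE scope: the entry is the base itself or sits below it."""
    return dn == base_dn or dn.endswith("," + base_dn)

def groups_by_membership(directory, groups_base_dn, user_dn):
    """Approximation of the stock lookup (not LDAPUserFolder's code): group
    entries under the Groups Base DN listing user_dn as a member -> their cn."""
    found = []
    for dn, attrs in directory.items():
        if not in_subtree(dn, groups_base_dn):
            continue
        members = attrs.get("uniqueMember", []) + attrs.get("member", [])
        if user_dn in members:
            found.extend(attrs.get("cn", []))
    return found

def groups_by_user_attr(user_attrs, attr="ou"):
    """The workaround: take the group names from the user's own entry."""
    return list(user_attrs.get(attr, []))

def resolve_groups(directory, groups_base_dn, user_dn, attr="ou"):
    """The patched order: user attribute first, member search as fallback."""
    return (groups_by_user_attr(directory[user_dn], attr)
            or groups_by_membership(directory, groups_base_dn, user_dn))

def roles_for(groups, mapping, default_roles):
    """Apply the groups-tab mapping to whatever group names were found."""
    roles = list(default_roles)
    for name in groups:
        role = mapping.get(name)
        if role and role not in roles:
            roles.append(role)
    return roles
```

With the posted Groups Base DN the member search finds no group entry at all, so only the default role remains, while the ou path yields Manager. Note that the ou path derives Zope roles from an attribute on the user's own entry, so whoever can write that attribute controls the roles it grants, whereas the member search keys off entries under the groups base.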