One further clarification on the problem. Users and roles are being imported, but users' membership of roles is not being found on searches. Also tried on the Liferay enterprise portal and got a similar problem. Users are being imported, but issues with roles.
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 01 September 2013 12:50
To: 389-users@lists.fedoraproject.org
Subject: RE: Membership of Roles
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
The default settings for OpenLDAP installations are:

Stage 1
  Authentication URL        | ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
  Authentication DN         |
  Authentication Password   | Password
  Test Username             | Test email address
  Test Password             | Password for test user

Stage 2
  Group Search Base Attribute | dc=xxx,dc=com
  Group Filter Attribute      | (objectClass=groupOfUniqueNames)

Attributes                | OpenLDAP
  User ID Attribute         | entryUUID
  Email Attribute           | mail
  User Fullname Attribute   | cn
  User Member Attribute     | uid
  GroupID Attribute         | entryUUID
  Group Name Attribute      | cn
  Group Fullname Attribute  | cn
  Group Member Attribute    | memberUid
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 31 August 2013 13:43
To: '389-users@lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use roles instead of groups to automatically give users rights to service on the blog system. However, I am having problems with the system identifying members of roles. I need help with defining the correct search parameters to identify which roles a uid or cn is a member of.
From within the blog system I’m using LDAPGroupFilter (objectclass=ldapSubEntry) to list the roles. The roles list correctly as groups within the blog system.
From within 389 the members of roles are configured as filtered, and I can see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search against 389. Note, users can log into the blog system using the accounts created on 389. I don’t think I am applying the correct search criteria to identify group membership. I need advice on creation of the correct search criteria for membership of roles/groups.
Sample from the access log:
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxx.com)(objectClass=*))" attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxx.com)(objectClass=*))" attrs="uid mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
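The access log above shows the shape of the problem: op=5 reads the virtual nsRole attribute of the user and gets an answer, but op=6 then asks the role subentry itself for a member value naming that role, and 389-ds returns nentries=0 because a role definition carries no member attribute; membership is computed by the server onto the member entries as nsRole. The following Python model is an added example written for this page, not code from the thread, the blog system or 389-ds. It builds a small directory matching the DNs in the posted log (the role's nsRoleFilter, the departmentNumber values and the second user are assumptions), computes nsRole the way a filtered role does (entries under the role's parent that match its filter), replays the exact op=6 filter from the log against it, and contrasts that with a query that selects members by nsRole. Only filtered roles are modelled; managed and nested roles are not.

```python
"""389-ds role membership, modelled. Added example: not code from the thread,
the blog system or 389-ds. Entries match the DNs in the posted access log;
the role's filter and the second user are assumptions."""
import re

# Attribute names lower-cased (LDAP names are case-insensitive); values are lists.
DIRECTORY = {
    # Filtered role: an ldapSubEntry with a filter, but no member attribute.
    "cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com": {
        "objectclass": ["top", "ldapSubEntry", "nsRoleDefinition",
                        "nsComplexRoleDefinition", "nsFilteredRoleDefinition"],
        "cn": ["xxxxrolecommentertest"],
        "nsrolefilter": ["(departmentNumber=commenters)"]},   # assumed filter
    "uid=1000016,ou=customers,dc=xxxx,dc=com": {
        "objectclass": ["top", "inetOrgPerson"], "uid": ["1000016"],
        "mail": ["testuser16@xxxx.com"], "departmentnumber": ["commenters"]},
    "uid=1000017,ou=customers,dc=xxxx,dc=com": {                # constructed non-member
        "objectclass": ["top", "inetOrgPerson"], "uid": ["1000017"],
        "mail": ["testuser17@xxxx.com"], "departmentnumber": ["readers"]},
}
ROLE_DN = "cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com"
# Copy of op=6 from the posted access log: the search that returned nentries=0.
BLOG_QUERY = ('conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 '
              'filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,'
              'dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=\d filter="([^"]*)"')

def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, equality and presence."""
    return _parse(text.strip(), 0)[0]

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1           # s[i] is the closing ')'
    j = s.index(")", i)
    attr, value = s[i:j].split("=", 1)     # first '=' only: values may be DNs
    return ("=", attr.lower(), value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter; case-insensitive compare approximates LDAP matching rules."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = entry.get(attr, [])
    return bool(values) if value == "*" else any(v.lower() == value.lower() for v in values)

def parent_dn(dn):
    return dn.split(",", 1)[1]

def with_virtual_attrs(directory):
    """Copy of the directory carrying the nsRole values 389-ds computes at read time:
    nsRole=<role DN> for each filtered role whose scope (subtree under the role's
    parent) contains the entry and whose nsRoleFilter matches it."""
    roles = [(dn, e) for dn, e in directory.items()
             if "nsfilteredroledefinition" in {c.lower() for c in e["objectclass"]}]
    out = {}
    for dn, entry in directory.items():
        e = {k: list(v) for k, v in entry.items()}
        for role_dn, role in roles:
            in_scope = dn != role_dn and dn.lower().endswith("," + parent_dn(role_dn).lower())
            if in_scope and matches(parse_filter(role["nsrolefilter"][0]), e):
                e.setdefault("nsrole", []).append(role_dn)
        out[dn] = e
    return out

def search(directory, base, filter_text):
    """Subtree search (scope=2): sorted DNs under base that match the filter."""
    node, base = parse_filter(filter_text), base.lower()
    return sorted(dn for dn, e in directory.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, e))

def replay_search(directory, log_line):
    """Re-run the SRCH recorded in a 389-ds access-log line against the model."""
    m = SRCH_RE.search(log_line)
    if not m:
        raise ValueError("not a SRCH line")
    return search(directory, m.group(1), m.group(2))

def roles_of_user(directory, uid):
    """What op=5 in the log does: read the virtual nsRole of one user's entry."""
    virt = with_virtual_attrs(directory)
    return sorted(r for dn in search(virt, "dc=xxxx,dc=com", "(|(uid=%s))" % uid)
                  for r in virt[dn].get("nsrole", []))

def members_of_role(directory, role_dn):
    """Role-aware membership query: entries whose nsRole names the role, not member values on the role."""
    return search(with_virtual_attrs(directory), parent_dn(role_dn), "(nsRole=%s)" % role_dn)

if __name__ == "__main__":
    print(replay_search(with_virtual_attrs(DIRECTORY), BLOG_QUERY))  # []: no member attribute on a role
    print(roles_of_user(DIRECTORY, "1000016"))   # [ROLE_DN]
    print(members_of_role(DIRECTORY, ROLE_DN))   # ['uid=1000016,ou=customers,dc=xxxx,dc=com']
```

The practical consequence for an integration that only understands group-style membership (a member or memberUid attribute on the group entry, as in the OpenLDAP defaults quoted earlier in the thread) is that 389-ds roles cannot be enumerated that way: the member-side query has to be `(nsRole=<role DN>)` over the user subtree, and nsRole must be requested explicitly because it is an operational attribute. Whether the blog system's LDAPGroupMemberAttribute can be pointed at such a user-side attribute is a property of that product and is not established by the thread.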