Forums / Developer / Placing users in a group based of LDAP attribute

Placing users in a group based of LDAP attribute

Previous topic

Developer

Next topic

Author	Message
Bruce Morrison	Thursday 18 March 2004 5:55:47 pm I'm currently building an extranet application and am utilising the LDAP authentication. In particular I'm using the option that places an LDAP user in a user group based on a LDAP attribute. I have the following the /override/ldap.ini.append.php file # LDAP attribute type for user group. Could be name or id LDAPUserGroupAttributeType=name # LDAP attribute for user group. For example, employeetype. If specified, LDAP users # will be saved under the same group as in LDAP server. LDAPUserGroupAttribute=o where o is the organisation. In eZ Publish I have a User Group called 'Client A' and a Folder called 'Client A". When I login to the system with a user with an organisation of 'Client A' the eZ Publish user is being created under the Client A folder and not the user group. Looking at the code in kernel/classes/datatypes/ezuser/ezldapuser.php I discovered that when LDAPUserGroupAttributeType is set to name all object that match that name are retrieved and the first matching node is used for placement. I want it to use the first matching node of type 'User Group'. The code in question is if ( $LDAPUserGroupAttributeType == "name" ) { $groupName = $info[0][$LDAPUserGroupAttribute][0]; if ( $groupName != null ) { $groupQuery = "SELECT ezcontentobject_tree.node_id FROM ezcontentobject, ezcontentobject_tree WHERE ezcontentobject.name='$groupName' AND ezcontentobject.id=ezcontentobject_tree.contentobject_id"; $groupObject =& $db->arrayQuery( $groupQuery ); if ( count( $groupObject ) > 0 ) { $defaultUserPlacement = $groupObject[0]['node_id']; } } } The quick n' dirty solution is add a where clause to the $groupQuery to only return items with a contentclass_id of 3 (User Groups) $groupQuery = "SELECT ezcontentobject_tree.node_id FROM ezcontentobject, ezcontentobject_tree WHERE ezcontentobject.name='$groupName' AND ezcontentobject.id=ezcontentobject_tree.contentobject_id AND contentclass_id = 3"; I've never liked hard coding these things so a better solution would be to add an additional ini file variable that defines the content class that will be searched for a match. Does anyone think that there is a need to allow for multiple content class id to be defined? Thanks Bruce My Blog: http://www.stuffandcontent.com/ Follow me on twitter: http://twitter.com/brucemorrison Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
Jonny Bergkvist	Friday 19 March 2004 12:13:39 am I am also using the LDAP-auth, and have experienced the same problem as you describe. To get around it, I chose to use id instead of name for matching: LDAPUserGroupType=id LDAPUserGroup=<object_id> (not node-id!) (I have not started using the LDAP-attribute-functionality yet, but I soon will) I do support your idea of being able to specify object-class! For my use, I cannot se the need for multiple content-class-ie's to search for, but I think the support for it should be there anyway to make it more flexible and general. It shouldn't be much more difficult to make. The ini-variable could be an array like: LDAPUserGroupClassFilters[]
Samuel Sauder	Thursday 19 May 2005 7:29:42 am I have version 3.5.0 and it does include this id=3 logic. I happened to stumble unto it from the /cronjobs/ldapusermanage.php side. We have an odd configuration for NDS that causes all the ldap_bind function calls not to work. So I'm trying to debug that ;)

Author

Message

Bruce Morrison

Thursday 18 March 2004 5:55:47 pm

I'm currently building an extranet application and am utilising the LDAP authentication. In particular I'm using the option that places an LDAP user in a user group based on a LDAP attribute.

I have the following the /override/ldap.ini.append.php file

# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=o

where o is the organisation.

In eZ Publish I have a User Group called 'Client A' and a Folder called 'Client A". When I login to the system with a user with an organisation of 'Client A' the eZ Publish user is being created under the Client A folder and not the user group.

Looking at the code in kernel/classes/datatypes/ezuser/ezldapuser.php I discovered that when LDAPUserGroupAttributeType is set to name all object that match that name are retrieved and the first matching node is used for placement. I want it to use the first matching node of type 'User Group'.

The code in question is

if ( $LDAPUserGroupAttributeType == "name" )
{
$groupName = $info[0][$LDAPUserGroupAttribute][0];
if ( $groupName != null )
{
$groupQuery = "SELECT ezcontentobject_tree.node_id
FROM ezcontentobject, ezcontentobject_tree
WHERE ezcontentobject.name='$groupName'
AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
$groupObject =& $db->arrayQuery( $groupQuery );

if ( count( $groupObject ) > 0 )
{
$defaultUserPlacement = $groupObject[0]['node_id'];
}
}
}

The quick n' dirty solution is add a where clause to the $groupQuery to only return items with a contentclass_id of 3 (User Groups)

$groupQuery = "SELECT ezcontentobject_tree.node_id
FROM ezcontentobject, ezcontentobject_tree
WHERE ezcontentobject.name='$groupName'
AND ezcontentobject.id=ezcontentobject_tree.contentobject_id
AND contentclass_id = 3";

I've never liked hard coding these things so a better solution would be to add an additional ini file variable that defines the content class that will be searched for a match.

Does anyone think that there is a need to allow for multiple content class id to be defined?

Thanks
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Jonny Bergkvist

Friday 19 March 2004 12:13:39 am

I am also using the LDAP-auth, and have experienced the same problem as you describe. To get around it, I chose to use id instead of name for matching:

LDAPUserGroupType=id
LDAPUserGroup=<object_id> (not node-id!)

(I have not started using the LDAP-attribute-functionality yet, but I soon will)

I do support your idea of being able to specify object-class! For my use, I cannot se the need for multiple content-class-ie's to search for, but I think the support for it should be there anyway to make it more flexible and general. It shouldn't be much more difficult to make.

The ini-variable could be an array like:
LDAPUserGroupClassFilters[]

Samuel Sauder

Thursday 19 May 2005 7:29:42 am

I have version 3.5.0 and it does include this id=3 logic.
I happened to stumble unto it from the /cronjobs/ldapusermanage.php side. We have an odd configuration for NDS that causes all the ldap_bind function calls not to work. So I'm trying to debug that ;)