|
Dong Fu
|
Thursday 23 April 2009 11:26:11 am
We are trying to implement group filtering using LDAP authentication. Basically the server is able to talk to the LDAP server, and we would like to only authenticate users in a special LDAP group while rejecting all others. However, we are not sure which settings in the ldap.ini.append.php should be modified to achieve this. Any one who knows how to do this? We used the following template to build out ldap.ini.append.php file.
#?ini charset="iso-8859-1"?
# eZ Publish configuration file for connection and authentication of users via LDAP
#
[LDAPSettings]
# Set LDAP version number
LDAPVersion=2
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=uid
# Could be id or name
LDAPUserGroupType=id
# Default place to store LDAP users. Could be content object id or group name for LDAP user group,
# depends on LDAPUserGroupType.
LDAPUserGroup[]
# Group mapping settings:
# Possible values: UseGroupAttribute (old style group assignig using LDAPUserGroupAttribute setting),
# SimpleMapping (using LDAPUserGroupMap array for name-to-name group mapping) or GetGroupsTree
LDAPGroupMappingType=UseGroupAttribute
# Base LDAP dn which should be used to fetch user group objects from LDAP
LDAPGroupBaseDN=
# LDAP user group class
LDAPGroupClass=exampleGroupDAClassName
# Attribute which should be used to obtain name of an LDAP group
# Required then 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupNameAttribute=cn
# Attribute of LDAP user which should be used to obtain groups which user(group) belongs to.
# Required then 'LDAPGroupMappingType' is set to 'GetGroupsTree' or 'SimpleMapping'
LDAPGroupMemberAttribute=member
# Attribute which contain description of LDAP group, optional
LDAPGroupDescriptionAttribute=
# Group names map (from LDAP to ezpublish user-groups),
# used then 'LDAPGroupMappingType' is set to 'SimpleMapping'
LDAPUserGroupMap[]
# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=employeetype
# LDAP attribute for First name. Normally, givenname
LDAPFirstNameAttribute=givenname
# LDAP attribute for Last name. Normally, sn
LDAPLastNameAttribute=sn
# LDAP attribute for email. Normally, mail
LDAPEmailAttribute=mail
# LDAP encoding is utf-8 or not
Utf8Encoding=false
# if 'enabled' you can move LDAP users to a different group and they will not
# be automatically moved back (to the group they are configured to be placed in)
# when the user logs in again.
KeepGroupAssignment=disabled
|