
LDAP user groups ActiveDirectory <-> eZ Publish


Philip K.

Monday 31 May 2010 6:55:51 am

Hi there.

I'm trying to set up a site on eZ Publish (version 4.3) with LDAP-Login support. The user login itself is working very well.

Now I want eZ to store the users out of our AD into special groups.

This should work like this:

  • We have created some groups for eZ publish inside our AD
  • These groups were created in eZ, too
  • Roles for these groups were created and assigned
  • If a user logs in he should be created in the same group as he is in the AD

According to the eZ documentation this should work with LDAP Group Mapping Type "SimpleMapping". (http://ez.no/doc/ez_publish/techn...gin_handler/ldap_group_mapping_type)

Ini settings from the documentation are:

LDAPGroupMappingType=SimpleMapping
LDAPUserGroupClass=organizationalUnit
LDAPUserGroupAttribute=cn
LDAPGroupMemberAttribute=members
LDAPUserGroupMap[]
LDAPUserGroupMap[editor]=Editor
LDAPUserGroupMap[techwriter]=Technical writer

I had to change some settings for our need.

My settings in LDAP.ini:

[LDAPSettings]

# Enable tracing the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=<MyHost>

[...]

LDAPGroupMappingType=SimpleMapping
LDAPUserGroupClass=organizationalPerson
LDAPUserGroupAttribute=cn
LDAPGroupMemberAttribute=memberof
LDAPUserGroupMap[]
LDAPUserGroupMap[Group1]=Group1
LDAPUserGroupMap[Group2]=Group2

Problem is that all users are stored in Members-Folder (Node 12) when a user is logging in. Is there someone who has done this before successfully? I don't have any idea why this does not work.

Thanks for your help.

Linux is like a wigwam; no windows, no gates, and apache inside!

Nicolas Pastorino

Wednesday 02 June 2010 10:27:23 am

Hi Philip,

Per @brdesmond's reply to my call for help on twitter, it appears that setting "ldapUserGroupClass" to "group" could do the deal. Would you mind trying this out and letting us know?

Thanks to @brdesmond for the help :)
Cheers,

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye

Philip K.

Monday 07 June 2010 1:14:25 am

Hi Nicolas,

thank you for your hint.

It still won't work, but it was good to find out that there might be an issue in the LDAP documentation on ez.no.

Here are my current settings in ldap.ini:

# Group mapping settings:
# Root node id where LDAP groups are created, node id: 5 is used if blank
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
#LDAPUserGroupClass=group
LDAPUserGroupAttribute=cn
LDAPGroupMemberAttribute=member
LDAPUserGroupMap[]
LDAPUserGroupMap[eZPublish1]=eZPublish1
LDAPUserGroupMap[eZPublish2]=eZPublish2

As you can see I have two different settings to set the class of a user group:

  • LDAPUserGroupClass (as described on the documentation site: http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler/ldap_group_mapping_type#SimpleMapping )
  • LDAPGroupClass (as it can be found in ldap.ini)

There is no "LDAPUserGroupClass" setting in ldap.ini. I gave it a try anyway and I got the same result as with "LDAPGroupClass": users are still stored in Members-Folder.

I took a look into my error.log and found the following entry:

 [ Jun 07 2010 10:03:59 ] [127.0.0.1] eZLDAPUser.php, function getUserGroupsTree():
Missing one of required parameters.

I will try to find out which parameter is needed and tell it here.

Thank you for your help.

Philip

Linux is like a wigwam; no windows, no gates, and apache inside!

Nicolas Pastorino

Monday 07 June 2010 10:37:22 am

Hi Philip,

From the top of my head, investigation can safely start at line 477 in this file:
kernel/classes/datatypes/ezuser/ezldapuser.php (eZ 4.2)

Let us know how things go,
Cheers

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye

Philip K.

Tuesday 15 June 2010 2:22:17 am

I got it!

After some 'trial & error' I found the correct settings for ldap.ini. Here is how it works now:

  1. Create users in your ActiveDirectory (AD)
  2. Create groups that should be used with eZ Publish in your AD
  3. Create the same groups in eZ Publish
  4. Link users with groups in your AD

If you now use the "SimpleMapping" method, the user will be created in the same group as he is in your AD.

Here are all ini settings you need to have in your ldap.ini.append.php (based on Windows Active Directory):

[LDAPSettings]
# Enable tracing the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=<YOUR SERVER IP>
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--example,DC--com
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=administrator@example.com
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=<YOUR ADMIN PASS>
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equal sign to replace "=" when specifying LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirement. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectCategory--person
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName

## LDAP GROUP SETTINGS
LDAPGroupBaseDN=DC--example,DC--com
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
LDAPGroupNameAttribute=cn
LDAPGroupMemberAttribute=member
LDAPUserGroupMap[]
LDAPUserGroupMap[eZPublish1]=eZPublish1
LDAPUserGroupMap[eZPublish2]=eZPublish2

Finally I have to say that the example on the documentation page for "SimpleMapping" is absolutely wrong!

Thank you Nicolas for your help!

Philip

Linux is like a wigwam; no windows, no gates, and apache inside!
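To make the working settings above concrete, here is an added example (not eZ Publish code, and Python rather than the handler's PHP) that replays what SimpleMapping does with them: build the user search filter, build the group filter for LDAPGroupClass=group / LDAPGroupMemberAttribute=member, and translate matching AD groups through LDAPUserGroupMap, with unmapped users falling back to the default Members group the thread saw in node 12. The CFG dict, the GROUPS entries and the function names are constructed assumptions; the RFC 4515 escaping is added so a login name cannot alter the filter.

```python
# Constructed settings mirroring the working ldap.ini from the thread. Values keep
# eZ's convention of writing '=' as LDAPEqualSign ('--') inside ini values.
CFG = {
    "LDAPEqualSign": "--",
    "LDAPSearchFilters": ["objectCategory--person"],
    "LDAPLoginAttribute": "sAMAccountName",
    "LDAPGroupClass": "group",
    "LDAPGroupNameAttribute": "cn",
    "LDAPGroupMemberAttribute": "member",
    "LDAPUserGroupMap": {"eZPublish1": "eZPublish1", "eZPublish2": "Editors"},
}

def escape_filter(value):
    """RFC 4515 escaping so a login name cannot rewrite the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def user_filter(cfg, login):
    """Filter that finds the user entry; '--' in ini values stands for '='."""
    extra = "".join("(%s)" % f.replace(cfg["LDAPEqualSign"], "=")
                    for f in cfg["LDAPSearchFilters"])
    return "(&%s(%s=%s))" % (extra, cfg["LDAPLoginAttribute"], escape_filter(login))

def group_filter(cfg, user_dn):
    """With LDAPGroupMemberAttribute=member, ask for group objects whose
    member list holds the user's DN (the 'memberof' variant is user-side)."""
    return "(&(objectClass=%s)(%s=%s))" % (
        cfg["LDAPGroupClass"], cfg["LDAPGroupMemberAttribute"], escape_filter(user_dn))

def ez_groups(cfg, user_dn, group_entries):
    """Translate matching AD groups via LDAPUserGroupMap; a user in no mapped
    group lands in the default Members group (node 12 in the thread)."""
    name, member = cfg["LDAPGroupNameAttribute"], cfg["LDAPGroupMemberAttribute"]
    mapped = [cfg["LDAPUserGroupMap"].get(g[name])
              for g in group_entries if user_dn in g[member]]
    return [n for n in mapped if n] or ["Members"]

# Constructed entries, shaped like what a search with group_filter() returns.
GROUPS = [
    {"cn": "eZPublish1", "member": ["CN=Philip,DC=example,DC=com"]},
    {"cn": "Sales", "member": ["CN=Philip,DC=example,DC=com", "CN=Anna,DC=example,DC=com"]},
]
```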

Nicolas Pastorino

Tuesday 15 June 2010 3:15:11 am

Excellent news!

Thanks for sharing the solution!

Cheers,

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye
