Thursday 29 July 2010 2:24:21 am
Hello, I am currently really struggling to get AD and Ezpublish group mappings to work. At the moment a user enters their details into the login boxes, Ezpublish delves into AD, finds the user, and creates and adds them to the members group in Ezpublish. I have trawled the documentation and forums and tried all the things suggested, and still I cannot stop users from going into the members group. Currently I can confirm that:-
* The Active Directory Ezpublish connection is currently working.
* Ezpublish puts all AD users who log in into the members directory.
My settings inside ldap.ini.append.php are as follows:-
#?ini charset="iso-8859-1"?
# eZ Publish configuration file for connection and authentication of users via LDAP
#
[LDAPSettings]
LDAPDebugTrace=enabled
# Enable tracing of the LDAP login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=gcwwdc01.example.co.uk
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--example,DC--co,DC--uk
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=<intranetuser>
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=<intranetpassword>
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equal sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirement. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectCategory--person
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName
LDAPDebugTrace=enabled
LDAPUserGroupType=name
LDAPUserGroupAttribute=intranetAdmin
LDAPGroupBaseDN = DC--example, DC--co, DC--uk
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
LDAPUserGroupAttribute=cn
LDAPUserGroupMap[]
LDAPUserGroupMap[intranetAdmin]=intranetAdmin

Any help or suggestions would be really appreciated. Many thanks, Nicholas