Placing users in a group based on an LDAP attribute


Bruce Morrison

Thursday 18 March 2004 5:55:47 pm

I'm currently building an extranet application and am utilising the LDAP authentication. In particular I'm using the option that places an LDAP user in a user group based on an LDAP attribute.

I have the following in the /override/ldap.ini.append.php file

# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=o

where o is the organisation.

In eZ Publish I have a User Group called 'Client A' and a Folder called 'Client A'. When I log in to the system with a user with an organisation of 'Client A' the eZ Publish user is being created under the Client A folder and not the user group.

Looking at the code in kernel/classes/datatypes/ezuser/ezldapuser.php I discovered that when LDAPUserGroupAttributeType is set to name all objects that match that name are retrieved and the first matching node is used for placement. I want it to use the first matching node of type 'User Group'.

The code in question is

// LDAPUserGroupAttributeType=name: take the attribute value from the
// LDAP entry and look up a content object with that name.
if ( $LDAPUserGroupAttributeType == "name" )
{
    $groupName = $info[0][$LDAPUserGroupAttribute][0];
    if ( $groupName != null )
    {
        // Matches any content object with that name, whatever its class,
        // and interpolates the LDAP-supplied value straight into the SQL.
        $groupQuery = "SELECT ezcontentobject_tree.node_id
                       FROM ezcontentobject, ezcontentobject_tree
                       WHERE ezcontentobject.name='$groupName'
                       AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
        $groupObject =& $db->arrayQuery( $groupQuery );

        // First row wins; with no ORDER BY that is whichever row the database returns first.
        if ( count( $groupObject ) > 0 )
        {
            $defaultUserPlacement = $groupObject[0]['node_id'];
        }
    }
}

The quick n' dirty solution is to add a WHERE clause to the $groupQuery to only return items with a contentclass_id of 3 (User Groups)

// Same query, restricted to objects of the User Group class
// (contentclass_id 3 in a stock install; the column lives on ezcontentobject).
$groupQuery = "SELECT ezcontentobject_tree.node_id
               FROM ezcontentobject, ezcontentobject_tree
               WHERE ezcontentobject.name='$groupName'
               AND ezcontentobject.id=ezcontentobject_tree.contentobject_id
               AND ezcontentobject.contentclass_id = 3";

I've never liked hard coding these things so a better solution would be to add an additional ini file variable that defines the content class that will be searched for a match.

Does anyone think that there is a need to allow for multiple content class ids to be defined?

Thanks
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Jonny Bergkvist

Friday 19 March 2004 12:13:39 am

I am also using the LDAP-auth, and have experienced the same problem as you describe. To get around it, I chose to use id instead of name for matching:

LDAPUserGroupType=id
LDAPUserGroup=<object_id> (not node-id!)

(I have not started using the LDAP-attribute-functionality yet, but I soon will)

I do support your idea of being able to specify object-class! For my use, I cannot see the need for multiple content-class ids to search for, but I think the support for it should be there anyway to make it more flexible and general. It shouldn't be much more difficult to make.

The ini-variable could be an array like:
LDAPUserGroupClassFilters[]

Samuel Sauder

Thursday 19 May 2005 7:29:42 am

I have version 3.5.0 and it does include this id=3 logic.
I happened to stumble onto it from the /cronjobs/ldapusermanage.php side. We have an odd configuration for NDS that causes all the ldap_bind function calls not to work. So I'm trying to debug that ;)
