Placing users in a group based of LDAP attribute

Next topic

Author	Message
Bruce Morrison	Thursday 18 March 2004 5:55:47 pm I'm currently building an extranet application and am utilising the LDAP authentication. In particular I'm using the option that places an LDAP user in a user group based on a LDAP attribute. I have the following the /override/ldap.ini.append.php file # LDAP attribute type for user group. Could be name or id LDAPUserGroupAttributeType=name # LDAP attribute for user group. For example, employeetype. If specified, LDAP users # will be saved under the same group as in LDAP server. LDAPUserGroupAttribute=o where o is the organisation. In eZ Publish I have a User Group called 'Client A' and a Folder called 'Client A". When I login to the system with a user with an organisation of 'Client A' the eZ Publish user is being created under the Client A folder and not the user group. Looking at the code in kernel/classes/datatypes/ezuser/ezldapuser.php I discovered that when LDAPUserGroupAttributeType is set to name all object that match that name are retrieved and the first matching node is used for placement. I want it to use the first matching node of type 'User Group'. The code in question is if ( $LDAPUserGroupAttributeType == "name" ) { $groupName = $info[0][$LDAPUserGroupAttribute][0]; if ( $groupName != null ) { $groupQuery = "SELECT ezcontentobject_tree.node_id FROM ezcontentobject, ezcontentobject_tree WHERE ezcontentobject.name='$groupName' AND ezcontentobject.id=ezcontentobject_tree.contentobject_id"; $groupObject =& $db->arrayQuery( $groupQuery ); if ( count( $groupObject ) > 0 ) { $defaultUserPlacement = $groupObject[0]['node_id']; } } } The quick n' dirty solution is add a where clause to the $groupQuery to only return items with a contentclass_id of 3 (User Groups) $groupQuery = "SELECT ezcontentobject_tree.node_id FROM ezcontentobject, ezcontentobject_tree WHERE ezcontentobject.name='$groupName' AND ezcontentobject.id=ezcontentobject_tree.contentobject_id AND contentclass_id = 3"; I've never liked hard coding these things so a better solution would be to add an additional ini file variable that defines the content class that will be searched for a match. Does anyone think that there is a need to allow for multiple content class id to be defined? Thanks Bruce My Blog: http://www.stuffandcontent.com/ Follow me on twitter: http://twitter.com/brucemorrison Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish
Jonny Bergkvist	Friday 19 March 2004 12:13:39 am I am also using the LDAP-auth, and have experienced the same problem as you describe. To get around it, I chose to use id instead of name for matching: LDAPUserGroupType=id LDAPUserGroup=<object_id> (not node-id!) (I have not started using the LDAP-attribute-functionality yet, but I soon will) I do support your idea of being able to specify object-class! For my use, I cannot se the need for multiple content-class-ie's to search for, but I think the support for it should be there anyway to make it more flexible and general. It shouldn't be much more difficult to make. The ini-variable could be an array like: LDAPUserGroupClassFilters[]
Samuel Sauder	Thursday 19 May 2005 7:29:42 am I have version 3.5.0 and it does include this id=3 logic. I happened to stumble unto it from the /cronjobs/ldapusermanage.php side. We have an odd configuration for NDS that causes all the ldap_bind function calls not to work. So I'm trying to debug that ;)

Author

Message

Thursday 18 March 2004 5:55:47 pm

I'm currently building an extranet application and am utilising the LDAP authentication. In particular I'm using the option that places an LDAP user in a user group based on a LDAP attribute.

I have the following the /override/ldap.ini.append.php file

# LDAP attribute type for user group. Could be name or id
LDAPUserGroupAttributeType=name
# LDAP attribute for user group. For example, employeetype. If specified, LDAP users
# will be saved under the same group as in LDAP server.
LDAPUserGroupAttribute=o

where o is the organisation.

In eZ Publish I have a User Group called 'Client A' and a Folder called 'Client A". When I login to the system with a user with an organisation of 'Client A' the eZ Publish user is being created under the Client A folder and not the user group.

Looking at the code in kernel/classes/datatypes/ezuser/ezldapuser.php I discovered that when LDAPUserGroupAttributeType is set to name all object that match that name are retrieved and the first matching node is used for placement. I want it to use the first matching node of type 'User Group'.

The code in question is

if ( $LDAPUserGroupAttributeType == "name" )
{
$groupName = $info[0][$LDAPUserGroupAttribute][0];
if ( $groupName != null )
{
$groupQuery = "SELECT ezcontentobject_tree.node_id
FROM ezcontentobject, ezcontentobject_tree
WHERE ezcontentobject.name='$groupName'
AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
$groupObject =& $db->arrayQuery( $groupQuery );

if ( count( $groupObject ) > 0 )
{
$defaultUserPlacement = $groupObject[0]['node_id'];
}
}
}

The quick n' dirty solution is add a where clause to the $groupQuery to only return items with a contentclass_id of 3 (User Groups)

$groupQuery = "SELECT ezcontentobject_tree.node_id
FROM ezcontentobject, ezcontentobject_tree
WHERE ezcontentobject.name='$groupName'
AND ezcontentobject.id=ezcontentobject_tree.contentobject_id
AND contentclass_id = 3";

I've never liked hard coding these things so a better solution would be to add an additional ini file variable that defines the content class that will be searched for a match.

Does anyone think that there is a need to allow for multiple content class id to be defined?

Thanks
Bruce

My Blog: http://www.stuffandcontent.com/
Follow me on twitter: http://twitter.com/brucemorrison
Consolidated eZ Publish Feed : http://friendfeed.com/rooms/ez-publish

Jonny Bergkvist

Friday 19 March 2004 12:13:39 am

I am also using the LDAP-auth, and have experienced the same problem as you describe. To get around it, I chose to use id instead of name for matching:

LDAPUserGroupType=id
LDAPUserGroup=<object_id> (not node-id!)

(I have not started using the LDAP-attribute-functionality yet, but I soon will)

I do support your idea of being able to specify object-class! For my use, I cannot se the need for multiple content-class-ie's to search for, but I think the support for it should be there anyway to make it more flexible and general. It shouldn't be much more difficult to make.

The ini-variable could be an array like:
LDAPUserGroupClassFilters[]

Samuel Sauder

Thursday 19 May 2005 7:29:42 am

I have version 3.5.0 and it does include this id=3 logic.
I happened to stumble unto it from the /cronjobs/ldapusermanage.php side. We have an odd configuration for NDS that causes all the ldap_bind function calls not to work. So I'm trying to debug that ;)

eZ debug

Timing:	Jan 18 2025 19:38:11
Script start
Timing:	Jan 18 2025 19:38:11
Module start 'layout'
Timing:	Jan 18 2025 19:38:11
Module start 'content'
Timing:	Jan 18 2025 19:38:12
Module end 'content'
Timing:	Jan 18 2025 19:38:12
Script end

Main resources:

Total runtime	0.6595 sec
Peak memory usage	4,096.0000 KB
Database Queries	59

Timing points:

Checkpoint	Start (sec)	Duration (sec)	Memory at start (KB)	Memory used (KB)
Script start	0.0000	0.0055	588.0469	152.6406
Module start 'layout'	0.0056	0.0021	740.6875	39.4766
Module start 'content'	0.0077	0.6504	780.1641	592.2578
Module end 'content'	0.6581	0.0014	1,372.4219	12.1250
Script end	0.6595		1,384.5469

Time accumulators:

Accumulator	Duration (sec)	Duration (%)	Count	Average (sec)
Ini load
Load cache	0.0030	0.4562	16	0.0002
Check MTime	0.0013	0.1976	16	0.0001
Mysql Total
Database connection	0.0009	0.1289	1	0.0009
Mysqli_queries	0.6037	91.5273	59	0.0102
Looping result	0.0007	0.1040	57	0.0000
Template Total	0.6324	95.9	2	0.3162
Template load	0.0019	0.2902	2	0.0010
Template processing	0.6305	95.5892	2	0.3152
Template load and register function	0.0001	0.0164	1	0.0001
states
state_id_array	0.0012	0.1763	1	0.0012
state_identifier_array	0.0009	0.1404	2	0.0005
Override
Cache load	0.0016	0.2406	53	0.0000
Sytem overhead
Fetch class attribute can translate value	0.0008	0.1166	3	0.0003
Fetch class attribute name	0.0013	0.2044	5	0.0003
XML
Image XML parsing	0.0011	0.1669	3	0.0004
class_abstraction
Instantiating content class attribute	0.0000	0.0013	5	0.0000
General
dbfile	0.0010	0.1502	22	0.0000
String conversion	0.0000	0.0013	4	0.0000
Note: percentages do not add up to 100% because some accumulators overlap

Templates used to render the page:

Usage	Requested template	Template	Template loaded
1	node/view/full.tpl	full/forum_topic.tpl	extension/sevenx/design/simple/override/templates/full/forum_topic.tpl
2	content/datatype/view/ezimage.tpl	<No override>	extension/sevenx/design/simple/templates/content/datatype/view/ezimage.tpl
3	content/datatype/view/ezxmltext.tpl	<No override>	extension/community_design/design/suncana/templates/content/datatype/view/ezxmltext.tpl
10	content/datatype/view/ezxmltags/paragraph.tpl	<No override>	extension/ezwebin/design/ezwebin/templates/content/datatype/view/ezxmltags/paragraph.tpl
8	content/datatype/view/ezxmltags/line.tpl	<No override>	design/standard/templates/content/datatype/view/ezxmltags/line.tpl
1	print_pagelayout.tpl	<No override>	extension/community/design/community/templates/print_pagelayout.tpl
Number of times templates used: 25 Number of unique templates used: 6

Time used to render debug report: 0.0001 secs