Question
We are using LdapContrib 1.11.
ALLOWWEBVIEW works with ldap users but we need to integrate with ldap groups.
We think that the configuration is ok because we are able to see all the ldap groups with http://evan.ocunet/twiki/bin/view/Main/TWikiGroups
Environment
--
MarianoSanz - 21 Aug 2007
Answer
Sorry, closing this after more than 30 days of inactivity. Please feel free to reopen the question.
--
PeterThoeny - 03 Oct 2007
Please try the latest LdapContrib release.
--
MichaelDaum - 11 Oct 2007
--
NigelWhitley - 23 Jan 2008
I have the same requirement, i.e. using LDAP (actually AD) groups to control access to Webs and Topics. As with the OP, I can authenticate the user and see the AD groups in TWikiGroups. However, when I try to limit access to a Web by specifying ALLOWWEBVIEW = TestGroup in preferences and attempt to access the Web with TestUser, who is in TestGroup, the access is not authorized (although the user is authenticated correctly). I'm using TWiki 4.1.2 and the latest LdapContrib (timestamps indicate 07 Jan 2008 19:11).
Adding the TestUser directly to ALLOWWEBVIEW will permit access so it correctly authenticates and authorizes for AD users, just not based on AD group membership.
At the moment I'd settle for a workaround, other than simply recreating the AD groups as TWikiGroups since that would defeat the purpose. Or perhaps an example configuration from someone who has got this working with AD groups.
--
NigelWhitley - 23 Jan 2008
I think I've found the problem.
View calls checkAccess with session->user, which is the "real" login name, not the TWikiName form.
isInList uses the list generated from groupMembers, and that uses the TWikiName for the login name (it seems).
So, for a login name of nigel, say, it compares "nigel" to "Nigel" and fails to find a match. I saw this behaviour by putting some debugging in isInList in User.pm and it cheerfully ignored the user it should have matched. I haven't figured out any sort of fix yet I'm afraid.
--
NigelWhitley - 12 Feb 2008
I've changed line 123 of LdapUserMapping.pm to call findUser with $name rather than $wikiName and it seems to be working now. With that change in place, I can allow access to a topic through AD group membership. Hopefully someone else can confirm whether that is the "right" fix.
--
NigelWhitley - 13 Feb 2008
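The mismatch diagnosed in the two posts above, as an added example that is not part of the original thread and is not TWiki or LdapContrib code: a small Perl model in which the session carries the login name while group members are expanded either as wiki names or as login names. The sample data, the helper names (`canonical`, `expand_list`, `check_access`) and the assumption that a directly listed user resolves correctly in both models are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration: a simplified model of the mismatch described in the
# thread. Not TWiki or LdapContrib source; every name here is hypothetical.
use strict;
use warnings;

# Constructed sample data: login name => wiki name, group => member logins.
my %wiki_of  = ( nigel => 'Nigel', testuser => 'TestUser', other => 'Other' );
my %login_of = reverse %wiki_of;
my %groups   = ( TestGroup => [qw(nigel testuser)] );

# Reduce a directly listed user to the login name; unknown names pass through.
sub canonical {
    my ($id) = @_;
    return exists $login_of{$id} ? $login_of{$id} : $id;
}

# Expand an ALLOW-style list. $form selects how group members are named:
# 'wiki' models the reported behaviour, 'login' models the consistent form.
sub expand_list {
    my ( $form, @entries ) = @_;
    my @out;
    for my $entry (@entries) {
        if ( my $members = $groups{$entry} ) {
            push @out, $form eq 'wiki' ? ( map { $wiki_of{$_} } @$members ) : @$members;
        }
        else {
            push @out, canonical($entry);    # direct entries resolve in both models
        }
    }
    return @out;
}

# Exact string comparison against the session's login name.
sub check_access {
    my ( $form, $session_login, @allow ) = @_;
    return ( grep { $_ eq $session_login } expand_list( $form, @allow ) ) ? 1 : 0;
}

# Regression table: two group members, a non-member, and a direct entry.
for my $case ( [ nigel => 'TestGroup' ], [ testuser => 'TestGroup' ],
               [ other => 'TestGroup' ], [ testuser => 'TestUser' ] ) {
    my ( $login, $allow ) = @$case;
    printf "%-8s ALLOW=%-9s wiki-form=%d login-form=%d\n", $login, $allow,
      check_access( 'wiki', $login, $allow ), check_access( 'login', $login, $allow );
}
```

A table like this is worth keeping as a regression check after any change to the user mapping: group members must be granted access, and the non-member must stay denied in both columns.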
Nigel, thanks a lot for investigating this bug! I will take a look at it.
--
MichaelDaum - 14 Feb 2008
Closing, identified as a bug.
--
PeterThoeny - 03 Apr 2008
Can I please know whether the bug that NigelWhitley pointed out has been fixed? I use TWiki-4.3.2, Wed, 02 Sep 2009, build 18148 and LdapContrib $Rev: 16840 (06 Oct 2008) but still have the same problem with access control. Thank you.
--
AnhTran - 2010-03-29
Not sure, possibly not. The group support in the LdapContrib is still flaky. There are other problems with this contrib as well, such as not scaling well to over a few thousand users in the LDAP directory. I'd like to see this contrib rewritten from scratch.
--
PeterThoeny - 2010-03-29