SID-00360: Cannot get group support working in LdapContrib

Status:	Answered	TWiki version:	4.3.1	Perl version:	5.8.8
Category:	LdapContrib	Server OS:	CentOS 5.3	Last update:	16 years ago

I have been working with 4.3.1-build 18054 and the beta LdapContrib 2.99.7 on CentOS 5.3. This is configured to run against Active Directory on Windows 2003 . While I have user authentication working correctly, my problem is with groups.

1. Our groups in Active Directory are not proper WikiNames and the normalization that occurs is not quite sufficient. Groups are required to have a "Group" suffix, which none of our do. I changed the code to add this suffix based on the current collision code in LdapContrib.pm. However, that is still not sufficient. If a group called "IT" is present, it is being changed to "ITGroup" and not "ItGroup" which creates an error.

2. In the configuration of the plugin, the value called PrimaryGroupAttribute appears to be optional. However, the code makes it mandatory. With Active Directory, the user object has a value called primaryGroupID which is a numeric value. However, this value does not appear within the AD group object anywhere. According to Microsoft, this is a derived value (http://support.microsoft.com/kb/321360). How are people getting this to work?

3. Groups in AD are not creating TwikiGroups as others have reported with earlier versions of the plugin. Perhaps this is related to the errors above, but I am not sure.

My configuration is as follows:

$TWiki::cfg{Ldap}{Host} = 'DomainController.mycompany.com'; $TWiki::cfg{Ldap}{Port} = 389; $TWiki::cfg{Ldap}{Version} = '3'; $TWiki::cfg{Ldap}{Base} = 'dc=mycompany,dc=com'; $TWiki::cfg{Ldap}{BindDN} = 'cn=auth-account,cn=users,dc=mycompany,dc=com'; $TWiki::cfg{Ldap}{BindPassword} = 'password'; $TWiki::cfg{Ldap}{UseSASL} = 0; $TWiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS'; $TWiki::cfg{Ldap}{UseTLS} = 0; $TWiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1'; $TWiki::cfg{Ldap}{TLSVerify} = 'require'; $TWiki::cfg{Ldap}{TLSCAPath} = ''; $TWiki::cfg{Ldap}{TLSCAFile} = ''; $TWiki::cfg{Ldap}{TLSClientCert} = ''; $TWiki::cfg{Ldap}{TLSClientKey} = ''; $TWiki::cfg{Ldap}{Debug} = 7; $TWiki::cfg{Ldap}{UserBase} = 'cn=users,dc=mycompany,dc=com'; $TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=organizationalPerson'; $TWiki::cfg{Ldap}{LoginAttribute} = 'mailNickname'; $TWiki::cfg{Ldap}{WikiNameAttribute} = 'cn'; $TWiki::cfg{Ldap}{NormalizeWikiNames} = 1; $TWiki::cfg{Ldap}{NormalizeLoginNames} = 0; $TWiki::cfg{Ldap}{WikiNameAliases} = ''; $TWiki::cfg{Ldap}{AllowChangePassword} = 0; $TWiki::cfg{Ldap}{SecondaryPasswordManager} = 'TWiki::Users::HtPasswdUser'; $TWiki::cfg{Ldap}{GroupBase} = 'cn=users,dc=mycompany,dc=com'; $TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group'; $TWiki::cfg{Ldap}{GroupAttribute} = 'cn'; $TWiki::cfg{Ldap}{PrimaryGroupAttribute} = 'primaryGroupID'; $TWiki::cfg{Ldap}{MemberAttribute} = 'member'; $TWiki::cfg{Ldap}{MemberIndirection} = 1; $TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1; $TWiki::cfg{Ldap}{NormalizeGroupNames} = 1; $TWiki::cfg{Ldap}{MapGroups} = 1; $TWiki::cfg{Ldap}{MaxCacheAge} = 86400; $TWiki::cfg{Ldap}{PageSize} = 500; $TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';

Am I missing something obvious? If so, please advise. If not, perhaps I can work with someone to get this working correctly within Active Directory.

-- SteveVanDomelen - 2009-06-09

Discussion and Answer

Closing this question after more than 30 days of inactivity. Feel free to reopen if needed. Consider engaging one of the TWiki consultants if you need timely help. We invite you to get involved with the community, it is more likely you get community support if you support the open source project!

-- PeterThoeny - 2009-08-12

You can go to this page : http://twiki.org/cgi-bin/view/Plugins/LdapContribDev and answer is in the attach file - myLdapContrib4.3.1.zip

-- DarrenYang - 2009-09-15

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.