This question about Using an extension: Asked
LdapContrib nested groups with memberIndirection enabled don't work for groups in a sub ou
When attempting to parse my organization's LDAP for group membership information, nested groups do not get parsed properly if the group is in a sub ou. Here is an example where groupA contains two groups, groupB and groupC, that are located in a sub ou.
LdapContrib - called getGroup(groupA), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupA)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 1 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupB,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupB,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called getGroup(groupC,ou=subou), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - called search(filter=(&(objectClass=posixGroup)(cn=groupC,ou=subou)), base=ou=groups,dc=domain,dc=local, scope=sub, limit=0, attrs=*), referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
LdapContrib - found 0 entries, referer: http://localhost/foswiki/bin/view/Testing/WebHome?foswiki_redirect_cache=e481fe9268da7b6123c97cbab1fbd341
If getGroup could have been called on just the group name and not the group name plus the sub ou, it would have worked. Is this a problem with my LDAP server not returning a result for the filter or an issue with LdapContrib? Here are the relevant settings from my LocalSite.cfg:
$Foswiki::cfg{Ldap}{Host} = 'ldap.domain.local';
$Foswiki::cfg{Ldap}{Port} = 389;
$Foswiki::cfg{Ldap}{Version} = '3';
$Foswiki::cfg{Ldap}{Base} = 'dc=domain,dc=local';
$Foswiki::cfg{Ldap}{BindDN} = '';
$Foswiki::cfg{Ldap}{BindPassword} = 'secret';
$Foswiki::cfg{Ldap}{UseSASL} = 0;
$Foswiki::cfg{Ldap}{SASLMechanism} = 'PLAIN CRAM-MD5 EXTERNAL ANONYMOUS';
$Foswiki::cfg{Ldap}{UseTLS} = 0;
$Foswiki::cfg{Ldap}{TLSSSLVersion} = 'tlsv1';
$Foswiki::cfg{Ldap}{TLSVerify} = 'require';
$Foswiki::cfg{Ldap}{TLSCAPath} = '';
$Foswiki::cfg{Ldap}{TLSCAFile} = '';
$Foswiki::cfg{Ldap}{TLSClientCert} = '';
$Foswiki::cfg{Ldap}{TLSClientKey} = '';
$Foswiki::cfg{Ldap}{Debug} = 1;
$Foswiki::cfg{Ldap}{UserBase} = 'ou=people,dc=domain,dc=local';
$Foswiki::cfg{Ldap}{LoginFilter} = 'objectClass=posixAccount';
$Foswiki::cfg{Ldap}{UserScope} = 'sub';
$Foswiki::cfg{Ldap}{LoginAttribute} = 'uid';
$Foswiki::cfg{Ldap}{WikiNameAttribute} = 'cn';
$Foswiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$Foswiki::cfg{Ldap}{NormalizeLoginNames} = 0;
$Foswiki::cfg{Ldap}{WikiNameAliases} = '';
$Foswiki::cfg{Ldap}{AllowChangePassword} = 0;
$Foswiki::cfg{Ldap}{SecondaryPasswordManager} = 'none';
$Foswiki::cfg{Ldap}{GroupBase} = 'ou=groups,dc=domain,dc=local';
$Foswiki::cfg{Ldap}{GroupFilter} = 'objectClass=posixGroup';
$Foswiki::cfg{Ldap}{GroupScope} = 'sub';
$Foswiki::cfg{Ldap}{GroupAttribute} = 'cn';
$Foswiki::cfg{Ldap}{PrimaryGroupAttribute} = 'gidNumber';
$Foswiki::cfg{Ldap}{MemberAttribute} = 'member';
$Foswiki::cfg{Ldap}{InnerGroupAttribute} = 'member';
$Foswiki::cfg{Ldap}{MemberIndirection} = 1;
$Foswiki::cfg{Ldap}{WikiGroupsBackoff} = 1;
$Foswiki::cfg{Ldap}{NormalizeGroupNames} = 0;
$Foswiki::cfg{Ldap}{MapGroups} = 1;
$Foswiki::cfg{Ldap}{RewriteGroups} = {};
$Foswiki::cfg{Ldap}{RewriteWikiNames} = {};
$Foswiki::cfg{Ldap}{MergeGroups} = 0;
$Foswiki::cfg{Ldap}{MaxCacheAge} = 86400;
$Foswiki::cfg{Ldap}{Precache} = 0;
$Foswiki::cfg{Ldap}{PageSize} = 0;
$Foswiki::cfg{Ldap}{Exclude} = 'WikiGuest, ProjectContributor, RegistrationAgent, UnknownUser, AdminGroup, NobodyGroup';
I patched my LDAPContrib.pm with this to make it work:
@@ -2210,9 +2211,9 @@
if (!$this->{preCache} && $member =~ /$this->{groupBase}/i) {
my $innerGroupName = $member;
$innerGroupName =~ s/$this->{groupBase}//o;
$innerGroupName =~ s/$this->{groupAttribute}=//o;
$innerGroupName =~ s/^,+//o;
- $innerGroupName =~ s/,+$//o;
+ $innerGroupName =~ s/,.*$//o;
# Smell: this may not be reliable and may work only with membersind
irection. TO CHECK
if ($innerGroupName ne "" && $this->isGroup($innerGroupName, $data)
) {
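Review bot: The new `s/,.*$//o` line keeps only the text before the first comma, so the sub-OU part of the member DN is discarded and two groups with the same cn in different OUs under the group base collapse to one inner group name; because `isGroup($innerGroupName, $data)` then drives nested membership, their members can be merged. It also truncates a cn value that itself contains an escaped comma. Consider resolving the inner group by its full DN, or checking that the shortened name maps back to the same member DN before using it. In the unchanged context, `s/$this->{groupBase}//o` interpolates the base without `\Q...\E` and without `/i`, while the guard on the first line matches with `/i`, so a member DN that differs from the configured base only in case passes the guard but is not stripped; `/o` on a pattern built from `$this` also freezes the first value compiled in the process.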
--
JayenAshar - 02 Nov 2011
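
The name handling described in the question, as an added example that is not part of the original post and not LdapContrib's own code: it re-creates the stripping seen in the debug log, then shows a stricter extraction of the leading RDN with the value escaped before it goes into the search filter. The function names and the sample DNs are hypothetical, constructed from the names used in the question.

```perl
use strict;
use warnings;

# Re-creation (assumption) of the stripping seen in the debug log: remove the
# group base and the "cn=" prefix, trim commas. A sub-OU stays in the name.
sub name_as_logged {
    my ($member, $base, $attr) = @_;
    return unless $member =~ /\Q$base\E/i;
    (my $name = $member) =~ s/\Q$base\E//i;
    $name =~ s/\Q$attr\E=//i;
    $name =~ s/^,+//;
    $name =~ s/,+$//;
    return $name;
}

# Hypothetical alternative: accept the member only if its DN ends in the
# group base, then return the value of the leading RDN if that RDN uses the
# group attribute. Base and attribute are quoted, matching is case-insensitive.
sub leading_rdn_value {
    my ($member, $base, $attr) = @_;
    return unless $member =~ /(?:^|,)\s*\Q$base\E\s*$/i;
    return unless $member =~ /^\s*\Q$attr\E\s*=\s*((?:\\.|[^,+\\])+)/i;
    my $value = $1;
    $value =~ s/\s+$//;
    # Undo DN escaping: "\2C" style hex pairs and "\," style single characters.
    $value =~ s/\\(?:([0-9A-Fa-f]{2})|(.))/defined $1 ? chr(hex $1) : $2/ge;
    return $value;
}

# RFC 4515 escaping so the name cannot change the structure of the filter.
sub escape_filter_value {
    my ($v) = @_;
    $v =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    return $v;
}

my $base    = 'ou=groups,dc=domain,dc=local';
my @members = (    # constructed sample DNs
    'cn=groupB,ou=subou,ou=groups,dc=domain,dc=local',
    'CN=groupD,OU=Groups,DC=domain,DC=local',
    'cn=ops (emea),ou=subou,ou=groups,dc=domain,dc=local',
    'uid=alice,ou=people,dc=domain,dc=local',
);
for my $dn (@members) {
    my $old = name_as_logged($dn, $base, 'cn') // '(not under group base)';
    my $new = leading_rdn_value($dn, $base, 'cn');
    my $filter = defined $new
        ? '(&(objectClass=posixGroup)(cn=' . escape_filter_value($new) . '))'
        : '(no search issued)';
    print "$dn\n  name as logged: $old\n  filter:         $filter\n";
}
```

Taking only the leading RDN value still identifies a group by cn alone, so it is only safe where cn is unique under the group base.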