Re: ldapReference usage question

Sorry about previous message, got tangled in my addresses.

-------- Original Message --------

Hi Anahide,

Thanks for your answer. Here are my config files.

I think I need another directory definition for my posixGroups (as per the tests config (src)) but would like a confirmation before digging into it.

Thanks.

Patrick

> Hi,
> There is some documentation available here:
> http://doc.nuxeo.org/5.1/books/nuxeo-book/html/chapter-directories.html#ldap-directories
> But given what you're saying, it looks like you're in the good
> direction. Maybe copying here your configuration that doesn't behave
> as expected would help figuring out the problem.
>
> Regards,
>
> > Still configuring my Ldap for production usage. For my group creation
> > problem (with attributes with set values), I'll post a patch in jira soon.
> >
> > I'm trying to achieve subGroups (group of group in fact). Looking at the
> > examples and the test configs, I realise I have to use ldapReference
> > and/or ldapReferenceTree, but I can't figure out how exactly to do it yet.
> >
> > My nuxeo managed groups have objectClass "gosaGroupOfNames" with
> > attribute "member = uid=username,dc=example,dc=com" for members.
> > I can put our general group in there "member =
> > cn=personGroup,ou=Groups,dc=example,dc=com".
> >
> > Unfortunately, nuxeo can't see the members of those groups.
> >
> > My internal groups have objectClass of "posixGroup" and the members are
> > identified with "memberUid = myUid".
> >
> > Should I create another "directory" element to configure the lookup of
> > group members? Should I put a specific value in dynamicAttributeId of
> > ldapReference? Should I use ldapTreeReference?
> >
> > To put things in context, our ldap is OpenLdap, managed with GOsa
> > (https://oss.gonicus.de/labs/gosa/) and is structured around posixGroup.
> >
> > Thanks for any help in sorting this out.
> >
> > Patrick Turcotte
> > Revolution Linux

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups LDAP directory for users is required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.ldap.storage.users</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="groupDirectory">
      <!-- Reuse the default server configuration defined for userDirectory -->
      <server>default</server>
      <schema>group</schema>
      <idField>groupname</idField>
      <searchBaseDn>dc=example,dc=com</searchBaseDn>
      <!-- <searchFilter></searchFilter> -->
      <searchFilter>(|(objectClass=posixGroup)(objectClass=gosaGroupOfNames))</searchFilter>
      <searchScope>subtree</searchScope>
      <readOnly>false</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>
      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <creationBaseDn>ou=Group,ou=nuxeo,dc=example,dc=com</creationBaseDn>
      <creationClass>top</creationClass>
      <!-- <creationClass>groupOfUniqueNames</creationClass> -->
      <creationClass>gosaGroupOfNames</creationClass>
      <attributesWithValues name="gosaGroupObjects">[U]</attributesWithValues>

      <!-- Maximum number of entries returned by the search -->
      <querySizeLimit>200</querySizeLimit>
      <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
      <queryTimeLimit>0</queryTimeLimit>

      <rdnAttribute>cn</rdnAttribute>
      <fieldMapping name="groupname">cn</fieldMapping>

      <references>
        <!-- LDAP reference resolve DNs embedded in uniqueMember attributes
          If the target directory has no specific filtering policy, it is
          most of the time not necessary to enable the 'forceDnConsistencyCheck' policy.
          Enabling this option will fetch each reference entry to ensure its
          existence in the target directory.
        -->
        <ldapReference field="members" directory="userDirectory"
          forceDnConsistencyCheck="false" staticAttributeId="member"
          dynamicAttributeId="memberURL" />
        <ldapReference field="subGroups" directory="groupDirectory"
          forceDnConsistencyCheck="false" staticAttributeId="member"
          dynamicAttributeId="memberURL" />
        <inverseReference field="parentGroups" directory="groupDirectory"
          dualReferenceField="subGroups" />
      </references>
    </directory>
  </extension>
</component>

<?xml version="1.0"?>
<component name="org.nuxeo.ecm.directory.ldap.storage.users">
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
  <implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
  <require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>

  <!-- the groups SQL directories are required to make this bundle work -->
  <require>org.nuxeo.ecm.directory.sql.storage</require>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="servers">
    <!-- Configuration of a server connection
      A single server declaration can point to a cluster of replicated
      servers (using OpenLDAP's slapd + slurpd for instance). To leverage
      such a cluster and improve availability, please provide one
      <ldapUrl/> tag for each replica of the cluster.
    -->
    <server name="default">
      <ldapUrl>ldap://ldap-pturcotte.example.com:389</ldapUrl>
      <!-- <ldapUrl>ldaps://ldapdmz.example.com:636</ldapUrl> -->
      <!-- Optional servers from the same cluster for failover and load balancing:
        <ldapUrl>ldap://server2:389</ldapUrl>
        <ldapUrl>ldaps://server3:389</ldapUrl>
        "ldaps" means TLS/SSL connection.
      -->
      <!-- Credentials used by Nuxeo5 to browse the directory, create and modify entries.
        Only the authentication of users (bind) use the credentials entered
        through the login form if any.
      -->
      <bindDn>uid=nuxeoadmin,ou=People,ou=nuxeo,dc=example,dc=com</bindDn>
      <bindPassword>changeme</bindPassword>
    </server>
  </extension>

  <extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="userDirectory">
      <server>default</server>
      <schema>user</schema>
      <idField>username</idField>
      <passwordField>password</passwordField>
      <searchBaseDn>ou=People,dc=example,dc=com</searchBaseDn>
      <searchClass>person</searchClass>
      <!-- To additionally restrict entries you can add an arbitrary search filter
        such as the following:
        <searchFilter>(&amp;(sn=toto*)(myCustomAttribute=somevalue))</searchFilter>
        Beware that "&" writes "&amp;" in XML.
      -->
      <!-- use subtree if the people branch is nested -->
      <searchScope>onelevel</searchScope>
      <!-- using 'subany', search will match *toto*. use 'subfinal' to match *toto
        and 'subinitial' to match toto*. subinitial is the default behaviour-->
      <substringMatchType>subany</substringMatchType>
      <readOnly>false</readOnly>

      <!-- comment <cache* /> tags to disable the cache -->
      <!-- cache timeout in seconds -->
      <cacheTimeout>3600</cacheTimeout>
      <!-- maximum number of cached entries before global invalidation -->
      <cacheMaxSize>1000</cacheMaxSize>

      <!-- If the id field is not returned by the search, we set it with the
        searched entry, probably the login. Before setting it, you can change
        its case. Accepted values are 'lower' and 'upper', anything else will
        not change the case.
      -->
      <missingIdFieldCase>lower</missingIdFieldCase>

      <!-- Maximum number of entries returned by the search -->
      <querySizeLimit>200</querySizeLimit>
      <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
      <queryTimeLimit>0</queryTimeLimit>

      <creationBaseDn>ou=People,dc=example,dc=com</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>person</creationClass>
      <creationClass>organizationalPerson</creationClass>
      <creationClass>inetOrgPerson</creationClass>

      <rdnAttribute>uid</rdnAttribute>
      <fieldMapping name="username">uid</fieldMapping>
      <fieldMapping name="password">userPassword</fieldMapping>
      <fieldMapping name="firstName">givenName</fieldMapping>
      <fieldMapping name="lastName">sn</fieldMapping>
      <fieldMapping name="company">o</fieldMapping>
      <fieldMapping name="email">mail</fieldMapping>

      <references>
        <inverseReference field="groups" directory="groupDirectory"
          dualReferenceField="members" />
      </references>
    </directory>
  </extension>
</component>

_______________________________________________
ECM mailing list
ECM@...
http://lists.nuxeo.com/mailman/listinfo/ecm
To unsubscribe, go to http://lists.nuxeo.com/mailman/options/ecm
Re: ldapReference usage question

Hi,

Sorry if I did not get it in the first place. So we currently only support resolution of members with a dn such as the member field of the groupOfUniqueNames class (staticAttributeId) or dynamic ldap URL such as in the groupOfURLs class (dynamicAttributeId) (plus hierarchical membership but that's not what you'd like to get). Resolution based on static ids is missing, we'd be happy to review a patch and integrate it (see LDAPReference class).

Regards,
--
Anahide Tchertchian, Nuxeo
Mail: at@... - Tel: +33 (0)1 40 33 79 87
http://www.nuxeo.com - http://www.nuxeo.org

2009/11/12 Patrick Turcotte <patrek@...>:
> Sorry about previous message, got tangled in my addresses.
>
> -------- Original Message --------
>
> Hi Anahide,
>
> Thanks for your answer. Here are my config files.
>
> I think I need another directory definition for my posixGroups (as per
> the tests config (src)) but would like a confirmation before digging
> into it.
>
> Thanks.
>
> Patrick
>> Hi,
>> There is some documentation available here:
>> http://doc.nuxeo.org/5.1/books/nuxeo-book/html/chapter-directories.html#ldap-directories
>> But given what you're saying, it looks like you're in the good
>> direction. Maybe copying here your configuration that doesn't behave
>> as expected would help figuring out the problem.
>>
>> Regards,
>>
>> > Original message from Patrick
>> > Still configuring my Ldap for production usage. For my group creation
>> > problem (with attributes with set values), I'll post a patch in jira soon.
>> >
>> > I'm trying to achieve subGroups (group of group in fact). Looking at the
>> > examples and the test configs, I realise I have to use ldapReference
>> > and/or ldapReferenceTree, but I can't figure out how exactly to do it yet.
>> >
>> > My nuxeo managed groups have objectClass "gosaGroupOfNames" with
>> > attribute "member = uid=username,dc=example,dc=com" for members.
>> > I can put our general group in there "member =
>> > cn=personGroup,ou=Groups,dc=example,dc=com".
>> >
>> > Unfortunately, nuxeo can't see the members of those groups.
>> >
>> > My internal groups have objectClass of "posixGroup" and the members are
>> > identified with "memberUid = myUid".
>> >
>> > Should I create another "directory" element to configure the lookup of
>> > group members? Should I put a specific value in dynamicAttributeId of
>> > ldapReference? Should I use ldapTreeReference?
>> >
>> > To put things in context, our ldap is OpenLdap, managed with GOsa
>> > (https://oss.gonicus.de/labs/gosa/) and is structured around posixGroup.
>> >
>> > Thanks for any help in sorting this out.
>> >
>> > Patrick Turcotte
>> > Revolution Linux
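
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Nuxeo code: DN-valued `member` references resolve to users and sub-groups, while a posixGroup's `memberUid` values need a lookup by id, with each value escaped per RFC 4515 before it goes into a search filter. The entries are constructed sample data modelled on the DNs quoted in the thread, every function name is hypothetical, and the DN handling is a plain split that assumes no escaped commas.

```python
import re

USER_BASE = "ou=people,dc=example,dc=com"   # userDirectory searchBaseDn, normalised
GROUP_BASE = "dc=example,dc=com"            # groupDirectory searchBaseDn
# Constructed sample entries (not from a real directory), keyed by normalised DN.
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"]},
    "cn=persongroup,ou=groups,dc=example,dc=com": {      # posixGroup: bare ids
        "cn": ["personGroup"], "memberUid": ["alice", "bob", "tmp*"]},
    "cn=editors,ou=group,ou=nuxeo,dc=example,dc=com": {  # gosaGroupOfNames: DNs
        "cn": ["editors"], "member": ["uid=alice,ou=People,dc=example,dc=com",
                                      "cn=personGroup,ou=Groups,dc=example,dc=com"]},
}

def norm(dn):
    """Lower-case a DN and trim its components (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def escape_filter_value(value):
    """RFC 4515: escape backslash, *, ( ) and NUL before building a filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def resolve_by_dn(entry, attr, rdn_attr, base):
    """DN-valued reference: keep existing targets under base whose RDN is rdn_attr."""
    ids = []
    for dn in map(norm, entry.get(attr, [])):
        rdn, _, parent = dn.partition(",")
        target = ENTRIES.get(dn)
        if target and rdn.startswith(rdn_attr + "=") and ("," + parent).endswith("," + base):
            ids.append(target[rdn_attr][0])
    return ids

def resolve_by_id(entry, attr, id_attr="uid"):
    """Bare-id reference: one escaped equality filter per value, matched exactly."""
    results = []
    for value in entry.get(attr, []):
        flt = "(&(objectClass=person)(%s=%s))" % (id_attr, escape_filter_value(value))
        hits = [e[id_attr][0] for dn, e in ENTRIES.items()
                if dn.endswith("," + USER_BASE) and value in e.get(id_attr, [])]
        results.append((flt, hits))
    return results

def describe(group_dn):
    group = ENTRIES[norm(group_dn)]
    by_id = resolve_by_id(group, "memberUid")
    return {"members_by_dn": resolve_by_dn(group, "member", "uid", USER_BASE),
            "subgroups_by_dn": resolve_by_dn(group, "member", "cn", GROUP_BASE),
            "members_by_uid": [uid for _, hits in by_id for uid in hits],
            "filters": [flt for flt, _ in by_id]}
```

Calling `describe` on the posixGroup DN returns no members by DN, which is the symptom reported in the thread; its `memberUid` values only resolve through the by-id path, and the constructed value `tmp*` is sent as a literal rather than as a wildcard.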
Re: ldapReference usage question

Hi Anahide,

I'd gladly look into it, but, being new to Ldap and nuxeo, I'd need a little more guidance, as to within which method of LDAPReference I should patch, what existing test would be close of what's needed, anything.

Thanks,

Patrick

> Hi,
>
> Sorry if I did not get it in the first place. So we currently only
> support resolution of members with a dn such as the member field of
> the groupOfUniqueNames class (staticAttributeId) or dynamic ldap URL
> such as in the groupOfURLs class (dynamicAttributeId) (plus
> hierarchical membership but that's not what you'd like to get).
> Resolution based on static ids is missing, we'd be happy to review a
> patch and integrate it (see LDAPReference class).
>
> Regards,