
Item5474: nested groups don't work with Active Directory server

Item Form Data

AppliesTo: Extension
Component: LdapContrib
Priority: Normal
CurrentState: Being Worked On
WaitingFor: TWiki:Main/MichaelDaum
TargetRelease: n/a
ReleasedIn:


Detail

Hi,

It seems that TWiki 4.2.0 and LdapContrib v2.99.4 don't work with hierarchical groups or nested groups in my environment. I'm running a Microsoft AD LDAP server and I have groups like

   objectClass: groups
   dn: CN=EL_FIN,OU=Org,...
   cn: EL_FIN
   member: CN=EL_FIN_DIR,OU=Org,....

I'm using

   GroupAttribute = 'cn'
   MemberAttribute = 'member'
   MemberIndirection = 1

It seems that the cacheGroupFromEntry function iterates over all groups found from the LDAP search and adds those members of the current group $groupName, which have $data->{"DN2U::$member_DN"} defined. Because groups are not user accounts, they don't have this data defined and they are skipped with the error message "oops, $member_DN not found, but member of $groupName".

Therefore the relationship between, for example, EL_FIN and EL_FIN_DIR is never established and the nested groups do not work for authorizations.

The patch has a bug with international group names. I didn't convert from UTF to the TWiki charset, and the correct lines should be

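# Convert the nested group's name from UTF-8 to the site charset,
# unless the site charset is already UTF-8.
# from_utf8() is provided by Unicode::MapUTF8.
if ($memberGroupName) {
   $memberGroupName = from_utf8(-string=>$memberGroupName, -charset=>$TWiki::cfg{Site}{CharSet})
      unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;
   # ... rest of the branch as in the attached patch
}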

-- TWiki:Main.AivoJurgenson - 29 Apr 2008

This might be related to Item5118. TWiki's 4.2.0 code is pretty buggy currently.

-- TWiki:Main.MichaelDaum - 02 Jun 2008

No, I've found the bug. Being worked on.

-- TWiki:Main.MichaelDaum - 11 Jun 2008

The provided patch has another bug itself. When normalizeGroupName is used, the patch doesn't follow normalized group names and therefore breaks the indirection. The correct way is to add

if ($this->{normalizeGroupName}) {
   $memberGroupName = $this->normalizeWikiName($memberGroupName);
}

code snippet to the if ($memberGroupName) { branch.

-- TWiki:Main.AivoJurgenson - 29 Jul 2008
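
The failure described in this report and the normalizeGroupName follow-up, as an added Perl example (not the attached patch and not LdapContrib's own code): each member DN is resolved as a user first, then as a nested group under the same key the group is cached under, and expansion is guarded against circular nesting. The entries are constructed, normalize() is a hypothetical stand-in for the module's name normalization, and entries carrying a member attribute are assumed to be groups.

```perl
use strict;
use warnings;

# Constructed sample entries (not from a real directory); the two groups nest in a cycle.
my @entries = (
  { dn => 'CN=alice,OU=Org', cn => 'alice' },
  { dn => 'CN=bob,OU=Org',   cn => 'bob' },
  { dn => 'CN=EL_FIN,OU=Org', cn => 'EL_FIN',
    member => ['CN=EL_FIN_DIR,OU=Org', 'CN=bob,OU=Org'] },
  { dn => 'CN=EL_FIN_DIR,OU=Org', cn => 'EL_FIN_DIR',
    member => ['CN=alice,OU=Org', 'CN=EL_FIN,OU=Org'] },
);
# Hypothetical stand-in for the module's group name normalization.
sub normalize { my $n = shift; $n =~ s/[^A-Za-z0-9]//g; return $n }

sub build_cache {
  my ($entries, $normalize) = @_;
  my (%dn2u, %dn2g, %members);
  # Pass 1: index every DN as user or group; groups are keyed by their final (normalized) name.
  for my $e (@$entries) {
    if ($e->{member}) { $dn2g{ $e->{dn} } = $normalize ? normalize($e->{cn}) : $e->{cn} }
    else              { $dn2u{ $e->{dn} } = $e->{cn} }
  }
  # Pass 2: a member DN that is not a user may be a nested group; only unknown DNs are skipped.
  for my $e (grep { $_->{member} } @$entries) {
    my $group = $dn2g{ $e->{dn} };
    for my $dn (@{ $e->{member} }) {
      if    (defined $dn2u{$dn}) { push @{ $members{$group} }, { user  => $dn2u{$dn} } }
      elsif (defined $dn2g{$dn}) { push @{ $members{$group} }, { group => $dn2g{$dn} } }
      else                       { warn "unresolved member $dn of $group\n" }
    }
  }
  return \%members;
}

# Expand a group to user logins; %$seen stops circular nesting from recursing forever.
sub expand {
  my ($members, $group, $seen) = @_;
  $seen ||= {};
  return () if $seen->{$group}++;
  my %users;
  for my $m (@{ $members->{$group} || [] }) {
    my @u = defined $m->{user} ? ($m->{user}) : expand($members, $m->{group}, $seen);
    @users{@u} = ();
  }
  return sort keys %users;
}

my $cache = build_cache(\@entries, 1);
print join(',', expand($cache, normalize('EL_FIN'))), "\n";
```

If the nested reference were stored under the raw cn while the group itself is cached under its normalized name, the lookup in expand() would find no members and users of the inner group would silently lose access granted through the outer one.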

ItemTemplate
Summary nested groups don't work with Active Directory server
ReportedBy TWiki:Main.AivoJurgenson
Codebase 4.2.0
SVN Range TWiki-5.0.0, Sun, 09 Mar 2008, build 16496
AppliesTo Extension
Component LdapContrib
Priority Normal
CurrentState Being Worked On
WaitingFor TWiki:Main/MichaelDaum
Checkins

TargetRelease n/a
ReleasedIn

Topic attachments
Attachment: LdapContrib.patch (r1, 1.6 K, 2008-03-25 - 17:34, UnknownUser)
Comment: quick and dirty patch to lib/TWiki/Contrib/LdapContrib.pm
Topic revision: r6 - 2008-07-29 - AivoJurgenson
 