[389-users] Membership of Roles

Derek Belcher jderekbelcher at gmail.com
Mon Sep 2 23:52:05 UTC 2013


I have been watching this thread all weekend with great interest also. I am
hoping that since this is a holiday weekend in the States, everyone
is just busy. Might get responses tomorrow.
On Sep 2, 2013 6:08 PM, "Andy" <racingyacht1 at gmail.com> wrote:

> Does anyone have any experience in setting up roles to work with either
> Liferay or blog systems to give me a pointer?
>
> I can import users, but I am having problems with getting the systems to
> identify which roles are assigned to users.
>
> From: Andy [mailto:racingyacht1 at gmail.com]
> Sent: 01 September 2013 20:59
> To: 389-users at lists.fedoraproject.org
> Subject: RE: Membership of Roles
>
> One further clarification on the problem. Users and roles are being
> imported, but user’s membership of roles is not being found on searches.
> Also tried on Liferay enterprise portal and get a similar problem. Users
> are being imported, but issues with roles.
>
> From: Andy [mailto:racingyacht1 at gmail.com]
> Sent: 01 September 2013 12:50
> To: 389-users at lists.fedoraproject.org
> Subject: RE: Membership of Roles
>
> Please find additional information on the configuration of the blog system.
>
> My configuration:
>
> AuthenticationModule LDAP
> LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
> LDAPAuthBindDN cn=Directory Manager (will replace with application user
> account once phase one integration is completed)
> LDAPAuthPassword xxxxxx
> LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
> ExternalUserManagement 1
> ExternalGroupManagement 1
> ExternalUserSyncFrequency 60
> LDAPGroupNameAttribute cn
> LDAPGroupIdAttribute nsUniqueId
> LDAPGroupFullNameAttribute cn
> LDAPGroupMemberAttribute memberof
> LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
> LDAPGroupFilter (objectclass=ldapSubEntry)
> LDAPUserIdAttribute uid
> LDAPUserEmailAttribute mail
> LDAPUserFullNameAttribute cn
> LDAPUserGroupMemberAttribute nsrole
>
> The default settings for OpenLDAP installations are:
>
> Stage 1
>
> Authentication URL: ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
> Authentication DN:
> Authentication Password: Password
> Test Username: Test email address
> Test Password: Password for test user
>
> Stage 2
>
> Group Search Base Attribute: dc=xxx,dc=com
> Group Filter Attribute: (objectClass=groupOfUniqueNames)
>
> Attributes (OpenLDAP)
>
> User ID Attribute: entryUUID
> Email Attribute: mail
> User Fullname Attribute: cn
> User Member Attribute: uid
> GroupID Attribute: entryUUID
> Group Name Attribute: cn
> Group Fullname Attribute: cn
> Group Member Attribute: memberUid
>
> From: Andy [mailto:racingyacht1 at gmail.com]
> Sent: 31 August 2013 13:43
> To: '389-users at lists.fedoraproject.org'
> Subject: Membership of Roles
>
> Hello
>
> I am testing integration of 389-ds with a blogging system. I plan to use
> roles instead of groups to automatically give users rights to service on
> the blog system. However, I am having problems with the system identifying
> members of roles. I need help with defining the correct search parameters
> to identify which roles a uid or cn is a member of.
>
> From within the blog system I’m using LDAPGroupFilter
> (objectclass=ldapSubEntry) to list the roles. The roles list correctly as
> groups within the blog system.
>
> From within 389 the members of roles are configured as filtered, and I can
> see the configured members using the Directory Server GUI.
>
> The blog system is not identifying members of roles when it does its
> search against 389. Note, users can log into the blog system using the
> accounts created on 389. I don’t think I am applying the correct search
> criteria to identify group membership. I need advice on creation of the
> correct search criteria for membership of roles/groups.
>
> Sample log from access:
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
> [31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))" attrs="distinguishedName"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> [31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
> [31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3
> [31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))" attrs="uid mail cn mail distinguishedName"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
> [31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
> [31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
> [31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
> [31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
> [31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
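The access-log excerpt quoted above is the most useful evidence in the thread, and it is worth reading it op by op rather than as a wall of text. In 389-ds, roles (managed, filtered, nested) do not carry a `member` attribute on the role entry: membership is computed by the server and exposed on each user entry as the virtual `nsRole` attribute (for a filtered role, whichever entries match its `nsRoleFilter`). The op=5 search with `attrs="nsRole"` therefore returns the right information, while the op=6 search, which asks the `ldapSubEntry` role entries for `member=<dn>`, returns `nentries=0` because that attribute does not exist on them. The following Python script, added here as an example and not code from the thread or from 389-ds, pairs each request with its RESULT by `(conn, op)`, lists searches that completed successfully but returned nothing, singles out `member=` lookups against role entries, and also reports which operations were performed while bound as `cn=Directory Manager`, since an application account with a narrow ACI is the usual mitigation for that (the poster already plans it). The sample log is constructed from the quoted excerpt, with the thread's `xxxx` placeholders kept and the mailing-list `at` obfuscation replaced by `@`.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the access-log excerpt quoted in the thread
# (hostnames and DNs are the thread's own placeholders; op=3 and op=4 omitted).
SAMPLE_LOG = """\
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16@xxxx.com)(objectClass=*))" attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
"""

# "[timestamp] conn=N op=N KIND rest..." ; KIND is BIND/SRCH/RESULT/...
HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<kind>\w+)(?P<rest>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces) or bare
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
REQUEST_KINDS = {"BIND", "SRCH", "UNBIND", "ADD", "MOD", "DEL", "MODRDN", "CMP", "EXT", "ABANDON"}


def parse_line(line):
    """Parse one access-log line into a dict; None for lines we do not track (e.g. 'fd=68 closed')."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    kind = m["kind"]
    if kind != "RESULT" and kind not in REQUEST_KINDS:
        return None
    rec = {"ts": m["ts"], "conn": int(m["conn"]), "op": int(m["op"]), "kind": kind}
    for key, val in KV.findall(m["rest"]):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def correlate(log_text):
    """Pair every request with its RESULT line under the key (conn, op), preserving log order."""
    ops = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        slot = "result" if rec["kind"] == "RESULT" else "request"
        ops.setdefault((rec["conn"], rec["op"]), {})[slot] = rec
    return ops


def empty_searches(ops):
    """Searches that succeeded (err=0) but matched no entries: the symptom the thread is chasing."""
    found = []
    for (conn, op), pair in ops.items():
        req, res = pair.get("request"), pair.get("result")
        if req and res and req["kind"] == "SRCH" and res.get("err") == "0" and int(res.get("nentries", "0")) == 0:
            found.append({"conn": conn, "op": op, "base": req.get("base", ""), "filter": req.get("filter", "")})
    return found


def looks_like_member_lookup_on_roles(search):
    """True when a search asks role entries (ldapSubEntry) for a 'member' value they never carry."""
    f = search["filter"].lower()
    return "ldapsubentry" in f and "member=" in f


def privileged_binds(ops, dn="cn=directory manager"):
    """(conn, op) of every BIND as the given DN; DNs are compared case-insensitively."""
    return [key for key, pair in ops.items()
            if pair.get("request", {}).get("kind") == "BIND"
            and pair["request"].get("dn", "").lower() == dn]


def report(log_text):
    ops = correlate(log_text)
    empties = empty_searches(ops)
    return {
        "empty_searches": empties,
        "suspect_role_member_lookups": [s["op"] for s in empties if looks_like_member_lookup_on_roles(s)],
        "directory_manager_binds": privileged_binds(ops),
    }


if __name__ == "__main__":
    for line in report(SAMPLE_LOG).items():
        print(*line)
```

Run against the constructed sample, the report names op=6 as the only empty search, flags it as a `member=` lookup against role entries, and lists op=0 as a Directory Manager bind; pointing the same script at a real `access` log (one `conn` at a time) gives the same three answers for a live integration attempt. The fix implied by the log is on the application side: read the user's `nsRole` values (as op=5 already does) and treat each returned DN as a group, instead of searching the role entries for a `member` attribute.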