

Caution: This documentation is for eZ Publish legacy, from version 3.x to 5.x.

  • LDAP Group Mapping Type

    UseGroupAttribute

    This mode requires that group membership is specified in the LDAP user object, i.e. the user object contains an attribute specifying the groups. When you use this, you must set LDAPUserGroupAttribute to the LDAP attribute that holds the group information. Also, LDAPUserGroupAttributeType must be either 'id' or 'name'.

    If 'id' is used, then the LDAPUserGroupAttribute attribute must contain an ID (example: 42) that will match an existing eZ Publish group with the name 'LDAP 42'. If 'name' is used, then the LDAPUserGroupAttribute attribute must contain the name of an existing eZ Publish group. Starting with eZ Publish 4.3, there is a third option 'dn', meaning that the LDAPUserGroupAttribute attribute must contain a DN referring to the group the user belongs to. (Note that in LDAP, some attributes may be set multiple times, as opposed to having the same attribute containing multiple values.)

    Some examples:

    ldap.ini settings

    LDAPGroupMappingType=UseGroupAttribute
    LDAPUserGroupAttributeType=id
    LDAPUserGroupAttribute=employeetype

    LDAP user objects

    uid: janedoe
    employeetype: 22

    uid: johndoe
    employeetype: 22
    employeetype: 42

    Maps users to eZ Publish groups

    janedoe: 'LDAP 22'

    johndoe: 'LDAP 22', 'LDAP 42'

    ldap.ini settings

    LDAPGroupMappingType=UseGroupAttribute
    LDAPUserGroupAttributeType=name
    LDAPUserGroupAttribute=employeetype

    LDAP user objects

    uid: janedoe
    employeetype: Editors

    uid: johndoe
    employeetype: Editors
    employeetype: Technical writers

    Maps users to eZ Publish groups

    janedoe: 'Editors'

    johndoe: 'Editors', 'Technical writers'

    ldap.ini settings

    LDAPGroupMappingType=UseGroupAttribute
    LDAPUserGroupAttributeType=dn
    LDAPUserGroupAttribute=employeetype

    LDAP user objects

    uid: janedoe
    employeetype: cn=Editors,dc=Groups,dc=example,dc=com

    uid: johndoe
    employeetype: cn=Editors,dc=Groups,dc=example,dc=com
    employeetype: cn="Technical writers",dc=Groups,dc=example,dc=com

    Maps users to eZ Publish groups

    janedoe: 'Editors'

    johndoe: 'Editors', 'Technical writers'

    In eZ Publish 4.2 and older, all three LDAPUserGroupAttributeType alternatives require that the groups already exist in eZ Publish; the login handler will not create them. Starting with eZ Publish 4.3, if LDAPCreateMissingGroups is enabled, the handler creates groups as needed. This setting is disabled by default, for backwards compatibility. When groups are not created, the handler falls back to the default group.
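The following is an added example, not eZ Publish code, that models the UseGroupAttribute rules described above: the 'id', 'name' and 'dn' attribute types, multi-valued attributes, the LDAPCreateMissingGroups switch and the fall-back to the default group. The ldap.ini settings, the LDAP user objects and the set of existing eZ Publish groups are constructed inline; the assumption that the fall-back is applied per user (only when no group at all could be mapped) is the example's own, as the page does not spell this out.

```python
import re

# Constructed ldap.ini settings for the UseGroupAttribute mode (a dict, not a real ini file).
SETTINGS = {
    "LDAPGroupMappingType": "UseGroupAttribute",
    "LDAPUserGroupAttribute": "employeetype",
    "LDAPUserGroupAttributeType": "dn",      # 'id', 'name' or 'dn' (dn needs 4.3+)
    "LDAPCreateMissingGroups": "disabled",   # the default, for backwards compatibility
    "LDAPUserGroupType": "name",
    "LDAPUserGroup": ["LDAP Users"],         # default group, see "Default group"
}

# Constructed set of group names that already exist in eZ Publish.
EXISTING_GROUPS = {"LDAP 22", "Editors", "LDAP Users"}

# Constructed LDAP user objects: every attribute is a list, because an attribute
# that is "set multiple times" comes back from LDAP as one multi-valued attribute.
USERS = {
    "janedoe": {"employeetype": ["cn=Editors,dc=Groups,dc=example,dc=com"]},
    "johndoe": {"employeetype": [
        "cn=Editors,dc=Groups,dc=example,dc=com",
        'cn="Technical writers",dc=Groups,dc=example,dc=com',
    ]},
}

# Leading cn RDN of a DN; the value may be quoted when it contains commas or spaces.
_CN_RDN = re.compile(r'^\s*cn=(?:"([^"]*)"|([^,]*))', re.IGNORECASE)


def group_name_from_dn(dn):
    """Return the group name carried by the first cn RDN of a group DN."""
    match = _CN_RDN.match(dn)
    if not match:
        raise ValueError("group DN does not start with a cn RDN: %r" % dn)
    quoted, plain = match.groups()
    return quoted if quoted is not None else plain.strip()


def wanted_group_names(user_entry, settings):
    """eZ Publish group names the user asks for, per LDAPUserGroupAttributeType."""
    values = user_entry.get(settings["LDAPUserGroupAttribute"], [])
    mode = settings["LDAPUserGroupAttributeType"]
    if mode == "id":
        return ["LDAP %s" % value for value in values]   # 42 -> 'LDAP 42'
    if mode == "name":
        return list(values)
    if mode == "dn":
        return [group_name_from_dn(value) for value in values]
    raise ValueError("unsupported LDAPUserGroupAttributeType: %r" % mode)


def resolve_attribute_groups(user_entry, settings, existing_groups):
    """Return (groups the user is placed in, groups created on the way).

    A wanted group that does not exist is created only when
    LDAPCreateMissingGroups is enabled; otherwise it is skipped. When nothing
    could be mapped, the default group is used (assumption: the fall-back is
    per user, not per missing group).
    """
    create_missing = settings.get("LDAPCreateMissingGroups") == "enabled"
    placed, created = [], []
    for name in wanted_group_names(user_entry, settings):
        if name not in existing_groups:
            if not create_missing:
                continue
            existing_groups.add(name)
            created.append(name)
        placed.append(name)
    if not placed:
        placed = list(settings["LDAPUserGroup"])
    return placed, created
```

With the constructed data, janedoe lands in 'Editors' either way, while johndoe only gets 'Technical writers' once LDAPCreateMissingGroups is enabled; a user whose attribute maps to no existing group ends up in 'LDAP Users', which is why the default group should carry no more rights than an unmapped user ought to have.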

    SimpleMapping

    This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute, LDAPGroupMemberAttribute, and LDAPUserGroupMap.

    LDAPGroupClass must be set to the class of LDAP group objects. LDAPGroupNameAttribute must be set to the attribute of the LDAP group that contains the name of the group. LDAPGroupMemberAttribute must be set to the attribute of the LDAP group that contains the names of the users that are members. LDAPUserGroupMap is a simple mapping from LDAP group names to eZ Publish group names. Example: 'LDAPUserGroupMap[myldapgroup]=myezgroup'. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute. LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through. LDAPGroupDescriptionAttribute may be set to the attribute of the LDAP group that contains the description of the group, if any. This will set the same description in the eZ Publish group. This mode requires that the groups exist in eZ Publish, because they will not be created automatically. This allows the eZ Publish groups to have different names than the corresponding LDAP groups.
    The LDAPCreateMissingGroups setting does not apply in this mode.

    An example:

    ldap.ini settings

    LDAPGroupMappingType=SimpleMapping
    LDAPGroupClass=organizationalUnit
    LDAPGroupNameAttribute=cn
    LDAPGroupMemberAttribute=members
    LDAPUserGroupMap[]
    LDAPUserGroupMap[editor]=Editors
    LDAPUserGroupMap[techwriter]=Technical writers

    LDAP group objects

    cn: editor
    members: janedoe
    members: johndoe

    cn: techwriter
    members: johndoe

    Maps users to eZ Publish groups

    janedoe: 'Editors'

    johndoe: 'Editors', 'Technical writers'

    GetGroupsTree

    This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute and LDAPGroupMemberAttribute.
    LDAPGroupClass must be set to the class of LDAP group objects. LDAPGroupNameAttribute must be set to the attribute of the LDAP group that contains the name of the group. LDAPGroupMemberAttribute must be set to the attribute of the LDAP group that contains the names of the users that are members. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute. LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through. LDAPGroupDescriptionAttribute may be set to the attribute of the LDAP group that contains the description of the group, if any. This will set the same description in the eZ Publish group. This mode will create groups in eZ Publish automatically. The groups will be given the same name in eZ Publish as they have in LDAP.

    An example:

    ldap.ini settings

    LDAPGroupMappingType=GetGroupsTree
    LDAPGroupClass=organizationalUnit
    LDAPGroupNameAttribute=cn
    LDAPGroupMemberAttribute=members

    LDAP group objects

    cn: editor
    members: janedoe
    members: johndoe

    cn: techwriter
    members: johndoe

    Maps users to eZ Publish groups

    janedoe: 'editor'

    johndoe: 'editor', 'techwriter'
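The following is an added example, not eZ Publish code, that models the two group-object based modes, SimpleMapping and GetGroupsTree, side by side: it filters LDAP group objects by LDAPGroupClass and LDAPGroupBaseDN, inverts the LDAPGroupMemberAttribute membership for one user, and then either translates names through LDAPUserGroupMap without ever creating a group, or creates missing eZ Publish groups under their LDAP name and copies the description. The settings, the LDAP group objects and the table of existing eZ Publish groups are constructed inline; the fall-back to the default group when nothing could be mapped follows the "Default group" section below.

```python
# Constructed LDAP group objects as an LDAP search would return them (attribute ->
# list of values). The third entry is of another class and outside the groups
# tree, so the LDAPGroupClass and LDAPGroupBaseDN filters must both ignore it.
LDAP_GROUPS = [
    {"dn": "cn=editor,ou=Groups,dc=example,dc=com",
     "objectClass": ["organizationalUnit"], "cn": ["editor"],
     "members": ["janedoe", "johndoe"], "description": ["Content editors"]},
    {"dn": "cn=techwriter,ou=Groups,dc=example,dc=com",
     "objectClass": ["organizationalUnit"], "cn": ["techwriter"],
     "members": ["johndoe"]},
    {"dn": "cn=printers,ou=Devices,dc=example,dc=com",
     "objectClass": ["device"], "cn": ["printers"],
     "members": ["johndoe"]},
]

# Constructed ldap.ini settings shared by both modes.
COMMON = {
    "LDAPGroupClass": "organizationalUnit",
    "LDAPGroupNameAttribute": "cn",
    "LDAPGroupMemberAttribute": "members",
    "LDAPGroupDescriptionAttribute": "description",
    "LDAPGroupBaseDN": "ou=Groups,dc=example,dc=com",
    "LDAPUserGroup": ["LDAP Users"],   # default group, see "Default group"
}
SIMPLE_MAPPING = dict(COMMON, LDAPGroupMappingType="SimpleMapping",
                      LDAPUserGroupMap={"editor": "Editors",
                                        "techwriter": "Technical writers"})
GET_GROUPS_TREE = dict(COMMON, LDAPGroupMappingType="GetGroupsTree")


def member_groups(uid, ldap_groups, settings):
    """LDAP group entries of the configured class, under the base DN, listing uid."""
    base_dn = settings.get("LDAPGroupBaseDN", "").lower()
    hits = []
    for group in ldap_groups:
        if settings["LDAPGroupClass"] not in group.get("objectClass", []):
            continue
        if base_dn and not group["dn"].lower().endswith(base_dn):
            continue
        if uid in group.get(settings["LDAPGroupMemberAttribute"], []):
            hits.append(group)
    return hits


def resolve_member_groups(uid, ldap_groups, settings, ez_groups):
    """Return the eZ Publish group names uid is placed in.

    ez_groups maps existing eZ Publish group names to their descriptions;
    GetGroupsTree adds missing groups to it, SimpleMapping never does.
    """
    mode = settings["LDAPGroupMappingType"]
    placed = []
    for group in member_groups(uid, ldap_groups, settings):
        ldap_name = group[settings["LDAPGroupNameAttribute"]][0]
        desc_attr = settings.get("LDAPGroupDescriptionAttribute")
        description = group.get(desc_attr, [""])[0] if desc_attr else ""
        if mode == "SimpleMapping":
            ez_name = settings["LDAPUserGroupMap"].get(ldap_name)
            if ez_name is None or ez_name not in ez_groups:
                continue    # unmapped or missing eZ group: skipped, never created
        elif mode == "GetGroupsTree":
            ez_name = ldap_name                 # same name as in LDAP
            ez_groups.setdefault(ez_name, description)
        else:
            raise ValueError("unsupported LDAPGroupMappingType: %r" % mode)
        placed.append(ez_name)
    return placed or list(settings["LDAPUserGroup"])
```

The class and base-DN filters matter in practice: without them any object that happens to carry a matching member attribute, such as the constructed 'printers' entry, would grant group membership, and in GetGroupsTree mode would also get a group created for it in eZ Publish.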

    Default group

    The default LDAP group is not created automatically; you should create one yourself and call it e.g. 'LDAP Users'. If the group mapping fails, the user is instead placed in the default group, as specified by the LDAPUserGroupType and LDAPUserGroup[] settings.
    LDAPUserGroupType can be either 'id' or 'name'. If 'id' is used, LDAPUserGroup[] must contain the content object ID of the default group. If 'name' is used, LDAPUserGroup[] must contain the name of the default group. The default group is not used when group mapping succeeds.

    Ester Heylen (30/09/2009 10:15 am)

    Ester Heylen (01/10/2009 7:09 am)


    Comments

    • Example for "SimpleMapping" doesn't work!

      The example for method "SimpleMapping" is wrong. Correct settings are:

      LDAPGroupBaseDN=DC--example,DC--com
      LDAPGroupMappingType=SimpleMapping
      LDAPGroupClass=group
      LDAPGroupNameAttribute=cn
      LDAPGroupMemberAttribute=member
      LDAPUserGroupMap[]
      LDAPUserGroupMap[eZPublish1]=eZPublish1
      LDAPUserGroupMap[eZPublish2]=eZPublish2
      • Re: Example for "SimpleMapping" doesn't work!

        The correct settings depend on your LDAP server, so they can be very different from case to case. Other than that, if you see any settings in the examples that you know cannot work on any server, please let us know.
        Best regards