
Caution: This documentation is for eZ Publish legacy, from version 3.x to 5.x.

LDAP Group Mapping Type

UseGroupAttribute

This mode requires that group membership is specified in the LDAP user object, i.e. the user object carries an attribute listing the groups the user belongs to. When you use it, you must set LDAPUserGroupAttribute to the LDAP attribute that holds the group information, and LDAPUserGroupAttributeType to 'id' or 'name' (or, from eZ Publish 4.3, 'dn'; see below). Because the user object alone decides which eZ Publish groups the user is placed in, choose an attribute that only directory administrators can write: an attribute users can edit themselves would let them pick their own groups.

If 'id' is used, the LDAPUserGroupAttribute attribute must contain an ID (example: 42) that matches an existing eZ Publish group named 'LDAP 42'. If 'name' is used, the attribute must contain the name of an existing eZ Publish group. Starting with eZ Publish 4.3, there is a third option, 'dn', meaning that the attribute must contain the DN of the group the user belongs to. (Note that in LDAP a multi-valued attribute is written as the same attribute repeated once per value, as in the examples below, rather than as one attribute line holding several values.)

Some examples:

ldap.ini settings

LDAPGroupMappingType=UseGroupAttribute
LDAPUserGroupAttributeType=id
LDAPUserGroupAttribute=employeetype

LDAP user objects

uid: janedoe
employeetype: 22

uid: johndoe
employeetype: 22
employeetype: 42

Maps users to eZ Publish groups

janedoe: 'LDAP 22'

johndoe: 'LDAP 22', 'LDAP 42'

ldap.ini settings

LDAPGroupMappingType=UseGroupAttribute
LDAPUserGroupAttributeType=name
LDAPUserGroupAttribute=employeetype

LDAP user objects

uid: janedoe
employeetype: Editors

uid: johndoe
employeetype: Editors
employeetype: Technical writers

Maps users to eZ Publish groups

janedoe: 'Editors'

johndoe: 'Editors', 'Technical writers'

ldap.ini settings

LDAPGroupMappingType=UseGroupAttribute
LDAPUserGroupAttributeType=dn
LDAPUserGroupAttribute=employeetype

LDAP user objects

uid: janedoe
employeetype: cn=Editors,dc=Groups,dc=example,dc=com

uid: johndoe
employeetype: cn=Editors,dc=Groups,dc=example,dc=com
employeetype: cn="Technical writers",dc=Groups,dc=example,dc=com

Maps users to eZ Publish groups

janedoe: 'Editors'

johndoe: 'Editors', 'Technical writers'

In eZ Publish 4.2 and older, all three LDAPUserGroupAttributeType alternatives require that the groups already exist in eZ Publish; the login handler will not create them. Starting with eZ Publish 4.3, if LDAPCreateMissingGroups is enabled, the handler creates groups as needed. This setting is disabled by default, for backwards compatibility. When groups are not created, the handler falls back to the default group (see "Default group" below).

SimpleMapping

This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute, LDAPGroupMemberAttribute, and LDAPUserGroupMap.

LDAPGroupClass must be set to the object class of your LDAP group objects, LDAPGroupNameAttribute to the attribute of the LDAP group that contains its name, and LDAPGroupMemberAttribute to the attribute that lists the member users. Which class and attribute names apply depends on your directory's schema (for example groupOfNames with member, groupOfUniqueNames with uniqueMember, or an Active Directory group with member), so inspect one of your group entries with ldapsearch before choosing them. LDAPUserGroupMap is a simple mapping from LDAP group names to eZ Publish group names, for example 'LDAPUserGroupMap[myldapgroup]=myezgroup'. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute: LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through, and LDAPGroupDescriptionAttribute to the attribute of the LDAP group that contains its description, if any, which is then copied to the eZ Publish group. This mode requires that the groups exist in eZ Publish, because they will not be created automatically; in return, the eZ Publish groups can have different names than the corresponding LDAP groups. The LDAPCreateMissingGroups setting does not apply in this mode.

An example:

ldap.ini settings

LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=organizationalUnit
LDAPGroupNameAttribute=cn
LDAPGroupMemberAttribute=members
LDAPUserGroupMap[]
LDAPUserGroupMap[editor]=Editors
LDAPUserGroupMap[techwriter]=Technical writers

LDAP group objects

cn: editor
members: janedoe
members: johndoe

cn: techwriter
members: johndoe

Maps users to eZ Publish groups

janedoe: 'Editors'

johndoe: 'Editors', 'Technical writers'

GetGroupsTree

This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute and LDAPGroupMemberAttribute.
LDAPGroupClass must be set to the class of LDAP group objects. LDAPGroupNameAttribute must be set to the attribute of the LDAP group that contains the name of the group. LDAPGroupMemberAttribute must be set to the attribute of the LDAP group that contains the names of the users that are members. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute. LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through. LDAPGroupDescriptionAttribute may be set to the attribute of the LDAP group that contains the description of the group, if any. This will set the same description in the eZ Publish group. This mode will create groups in eZ Publish automatically. The groups will be given the same name in eZ Publish as they have in LDAP.

An example:

ldap.ini settings

LDAPGroupMappingType=GetGroupsTree
LDAPGroupClass=organizationalUnit
LDAPGroupNameAttribute=cn
LDAPGroupMemberAttribute=members

LDAP group objects

cn: editor
members: janedoe
members: johndoe

cn: techwriter
members: johndoe

Maps users to eZ Publish groups

janedoe: 'editor'

johndoe: 'editor', 'techwriter'

Default group

The default LDAP group is not created automatically; create one yourself and call it e.g. 'LDAP Users'. If the group mapping fails, the user is placed in the default group instead, as specified by the LDAPUserGroupType and LDAPUserGroup[] settings.
LDAPUserGroupType can be either 'id' or 'name'. If 'id' is used, LDAPUserGroup[] must contain the content object ID of the default group; if 'name' is used, it must contain the name of the default group. The default group is not used when group mapping succeeds.
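The following is an added example, not part of this manual page and not eZ Publish's own login handler code: a small Python model of the three LDAPGroupMappingType modes (UseGroupAttribute, SimpleMapping, GetGroupsTree) and the default-group fallback described above, run over constructed LDAP entries that reproduce the page's examples. The function names, the dict-based representation of LDAP entries and settings, the assumption that a 'dn' value maps to the group via its RDN value, and the handling of a user whose attribute names several groups of which only some exist are this example's own assumptions; the real handler may behave differently in those cases.

```python
"""Added example (not eZ Publish code) modelling the LDAPGroupMappingType modes on this page.
LDAP entries are dicts of attribute -> list of values (multi-valued attributes are lists,
like the repeated attribute lines in the examples); eZ Publish groups are a set of names.
Assumption: if only some of a user's groups exist and none are created, the existing ones
are kept and the default group is used only when none exists; the page does not say."""


def attr_values(entry, name):
    """Values of one LDAP attribute as a list; LDAP attribute names are case-insensitive."""
    for key, value in entry.items():
        if key.lower() == name.lower():
            return list(value) if isinstance(value, (list, tuple)) else [value]
    return []


def rdn_value(dn):
    """First RDN value: 'cn=Editors,dc=Groups,dc=example,dc=com' -> 'Editors' (no escaped-comma support)."""
    value = dn.split(",", 1)[0].split("=", 1)[1].strip()
    return value.strip('"')  # accept the legacy quoted form cn="Technical writers"


def use_group_attribute(user, settings, ez_groups, create_missing=False):
    """UseGroupAttribute: the user object's own attribute names the groups."""
    kind = settings["LDAPUserGroupAttributeType"]
    names = []
    for raw in attr_values(user, settings["LDAPUserGroupAttribute"]):
        if kind == "id":
            names.append("LDAP %s" % raw)   # id 42 -> eZ Publish group 'LDAP 42'
        elif kind == "name":
            names.append(raw)               # value is the eZ Publish group name itself
        elif kind == "dn":
            names.append(rdn_value(raw))    # 4.3+: group DN; assumed to map via its RDN value
        else:
            raise ValueError("LDAPUserGroupAttributeType must be id, name or dn")
    if create_missing:                      # LDAPCreateMissingGroups (4.3+, off by default)
        ez_groups.update(names)
    return [n for n in names if n in ez_groups]


def member_groups(uid, ldap_groups, settings):
    """LDAP group names whose member attribute lists uid (shared by the two group-object modes)."""
    found = []
    for group in ldap_groups:
        if settings["LDAPGroupClass"] not in attr_values(group, "objectClass"):
            continue
        if uid in attr_values(group, settings["LDAPGroupMemberAttribute"]):
            found.extend(attr_values(group, settings["LDAPGroupNameAttribute"]))
    return found


def simple_mapping(uid, ldap_groups, settings, ez_groups):
    """SimpleMapping: LDAPUserGroupMap renames LDAP groups; unmapped or missing groups are dropped."""
    mapping = settings["LDAPUserGroupMap"]
    return [mapping[n] for n in member_groups(uid, ldap_groups, settings)
            if n in mapping and mapping[n] in ez_groups]


def get_groups_tree(uid, ldap_groups, settings, ez_groups):
    """GetGroupsTree: the eZ Publish group keeps the LDAP name and is created when missing."""
    names = member_groups(uid, ldap_groups, settings)
    ez_groups.update(names)
    return names


def with_default_group(mapped, settings):
    """Default-group fallback: only used when mapping produced no group at all."""
    if mapped:
        return mapped
    if settings["LDAPUserGroupType"] == "name":
        return list(settings["LDAPUserGroup"])
    return ["id:%s" % i for i in settings["LDAPUserGroup"]]  # 'id': content object IDs


# Constructed sample data reproducing this page's examples, plus 'newhire', whose
# employeetype 99 has no 'LDAP 99' group, to exercise the default-group fallback.
EZ_GROUPS = {"LDAP 22", "LDAP 42", "Editors", "Technical writers", "LDAP Users"}
USERS = {
    "janedoe": {"uid": ["janedoe"], "employeetype": ["22"]},
    "johndoe": {"uid": ["johndoe"], "employeetype": ["22", "42"]},
    "newhire": {"uid": ["newhire"], "employeetype": ["99"]},
}
DN_USER = {"uid": ["johndoe"], "employeetype": [
    "cn=Editors,dc=Groups,dc=example,dc=com",
    'cn="Technical writers",dc=Groups,dc=example,dc=com']}
LDAP_GROUPS = [
    {"objectClass": ["organizationalUnit"], "cn": ["editor"], "members": ["janedoe", "johndoe"]},
    {"objectClass": ["organizationalUnit"], "cn": ["techwriter"], "members": ["johndoe"]},
]
DEFAULT = {"LDAPUserGroupType": "name", "LDAPUserGroup": ["LDAP Users"]}


def demo():
    """Run every mode over the sample data; returns {case: list of eZ Publish groups}."""
    out = {}
    s = dict(DEFAULT, LDAPUserGroupAttributeType="id", LDAPUserGroupAttribute="employeetype")
    for uid in USERS:
        out["id/" + uid] = with_default_group(use_group_attribute(USERS[uid], s, set(EZ_GROUPS)), s)
    out["id/newhire/create"] = use_group_attribute(USERS["newhire"], s, set(EZ_GROUPS), True)
    s = dict(DEFAULT, LDAPUserGroupAttributeType="dn", LDAPUserGroupAttribute="employeetype")
    out["dn/johndoe"] = use_group_attribute(DN_USER, s, set(EZ_GROUPS))
    s = dict(DEFAULT, LDAPGroupClass="organizationalUnit", LDAPGroupNameAttribute="cn",
             LDAPGroupMemberAttribute="members",
             LDAPUserGroupMap={"editor": "Editors", "techwriter": "Technical writers"})
    for uid in ("janedoe", "johndoe"):
        out["simple/" + uid] = simple_mapping(uid, LDAP_GROUPS, s, set(EZ_GROUPS))
        out["tree/" + uid] = get_groups_tree(uid, LDAP_GROUPS, s, set(EZ_GROUPS))
    return out
```

Calling demo() returns one entry per case, e.g. 'id/johndoe' -> ['LDAP 22', 'LDAP 42'] and 'id/newhire' -> ['LDAP Users'], while 'id/newhire/create' shows the same user landing in a freshly created 'LDAP 99' once LDAPCreateMissingGroups is on. The model also makes the trust boundary visible: in UseGroupAttribute whoever can write the user's employeetype attribute chooses that user's eZ Publish groups (and, in 'name' mode with LDAPCreateMissingGroups enabled, can create them), whereas in SimpleMapping and GetGroupsTree only whoever can edit the group entries can.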

Ester Heylen (30/09/2009 10:15 am)

Ester Heylen (01/10/2009 7:09 am)


Comments

  • Example for "SimpleMapping" doesn't work!

    The example for method "SimpleMapping" is wrong. Correct settings are:

    LDAPGroupBaseDN=DC=example,DC=com
    LDAPGroupMappingType=SimpleMapping
    LDAPGroupClass=group
    LDAPGroupNameAttribute=cn
    LDAPGroupMemberAttribute=member
    LDAPUserGroupMap[]
    LDAPUserGroupMap[eZPublish1]=eZPublish1
    LDAPUserGroupMap[eZPublish2]=eZPublish2
    • Re: Example for "SimpleMapping" doesn't work!

      The correct settings depend on your LDAP server, so they can be very different from case to case. Other than that, if you see any settings in the examples that you know cannot work on any server, please let us know.
      Best regards