Users, groups and Active Directory

Hi,

I finally got to show my active directory groups, but they do not contain my active directory users. I use this configuration files here: https://github.com/nuxeo/nuxeo-services/tree/master/nuxeo-platform-directory/nuxeo-platform-directory-ldap/examples

An idea of the reason for this problem?

0 votes

1 answers

1966 views

ANSWER



You have to introspect you Active Directory structure with a LDAP client such as Apache Directory Studio to adapt the configuration to make it match to your own directory structure.

You can find more details on the page on LDAP configuration in the documentation.

In particular it gives you instruction to enable the debug log and see which LDAP requests are performed by Nuxeo to try and replicate them in Apache Directory Studio to understand why the return no results.

0 votes



With Apache Directory Studio I can see members of my group, but I do not know where to put this in the configuration file groups …

I have this:

<searchBaseDn>ou=Groupes,ou=XXX,dc=XXX,dc=local</searchBaseDn>
       <searchFilter>
        (objectClass=group)
      </searchFilter> 

<creationBaseDn>ou=Groupes,ou=XXX,dc=XXX,dc=local</creationBaseDn>
      <creationClass>top</creationClass>
      <creationClass>groupOfUniqueNames</creationClass>

I managed to retrieve the description of the group, but not the member…

  <rdnAttribute>cn</rdnAttribute>
  <fieldMapping name="groupname">cn</fieldMapping>
      <fieldMapping name="grouplabel">description</fieldMapping>

Should we put this kind of code?

 <fieldMapping name="member">member</fieldMapping>

(Désolé pour mon anglais très mauvais et surement la mauvaise utilisation de google translate…)

05/14/2013

The members will be retrieved once you've configured the ldapReference. Something like <pre> <ldapReference field="members" directory="userDirectory" staticAttributeId="uniqueMember" /> </pre>
05/15/2013

I have this in my configuration file :

&lt;references&gt;

        &lt;ldapReference field=&quot;members&quot; directory=&quot;userLdapDirectory&quot;
          forceDnConsistencyCheck=&quot;false&quot; staticAttributeId=&quot;uniqueMember&quot;
          dynamicAttributeId=&quot;memberURL&quot; /&gt;

        &lt;ldapReference field=&quot;subGroups&quot; directory=&quot;groupLdapDirectory&quot;
          forceDnConsistencyCheck=&quot;false&quot; staticAttributeId=&quot;uniqueMember&quot;
          dynamicAttributeId=&quot;memberURL&quot; /&gt;

        &lt;inverseReference field=&quot;parentGroups&quot; directory=&quot;groupLdapDirectory&quot;
          dualReferenceField=&quot;subGroups&quot; /&gt;

        &lt;ldapTreeReference field=&quot;directChildren&quot; directory=&quot;unitDirectory&quot;
          scope=&quot;onelevel&quot; /&gt;
        &lt;ldapTreeReference field=&quot;children&quot; directory=&quot;unitDirectory&quot;
          scope=&quot;subtree&quot; /&gt;

      &lt;/references&gt;

But I doesn't work…

05/15/2013

And does that correspond to your LDAP entries fpr groups?
05/15/2013

Hello,

Yes, userLdapDirectory and groupLdapDirectory are the same name I use in my xml files…

05/21/2013

that's not exactly the answer I expected: is it possible to have LDIF export from your Ldap user/group to validate your configuration?
05/21/2013

I am sorry, I don't understand. I did ldifde -f sortie.ldf -r (ObjectClass=User) but I don't know what I search …
05/21/2013

Que dois je faire ? / what should I do ?
05/22/2013

please paste the content of 1 user entry and 1 group entry from the LDIF export => I'll check if it's correct according to what you wrote in your Nuxeo XML files
05/22/2013

An user :

dn: CN=Prenom Nom,OU=xxx,OU=Utilisateurs,OU=xxx,DC=xxx,DC=local
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Prenom Nom
sn: NOM
givenName: Prenom
distinguishedName: 
 CN=Prenom Nom,OU=xxx,OU=Utilisateurs,OU=xxx,DC=xxx,DC=local
displayName: Prenom Nom
name: Prenom Nom
objectGUID:: /1aMD2vL+k++AfrLWRKUDg==
codePage: 0
countryCode: 0
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA+KEb6izD8ObyGL07qQQAAA==
sAMAccountName: xxx
sAMAccountType: 805306368
userPrincipalName: xxx@ensip.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xxx,DC=local

A group :

dn: CN=xxx,OU=Groupes,OU=LIAS,DC=xxx,DC=local
changetype: add
objectClass: top
objectClass: group
cn: xxx
member:: 
 Q049UGluZyBEQUksT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUyxEQz1lbnNpcC
 xEQz1sb2NhbA==
member:: 
 Q049RGF0IGR1b25nIFBIQU4sT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUyxEQz
 1lbnNpcCxEQz1sb2NhbA==
member:: 
 Q049RmF5w6dhbCBCRU5TTUFJTkUsT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUy
 xEQz1lbnNpcCxEQz1sb2NhbA==
member:: 
 Q049QmVub2l0IEhVQVJELE9VPURvY3RvcmFudHMsT1U9VXRpbGlzYXRldXJzLE9VPUxJQVMsREM9ZW
 5zaXAsREM9bG9jYWw=
member:: 
 Q049TWFyaWVtIEdIQU1HVUksT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUyxEQz
 1lbnNpcCxEQz1sb2NhbA==
member:: 
 Q049SW5lcyBPTVJBTkUsT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUyxEQz1lbn
 NpcCxEQz1sb2NhbA==
member:: 
 Q049TW9oYW1lZCBGQVJBSCxPVT1Eb2N0b3JhbnRzLE9VPVV0aWxpc2F0ZXVycyxPVT1MSUFTLERDPW
 Vuc2lwLERDPWxvY2Fs
member:: 
 Q049TmFpbWEgQk9VR0FURUYsT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1U9TElBUyxEQz
 1lbnNpcCxEQz1sb2NhbA==
member:: 
 Q049TW9oYW1lZCBMYW1pbmUgTUFTTU9VREksT1U9RG9jdG9yYW50cyxPVT1VdGlsaXNhdGV1cnMsT1
 U9TElBUyxEQz1lbnNpcCxEQz1sb2NhbA==
member:: 
 Q049RGFuaWVsIFZJWkVSLE9VPURvY3RvcmFudHMsT1U9VXRpbGlzYXRldXJzLE9VPUxJQVMsREM9ZW
 5zaXAsREM9bG9jYWw=
member:: 
 Q049SG91Y2VtIEtBTk9VTixPVT1Eb2N0b3JhbnRzLE9VPVV0aWxpc2F0ZXVycyxPVT1MSUFTLERDPW
 Vuc2lwLERDPWxvY2Fs
member:: 
 Q049U2FtaSBOQUpBUixPVT1Eb2N0b3JhbnRzLE9VPVV0aWxpc2F0ZXVycyxPVT1MSUFTLERDPWVuc2
 lwLERDPWxvY2Fs
member:: 
 Q049TWFuaGFsIEFCT1VaTEFNLE9VPURvY3RvcmFudHMsT1U9VXRpbGlzYXRldXJzLE9VPUxJQVMsRE
 M9ZW5zaXAsREM9bG9jYWw=
member:: 
 Q049TWFtbWFyIFRFTk9VVElULE9VPURvY3RvcmFudHMsT1U9VXRpbGlzYXRldXJzLE9VPUxJQVMsRE
 M9ZW5zaXAsREM9bG9jYWw=
member:: 
 Q049QmF5YSBIQURJRCxPVT1Eb2N0b3JhbnRzLE9VPVV0aWxpc2F0ZXVycyxPVT1MSUFTLERDPWVuc2
 lwLERDPWxvY2Fs
member:: 
 Q049TGlsYSBDUk9DSSxPVT1Eb2N0b3JhbnRzLE9VPVV0aWxpc2F0ZXVycyxPVT1MSUFTLERDPWVuc2
 lwLERDPWxvY2Fs
distinguishedName: CN=xxx,OU=Groupes,OU=xxx,DC=xxx,DC=local
instanceType: 4
whenCreated: 20130103100935.0Z
whenChanged: 20130430071152.0Z
uSNCreated: 8365
uSNChanged: 165294
name: xxx
objectGUID:: OsBRPJ8H30ugenghxgTK1g==
objectSid:: AQUAAAAAAAUVAAAA+KEb6izD8ObyGL07UwYAAA==
sAMAccountName: xxx
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=xxx,DC=local
dSCorePropagationData: 20130514093030.0Z
dSCorePropagationData: 20130417122120.0Z
dSCorePropagationData: 16010101000417.0Z
05/22/2013

So the reference you've defined using staticAttributeId="uniqueMember" is not correct because you can see in your group entry that the members are stored in an attribute called "member" => need to fix that ! Same battle for subgroups
05/22/2013

I Changed uniquemember by member and it's work ! But I must changed subgroups by what ? by group ?
05/22/2013

No. By "member" too IMHO Usually the attribute "member" (or the one from your LDAP schema) stores the references on users and groups
05/22/2013

Hi,

Thanks a lot, For the moment everything seems to work.

05/28/2013