Not applicable

QLIK VIEW : LDAP Apache Directory Server member attribute

I'm using LDAP Apache Directory Server to authenticate our users. We have one LDAP group, "WEBDELIVERY", with a member attribute. This member attribute has 2 user DNs. Apache Directory Server doesn't have a memberOf attribute in the user class. It only has the member attribute in the group class.

We need authorization in a document for users in the WEBDELIVERY group. We have LDAP users and groups in the "Users Management Page", but the groups assigned to users never appear in the Groups tab. We selected user U0001 and group WEBDELIVERY, but nothing ever appears in the Groups tab.

INFO:

----WEBDELIVERY GROUP----

dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com

objectClass: top

objectClass: groupOfNames

cn: WEBDELIVERY

member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com

member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com

description:: XXXXXXX

----U001 USER----


dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com

objectClass: top

objectClass: inetOrgPerson

objectClass: person

objectClass: organizationalPerson

cn: U0001

sn:: XXXXX

givenName: XXXX

mail: xxx.zzzz@dominio.prueba.com

----QLIKVIEW LDAP CONFIGURATION----

5 Replies
Miguel_Angel_Baeyens

Hi Pedro,

Do you have memberOf overlay (or equivalent) set up and working in your slapd.conf? Otherwise, member is just another attribute of the user, but not actually a group as in AD or other directory services.

Apart from that, in your DSP settings, you are using "GroupOfNames" instead of "groupOfNames". Could that be the cause if your BDB or backend is case sensitive?

If you do, please ignore this one.

Miguel

Not applicable
Author

I don't have the memberOf overlay. The backend is not case sensitive.

Is the memberOf attribute in the user class necessary for this to work? Is it necessary to have data in the user's memberOf attribute for it to work?

Why would you use the Group LDAP parameters?

Thanks,

Pedro M.

Miguel_Angel_Baeyens

Yes, you need to be able to reverse group membership queries. With Apache Directory Studio you can get it using either the command line, like

ldapsearch -h ldap -x -b "dc=dominio,dc=prueba,dc=com" '(cn=U0001)' memberOf

or specifying Fetch Operational Attributes in the browser options or something similar. I don't have ApacheDS now at hand.

Miguel


Not applicable
Author

Ok, but memberOf is not a standard attribute. Active Directory and OpenLDAP have this operational attribute, but Apache Directory Server doesn't have it. We never have values in this attribute.

On the other hand, what are these parameters then?

Group / Member match property

Group id property name

Group member property name

Group object class value

Pedro M.

Miguel_Angel_Baeyens

Pedro,

In regards to every parameter:

  • Group / Member match property: When resolving from groups to users, this parameter should be set to the member identifying property. In your example, the group entries contained the multi-valued attribute “member”, which held a list of member entries which were identified by their Distinguished Name. For this case the parameter should be set to “dn” or "distinguishedName". If members are identified by an attribute, for example uid, then the parameter should be set to the name of that attribute.
  • Group id property name: The attribute in the groups that is used to identify the groups. If the field is left blank it would default to the same value as set in ID property name ("cn")
  • Group member property name: The attribute of the groups which contains the list of the group members ("member")
  • Group object class value: The object class of the group ("groupOfNames")

The memberOf overlay will update your users' memberOf attribute when they do not have it populated (basically, making the reverse group membership resolution possible). So when you have it enabled, it will show when you explicitly request it in the search, because it's operational.

Miguel
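
As an added example (not part of the thread and not QlikView's own code), the Python below carries out the group-to-user resolution that the four group settings describe, for a directory that has only the group-side member attribute, as in the question. The function names and the abbreviated LDIF are constructed for illustration, and the DN normalization is simplified.

```python
# Constructed sample: the thread's two entries, abbreviated (no memberOf on the user).
LDIF = """\
dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com
objectClass: groupOfNames
cn: WEBDELIVERY
member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com

dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
objectClass: inetOrgPerson
cn: U0001
"""

def parse_ldif(text):
    """Parse simple 'attr: value' LDIF (no base64 values, no line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Simplified DN normalization: lowercase, trim spaces around each RDN."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def escape_filter(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        out = out.replace(ch, esc)
    return out

def reverse_filter(user_dn, object_class="groupOfNames", member_attr="member"):
    """Search filter that finds the groups listing user_dn as a member."""
    return f"(&(objectClass={object_class})({member_attr}={escape_filter(user_dn)}))"

def groups_for_user(entries, user, match_prop="dn", group_id="cn",
                    member_attr="member", object_class="groupOfNames"):
    """Apply the four group settings; return ids of groups listing the user."""
    norm = norm_dn if match_prop.lower() == "dn" else str.lower
    key = norm(user[match_prop.lower()][0])
    return [gid for e in entries
            if object_class.lower() in map(str.lower, e.get("objectclass", []))
            and key in map(norm, e.get(member_attr.lower(), []))
            for gid in e[group_id.lower()]]
```

Against a live directory, the string returned by `reverse_filter` is what a client would pass to a search under the group base to get the same answer without memberOf.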