I'm using LDAP Apache Directory Server to authenticate our users. We have one LDAP group, "WEBDELIVERY", with a member attribute. This member attribute has 2 user DNs. Apache Directory Server doesn't have a memberOf attribute in the user class. It only has a member attribute in the group class.
We need authorization on a document for users in the WEBDELIVERY group. We have LDAP users and groups in the "Users Management Page", but the groups assigned to users never appear in the Groups tab. We selected user U0001 and group WEBDELIVERY, but nothing ever appears in the Groups tab.
INFO:
----WEBDELIVERY GROUP----
dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com
objectClass: top
objectClass: groupOfNames
cn: WEBDELIVERY
member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com
description:: XXXXXXX
----U001 USER----
dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: U0001
sn:: XXXXX
givenName: XXXX
mail: xxx.zzzz@dominio.prueba.com
----QLIKVIEW LDAP CONFIGURATION----
Hi Pedro,
Do you have memberOf overlay (or equivalent) set up and working in your slapd.conf? Otherwise, member is just another attribute of the user, but not actually a group as in AD or other directory services.
Apart from that, in your DSP settings, you are using "GroupOfNames" instead of "groupOfNames". Could that be the cause if your BDB or backend is case sensitive?
If you do, please ignore this one.
Miguel
I don't have the memberOf overlay. The backend is not case sensitive.
Is a memberOf attribute in the user class necessary for this to work? Is it necessary to have data in the user's memberOf attribute for it to work?
Why would you use the Group LDAP parameters?
Thanks,
Pedro M.
Yes, you need to be able to reverse group membership queries. With Apache Directory Studio you can get it using either the command line, like
ldapsearch -h ldap -x -b "dc=dominio,dc=prueba,dc=com" '(cn=U0001)' memberOf
or specifying Fetch Operational Attributes in the browser options or something similar. I don't have ApacheDS now at hand.
Miguel
OK, but memberOf is not a standard attribute. Active Directory and OpenLDAP have this operational attribute, but Apache Directory Server doesn't have it. We never have values in this attribute.
On the other hand, what are these parameters, then?
Group / Member match property
Group id property name
Group member property name
Group object class value
Pedro M.
Pedro,
In regards to every parameter:
The memberOf overlay will update your users' memberOf attribute when they do not have it populated (basically, making the reverse group membership resolution possible). So when you have it enabled, it will show when you explicitly request it in the search, because it's operational.
Miguel
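Added example, not part of the original thread and not QlikView's or ApacheDS's own code: the group-side lookup that resolves membership from the member attribute alone, using the groupOfNames entry quoted in the question. The helper names and the simplified DN normalization are assumptions made for illustration; the local evaluation stands in for the directory server.

```python
# Added example: resolve a user's groups from the group side (member attribute),
# for a directory that exposes no memberOf on user entries.
# LDIF constructed from the entries quoted in the thread (base64 fields omitted).
LDIF = """\
dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com
objectClass: groupOfNames
cn: WEBDELIVERY
member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com

dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
objectClass: inetOrgPerson
cn: U0001
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into attr -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a value cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(user_dn, object_class="groupOfNames", member_attr="member"):
    """Search filter a client would send to find the groups listing user_dn."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, member_attr, escape_filter_value(user_dn))

def norm_dn(dn):
    """Simplified (assumed) DN normalization: lower case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_of(user_dn, entries, object_class="groupOfNames", member_attr="member"):
    """Evaluate the same lookup locally: groups whose member values include user_dn."""
    wanted = norm_dn(user_dn)
    return [e["cn"][0] for e in entries
            if object_class.lower() in (v.lower() for v in e.get("objectclass", []))
            and wanted in (norm_dn(m) for m in e.get(member_attr.lower(), []))]

if __name__ == "__main__":
    user = "cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com"
    print(group_filter(user))
    print(groups_of(user, parse_ldif(LDIF)))
```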