5 Replies. Latest reply: Mar 27, 2015 7:33 AM by Miguel Angel Baeyens de Arce

    QLIK VIEW : LDAP Apache Directory Server member attribute

      I'm using LDAP Apache Directory Server to authenticate our users. We have one LDAP group "WEBDELIVERY" with a member attribute. This member attribute has 2 user DNs. Apache Directory Server doesn't have a memberOf attribute in the user class. It only has the member attribute in the group class.

      We need authorization on a document for users in the WEBDELIVERY group. We have LDAP users and groups in the "Users Management Page", but the groups assigned to users never appear in the Groups tab. We selected user U0001 and group WEBDELIVERY, but nothing ever appears in the Groups tab.

       

      INFO:

       

      ----WEBDELIVERY GROUP----

      dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com
      objectClass: top
      objectClass: groupOfNames
      cn: WEBDELIVERY
      member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
      member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com
      description:: XXXXXXX

      ----U001 USER----

      dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
      objectClass: top
      objectClass: inetOrgPerson
      objectClass: person
      objectClass: organizationalPerson
      cn: U0001
      sn:: XXXXX
      givenName: XXXX
      mail: xxx.zzzz@dominio.prueba.com

       

      ----QLIKVIEW LDAP CONFIGURATION----

       

        • Re: QLIK VIEW : LDAP Apache Directory Server member attribute
          Miguel Angel Baeyens de Arce

          Hi Pedro,

          Do you have memberOf overlay (or equivalent) set up and working in your slapd.conf? Otherwise, member is just another attribute of the user, but not actually a group as in AD or other directory services.

          Apart from that, in your DSP settings, you are using "GroupOfNames" instead of "groupOfNames". Could that be the cause if your BDB or backend is case sensitive?

          If you do, please ignore this one.

          Miguel

            • Re: QLIK VIEW : LDAP Apache Directory Server member attribute

              I don't have the memberOf overlay. The backend is not case sensitive.

              Is the memberOf attribute in the user class necessary for this to work? Is it necessary to have data in the user's memberOf attribute for it to work?

              Why would you use the Group LDAP parameters?

               

              Thanks,

              Pedro M.

                • Re: QLIK VIEW : LDAP Apache Directory Server member attribute
                  Miguel Angel Baeyens de Arce

                  Yes, you need to be able to reverse group membership queries. With Apache Directory Studio you can get it using either the command line, like

                  ldapsearch -h ldap -x -b "dc=dominio,dc=prueba,dc=com" '(cn=U0001)' memberOf
                  

                  or specifying Fetch Operational Attributes in the browser options or something similar. I don't have ApacheDS now at hand.

                  Miguel

                   


                    • Re: QLIK VIEW : LDAP Apache Directory Server member attribute

                      OK, but memberOf is not a standard attribute. Active Directory and OpenLDAP have this operational attribute, but Apache Directory Server doesn't have it. We never have values in this attribute.

                      On the other hand, what are these parameters then?

                      Group / Member match property

                      Group id property name

                      Group member property name

                      Group object class value

                      Pedro M.

                        • Re: QLIK VIEW : LDAP Apache Directory Server member attribute
                          Miguel Angel Baeyens de Arce

                          Pedro,

                          In regards to every parameter:

                          • Group / Member match property: When resolving from groups to users, this parameter should be set to the member identifying property. In your example, the group entries contained the multi-valued attribute “member”, which held a list of member entries which were identified by their Distinguished Name. For this case the parameter should be set to “dn” or "distinguishedName". If members are identified by an attribute, for example uid, then the parameter should be set to the name of that attribute.
                          • Group id property name: The attribute in the groups that is used to identify the groups. If the field is left blank it would default to the same value as set in ID property name ("cn")
                          • Group member property name: The attribute of the groups which contains the list of the group members ("member")
                          • Group object class value: The object class of the group ("groupOfNames")

                          The memberOf overlay will update your users' memberOf attribute when they do not have it populated (basically, making the reverse group membership resolution possible). So when you have it enabled, it will show when you explicitly request it in the search, because it's operational.

                          Miguel
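
The group-to-user resolution that the four parameters in the last reply describe, as an added example that is not part of the thread and not QlikView's own code. It runs over the two entries posted in the question, and its search is equivalent to the LDAP filter `(&(objectClass=groupOfNames)(member=<user DN>))`. The function names, the trimmed LDIF and the simplified DN normalization are assumptions of this sketch.

```python
# Added example: resolve a user's groups from the group side (no memberOf needed).
# LDIF entries are the ones posted in the thread, trimmed of the redacted values.
LDIF = """\
dn: cn=WEBDELIVERY,ou=Profile,ou=SUPERQLIK,ou=Application,dc=dominio,dc=prueba,dc=com
objectClass: top
objectClass: groupOfNames
cn: WEBDELIVERY
member: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
member: cn=U0002,ou=Users,dc=dominio,dc=prueba,dc=com

dn: cn=U0001,ou=Users,dc=dominio,dc=prueba,dc=com
objectClass: inetOrgPerson
cn: U0001
"""

def parse_ldif(text):
    """Parse simple LDIF (no base64, no folded lines) into dicts of attr -> [values]."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries

def norm_dn(dn):
    """Simplified DN comparison key: case-folded, spaces around RDNs removed.
    Assumption: no escaped commas inside attribute values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_for_user(entries, user, group_class="groupOfNames",
                    member_attr="member", group_id_attr="cn", match_attr="dn"):
    """Return the ids of all groups whose member list contains the user."""
    by_dn = match_attr.lower() in ("dn", "distinguishedname")
    key = user["dn"][0] if by_dn else user[match_attr.lower()][0]
    norm = norm_dn if by_dn else str.lower
    found = []
    for e in entries:
        # Group object class value: object class names compare case-insensitively.
        if group_class.lower() not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        # Group member property name + match property: compare normalized values.
        if norm(key) in {norm(m) for m in e.get(member_attr.lower(), [])}:
            found.append(e[group_id_attr.lower()][0])  # Group id property name
    return found
```
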