LDAP Groups

Tuesday 19 August 2008 4:06:37 am - 1 reply

Gunnstein Lye

Tuesday 14 July 2009 2:10:11 am

I wasn't aware of this post until now. Sorry for my very late reply, you probably don't need it anymore. I'm posting it anyway in case it can help others.

Q: If the user does not have a mail attribute, login fails.
A: By default, eZ Publish requires all users to have a valid email address. You can change this in site.ini though:

[UserSettings]
# Authenticate match, a list of authenticate fields to use
# Available are login and email
AuthenticateMatch=login
# Controls whether a unique email is required for all users,
# if set to true and email is set in AuthenticateMatch then only
# one email address instance is allowed on the site.
# Set to false to disable it
RequireUniqueEmail=false

Q: Is there any way to automatically create the groups the user belongs to, and also add him to some specific ez groups for default roles and permissions?
A: No, the default group for LDAP users will only be used if no match is found for the more advanced methods (see below). The user will either be placed in the default group for LDAP users (see setting in ldap.ini) or in the group given by his placement on the LDAP server (if there is a match, see below).

LDAP settings and functionality

LDAPGroupMappingType can be one of three:
- UseGroupAttribute
- SimpleMapping
- GetGroupsTree
What all three have in common is that eZ Publish will only assign users to groups automatically. It will not assign roles to groups automatically. The eZ Publish system administrator must create the roles you need, and assign them to user groups.

UseGroupAttribute:
This setting will make one eZ Publish group assignment per LDAP group, as a flat structure. Users will therefore have the same group names in LDAP and in eZ Publish.
You must set LDAPUserGroupAttribute; it must be set to the attribute of the LDAP user object that identifies the group(s) the user belongs to.

SimpleMapping:
This setting allows you to have different group names in LDAP and in eZ Publish. The user groups in eZ Publish can have any structure you like (flat or tree). You must set LDAPUserGroupMap, LDAPGroupNameAttribute, and LDAPGroupMemberAttribute.
- LDAPUserGroupMap maps LDAP group names to eZ Publish group names.
- LDAPGroupNameAttribute must be set to the group attribute that contains the name of LDAP group objects.
- LDAPGroupMemberAttribute must be set to the user attribute that contains the group(s) the user belongs to.

GetGroupsTree:
This setting replicates the structure of the LDAP group tree in eZ Publish groups.
You must set LDAPGroupNameAttribute and LDAPGroupMemberAttribute.
- LDAPGroupNameAttribute must be set to the group attribute that contains the name of LDAP group objects.
- LDAPGroupMemberAttribute must be set to the user attribute that contains the group(s) the user belongs to.
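
A configuration check for the requirements listed in the reply above, as an added example that is not part of the original post and not eZ Publish code: it reads INI text and reports settings that the chosen LDAPGroupMappingType needs but that are missing, and flags email-based login when RequireUniqueEmail is false. Setting names are those from the post; the sample INI text, the `cn` value and the group names are constructed.

```python
# Added example (not eZ Publish code). Setting names are the ones in the post;
# the sample INI text and the group names in it are constructed.
REQUIRED = {
    "UseGroupAttribute": ["LDAPUserGroupAttribute"],
    "SimpleMapping": ["LDAPUserGroupMap", "LDAPGroupNameAttribute",
                      "LDAPGroupMemberAttribute"],
    "GetGroupsTree": ["LDAPGroupNameAttribute", "LDAPGroupMemberAttribute"],
}

def parse_ini(text):
    """Return {key: [values]}; sections and '#' comments are ignored and
    array entries such as Key[Name]=Value are collected under 'Key'."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[" or "=" not in line:
            continue  # blank, comment, section header, or 'Key[]' reset
        key, value = line.split("=", 1)
        if value.strip():
            settings.setdefault(key.split("[", 1)[0].strip(), []).append(value.strip())
    return settings

def last(settings, key):
    """Last value seen for key, or '' if the key is unset."""
    return settings.get(key, [""])[-1]

def lint(text):
    s, findings = parse_ini(text), []
    mode = last(s, "LDAPGroupMappingType")
    if mode and mode not in REQUIRED:
        findings.append(f"unknown LDAPGroupMappingType: {mode}")
    for key in REQUIRED.get(mode, []):
        if key not in s:
            findings.append(f"{mode} requires {key}")
    # Email is not guaranteed unique once RequireUniqueEmail is false,
    # so matching logins on it becomes ambiguous.
    if ("email" in last(s, "AuthenticateMatch").lower()
            and last(s, "RequireUniqueEmail").lower() == "false"):
        findings.append("AuthenticateMatch uses email but RequireUniqueEmail=false")
    return findings

SAMPLE = """\
AuthenticateMatch=login
RequireUniqueEmail=false
LDAPGroupMappingType=SimpleMapping
LDAPUserGroupMap[]
LDAPUserGroupMap[StaffTeachers]=Teachers
LDAPGroupNameAttribute=cn
"""
```

Calling `lint(SAMPLE)` reports the missing LDAPGroupMemberAttribute. Role assignment is not checked, since eZ Publish only places users in groups and roles are assigned by the administrator.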
