Monday 07 June 2010 1:14:25 am

Hi Nicolas,

thank you for your hint.

It still won't work but it was good to find out that there might be an issue in ldap documentation on ez.no.

Here are my current settings in ldap.ini:

# Group mapping settings:
# Root node id where LDAP groups are created, node id: 5 is used if blank
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
#LDAPUserGroupClass=group
LDAPUserGroupAttribute=cn
LDAPGroupMemberAttribute=member
LDAPUserGroupMap[]
LDAPUserGroupMap[eZPublish1]=eZPublish1
LDAPUserGroupMap[eZPublish2]=eZPublish2

As you can see I have two different settings to set the class of a user group:

• LDAPUserGroupClasss (as it is described in documentation sites: http://ez.no/doc/ez_publish/technical_manual/4_x/features/ldap_login_handler/ldap_group_mapping_type#SimpleMapping )
• LDAPGroupClass (as it can be found in ldap.ini)

There is no "LDAPUserGroupClass" setting in ldap.ini. I gave it a try anyway and I got the same result as with "LDAPGroupClass": users are still stored in Members-Folder.

I take a look into my error.log and found following enty:

 [ Jun 07 2010 10:03:59 ] [127.0.0.1] eZLDAPUser.php, function getUserGroupsTree():
Missing one of required parameters.

I will try to find out which parameter is needed and tell it here.

Thank you for your help.

Philip

Linux is like a wigwam; no windows, now gates, and apache inside!

Tuesday 15 June 2010 2:22:17 am

I got it!

After some 'try & error' I found the correct settings for ldap.ini. Here is how it works now:

1. Create users in your ActiveDirectory (AD)
2. Create groups that should be used with eZ Publish in your AD
3. Create the same groups in eZ Publish
4. Link users with groups in your AD

If you use "SimpleMapping" method now the user will be created in the same group as he is in your AD.

Here are all ini settings you need to have in your ldap.ini.append.php (based on Windows Active Directory):

[LDAPSettings]
# Enable tracing the the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be 
# logged to logfiles or outputted if DebugOutput settings are enabled. 
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=<YOUR SERVER IP>
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--example,DC--com
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=administrator@example.com
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=<YOUR ADMIN PASS>
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectCategory--person
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName

## LDAP GROUP SETTINGS
LDAPGroupBaseDN=DC--example,DC--com
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
LDAPGroupNameAttribute=cn
LDAPGroupMemberAttribute=member
LDAPUserGroupMap[]
LDAPUserGroupMap[eZPublish1]=eZPublish1
LDAPUserGroupMap[eZPublish2]=eZPublish2

Finally I have to say that the example on documentation page for "SimpleMapping" is absolutly wrong!

Thank you Nicolas for your help!

Philip

Linux is like a wigwam; no windows, now gates, and apache inside!