LDAP Group Mapping Type
UseGroupAttribute
This mode requires that group membership is specified in the LDAP user object, i.e. the user object contains an attribute specifying the groups. When you use this, you must set LDAPUserGroupAttribute to the LDAP attribute that holds the group information. Also, LDAPUserGroupAttributeType must be either 'id' or 'name'.
If 'id' is used, then the LDAPUserGroupAttribute attribute must contain an ID (example: 42) that will match an existing eZ Publish group with the name 'LDAP 42'. If 'name' is used, then the LDAPUserGroupAttribute attribute must contain the name of an existing eZ Publish group. Starting with eZ Publish 4.3, there is a third option 'dn', meaning that the LDAPUserGroupAttribute attribute must contain a DN referring to the group the user belongs to. (Note that in LDAP, some attributes may be set multiple times, as opposed to having the same attribute containing multiple values.)
Some examples:
ldap.ini settings |
LDAPGroupMappingType=UseGroupAttribute |
LDAP user objects |
uid: janedoe
uid: johndoe |
Maps users to eZ Publish groups |
janedoe: 'LDAP 22' johndoe: 'LDAP 22', 'LDAP 42' |
ldap.ini settings |
LDAPGroupMappingType=UseGroupAttribute |
LDAP user objects |
uid: janedoe
uid: johndoe |
Maps users to eZ Publish groups |
janedoe: 'Editors' johndoe: 'Editors', 'Technical writers' |
ldap.ini settings |
LDAPGroupMappingType=UseGroupAttribute |
LDAP user objects |
uid: janedoe
uid: johndoe |
Maps users to eZ |
janedoe: 'Editors' johndoe: 'Editors', 'Technical writers' |
In eZ Publish 4.2 and older, all three LDAPUserGroupAttributeType alternatives require that the groups exist in eZ Publish, they will not be created by the login handler. However, starting with eZ Publish 4.3, if LDAPCreateMissingGroups is enabled, it will create groups as needed. This setting is disabled by default, for backwards compatibility. When not creating groups, the handler will fall back to using the default group.
SimpleMapping
This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute, LDAPGroupMemberAttribute, and LDAPUserGroupMap.
LDAPGroupClass must be set to the class of LDAP group objects. LDAPGroupNameAttribute must be set to the attribute of the LDAP group that contains the name of the group. LDAPGroupMemberAttribute must be set to the attribute of the LDAP group that contains the names of the users that are members. LDAPUserGroupMap is a simple mapping from LDAP group names to eZ Publish group names. Example: 'LDAPUserGroupMap[myldapgroup]=myezgroup'. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute. LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through. LDAPGroupDescriptionAttribute may be set to the attribute of the LDAP group that contains the description of the group, if any. This will set the same description in the eZ Publish group. This mode requires that the groups exist in eZ Publish, because they will not be created automatically. This allows the eZ Publish groups to have different names than the corresponding LDAP groups.
The LDAPCreateMissingGroups setting does not apply in this mode.
An example:
ldap.ini settings |
LDAPGroupMappingType=SimpleMapping |
LDAP group objects |
cn: editor
cn: techwriter |
Maps users to eZ Publish groups |
janedoe: 'Editors' johndoe: 'Editors', 'Technical writers' |
GetGroupsTree
This mode requires that group membership is specified in the LDAP group object, i.e. the group object contains an attribute specifying the users that are members. When you use this, you must set LDAPGroupClass, LDAPGroupNameAttribute and LDAPGroupMemberAttribute.
LDAPGroupClass must be set to the class of LDAP group objects. LDAPGroupNameAttribute must be set to the attribute of the LDAP group that contains the name of the group. LDAPGroupMemberAttribute must be set to the attribute of the LDAP group that contains the names of the users that are members. You may also set LDAPGroupBaseDN and LDAPGroupDescriptionAttribute. LDAPGroupBaseDN may be set to the base DN of your groups tree, to limit the amount of data to search through. LDAPGroupDescriptionAttribute may be set to the attribute of the LDAP group that contains the description of the group, if any. This will set the same description in the eZ Publish group. This mode will create groups in eZ Publish automatically. The groups will be given the same name in eZ Publish as they have in LDAP.
An example:
ldap.ini settings |
LDAPGroupMappingType=GetGroupsTree |
LDAP group objects |
cn: editor
cn: techwriter |
Maps users to eZ Publish groups |
janedoe: 'editors' johndoe: 'editors', 'techwriter' |
Default group
The default LDAP group is not created automatically, you should create one and call it e.g. 'LDAP Users'. If the group mapping fails, the user will instead be placed in the default group, as specified in the LDAPUserGroupType and LDAPUserGroup[] settings.
LDAPUserGroupType can be either 'id' or 'name'. If 'id' is used, LDAPUserGroup[] must contain the content object ID of the default group. If 'name' is used, LDAPUserGroup[] must contain the name of the default group. The default group is not used when group mapping succeeds.
Ester Heylen (30/09/2009 10:15 am)
Ester Heylen (01/10/2009 7:09 am)
Comments