First, thanks for your quick response.
On 20 March 2013 at 11:45, Arthur Schiwon <[email protected]> wrote:
> On 03/20/2013 10:31 AM, Pierre Malard wrote:
>> On 18 March 2013 at 12:22, Arthur Schiwon <[email protected]> wrote:
>>> On 03/15/2013 06:36 PM, Pierre Malard wrote:
>>>> We have an operational OC 4.5.7 on Debian which works relatively fine. We
>>>> have an LDAP authentication based on email address.
>>>> I have configured OC to search for the LDAP login in the "mail" LDAP field and
>>>> the LDAP group in the "inetOrgPerson" class and "departmentNumber" field on the
>>>> advanced tab.
>>>>
>>>> Everything seems to work normally: our users can log in, I can see all LDAP
>>>> groups. My only problem is attaching a user to an LDAP group.
>>>
>>> This can be done solely via LDAP. ownCloud does not write to LDAP.
>>>
>>>> Initially, I had thought the relation LDAP user <-> LDAP group would be
>>>> automatic. It's not the case. There is no "LDAP user" in the
>>>> "ldap_group_members" MySQL table. If I try to force it, nothing.
>>>
>>> I.e. for no user the LDAP groups were fetched?
>>> Is the "Group-Member association" attribute configured correctly?
>>> http://doc.owncloud.org/server/4.5/admin_manual/auth_ldap.html#advanced-settings
>>
>> OK, I made a mistake: our LDAP DB can't, as is, be used by ownCloud with the
>> "departmentNumber" field as the "group" association, because
>> "departmentNumber" is neither a "uniqueMember", "memberUid" nor "member" LDAP
>> field type.
>
> Which LDAP server are you using?
> The attribute to select here is how group memberships are indicated in LDAP.
>
> Example of a group:
> # Coyotes, groups, mydomain.com
> dn: cn=Coyotes,cn=groups,dc=mydomain,dc=com
> uniqueMember: uid=alice,cn=users,dc=mydomain,dc=com
> uniqueMember: uid=007,cn=users,dc=mydomain,dc=com
> uniqueMember: uid=jane,cn=Agents,dc=mydomain,dc=com
Initially, our LDAP mail database was only meant to be a separate user database
just for email logins, used only by our email services and all the services around
them (webmail, contacts, calendar, …). We didn't want to give any other access, and
the group notion was not really relevant. So the "departmentNumber" was
sufficient, as the mail address is the heart of our system. We just used the
inetOrgPerson fields, which were really useful.
So we have a "ship" RFC 3377 with the qmail schema. We just have 2 tables: "Mails",
which contains users' email logins, and "relaydomains", which contains the DNS
domains that are served by us.
>
>> As I understand your answer, our only way is to modify our LDAP DB with a
>> real group/user association within the LDAP meaning of the term. I thought
>> we could "deduce" this association inside ownCloud, since the "departmentNumber"
>> LDAP field is, in fact, such an association in LDAP.
>
> If you only want to give access to users with a certain attribute, modify
> login as user list filter, e.g.
> Login filter: (&(uid=%uid)(departmentNumber=123456))
> List filter: departmentNumber=123456
OK, it's a possible patch, but we have more than one "departmentNumber"...
So, as I said, the only way is to activate a "Group" table in our LDAP DB.
Thanks for your help.
----
Pierre Malard
About our dear economists:
«The clever ones, in our century, have awarded themselves the
title of statesman. [...] these politicians, ingenious
at putting a mask of necessity on profitable fictions.»
Victor Hugo: "Les misérables", La Pléiade, Gallimard, p. 843
|\ _,,,---,,_
/,`.-'`' -. ;-;;,_
|,4- ) )-,_. ,\ ( `'-'
'---''(_/--' `-'\_)
perl -e '$_=q#: 3|\ 5-,3-3,2-: 3/,`.'"'"'`'"'"' 5-. ;-;;,-: |,A- ) )-,_. ,\
( `'"'"'-'"'"': '"'"'-3'"'"'2(-/--'"'"' `-'"'"'\-):
22PLM::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'
- --> This message commits only its author <--
_______________________________________________
Owncloud mailing list
[email protected]
https://mail.kde.org/mailman/listinfo/owncloud
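To make the distinction in this thread concrete, here is an added example (not code from the thread, from ownCloud or from its LDAP backend): it reads a small constructed LDIF directory, resolves group membership the way an LDAP client does (from the member attribute on the group entry, never from an attribute such as "departmentNumber" on the user entry), and evaluates the login and list filters Arthur suggests. The LDIF contents, the "departmentNumber" values and the helper names are all assumptions made for the example.

```python
"""Added example, not from the mailing-list thread or ownCloud's code.
Shows why group membership must live on the group entry (uniqueMember /
member / memberUid) and how the thread's login and list filters behave.
The LDIF below is constructed; DNs mirror the thread's sample group."""

import re

# Constructed sample directory (assumption): users carry departmentNumber
# (a plain attribute of the user entry), the group carries uniqueMember
# pointers as in the thread's example.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: alice
mail: alice@mydomain.com
departmentNumber: 123456

dn: uid=007,cn=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: 007
mail: bond@mydomain.com
departmentNumber: 654321

dn: uid=jane,cn=Agents,dc=mydomain,dc=com
objectClass: inetOrgPerson
uid: jane
mail: jane@mydomain.com
departmentNumber: 123456

dn: cn=Coyotes,cn=groups,dc=mydomain,dc=com
objectClass: groupOfUniqueNames
cn: Coyotes
uniqueMember: uid=alice,cn=users,dc=mydomain,dc=com
uniqueMember: uid=007,cn=users,dc=mydomain,dc=com
"""

# The three group-member association attributes named in the thread.
MEMBER_ATTRS = ("uniqueMember", "member", "memberUid")


def parse_ldif(text):
    """Parse a minimal LDIF (no base64, no line folding) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries[entry["dn"][0]] = entry
    return entries


def group_members(entries, group_dn):
    """Resolve members by reading the member attribute on the group entry.
    memberUid holds a bare uid; uniqueMember/member hold a full DN which is
    mapped back to that entry's uid. Attributes on user entries are ignored."""
    uids = set()
    for attr in MEMBER_ATTRS:
        for value in entries[group_dn].get(attr, []):
            if attr == "memberUid":
                uids.add(value)
            elif value in entries:
                uids.add(entries[value]["uid"][0])
    return sorted(uids)


def match_filter(entry, flt):
    """Evaluate a small subset of RFC 4515 filters: (&...), (|...), (!...)
    and equality (attr=value); enough for the thread's filters."""
    flt = flt.strip()
    if not flt.startswith("("):
        flt = "(" + flt + ")"  # a bare 'attr=value' list filter, as in the thread
    inner = flt[1:-1]
    if inner[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(inner[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0 and ch == ")":
                subs.append(inner[start:i + 1])
                start = i + 1
        results = [match_filter(entry, s) for s in subs]
        return {"&": all, "|": any, "!": lambda r: not r[0]}[inner[0]](results)
    attr, _, value = inner.partition("=")
    return value in entry.get(attr, [])


def list_users(entries, list_filter):
    """User list filter: uids of person entries matching the filter."""
    return sorted(e["uid"][0] for e in entries.values()
                  if "inetOrgPerson" in e.get("objectClass", [])
                  and match_filter(e, list_filter))


def login_user(entries, login_filter, uid):
    """Login filter with %uid substituted; returns the matching DN or None."""
    flt = login_filter.replace("%uid", uid)
    for dn, entry in entries.items():
        if "inetOrgPerson" in entry.get("objectClass", []) and match_filter(entry, flt):
            return dn
    return None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(group_members(directory, "cn=Coyotes,cn=groups,dc=mydomain,dc=com"))
    print(list_users(directory, "departmentNumber=123456"))
    print(login_user(directory, "(&(uid=%uid)(departmentNumber=123456))", "alice"))
```

Note that `group_members` only ever consults the group entry, which is why a "departmentNumber" value stored on each user never shows up as a membership: from the directory's point of view it is an attribute to filter on, not a pointer from a group to its members.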