Forums / Setup & design / AD group mapping in Exponential

"Please Note:

At the specific request of Ibexa we are changing this projects name to "Exponential" or "Exponential (CMS)" effective as of August, 11th 2025.
This project is not associated with the original eZ Publish software or its original developer, eZ Systems or Ibexa".

AD group mapping in Exponential

Previous topic

Setup & design

Next topic

Author	Message
nicholas king	Thursday 29 July 2010 2:24:21 am Hello, I am currently really struggling to get AD and Exponential group mappings to work. At the moment a user enters their details into the login boxes, Exponential delves into AD finds the user and creates and adds them to the members group in Exponential. I have trawled the documentation and forums and tried all the things suggested and still i cannot stop users from going into the members group. Currently i can confirm that:- The Active directory Exponential connection is currently working. Exponential puts all AD users who log in into the members directory. my settings inside ldap.ini.append.php are as follows:- #?ini charset="iso-8859-1"? # Exponential configuration file for connection and authentication of users via LDAP # [LDAPSettings] LDAPDebugTrace=enabled # Enable tracing the the ldap login, outputs extensive debug info for use during setup # NOTE: Do not keep this enabled on production setup as login name and passwords will be # logged to logfiles or outputted if DebugOutput settings are enabled. LDAPDebugTrace=enabled # Set LDAP version number LDAPVersion=3 # Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not. # set to 1 to enable LDAPFollowReferrals=0 # Set to true if use LDAP server LDAPEnabled=true # LDAP host LDAPServer=gcwwdc01.example.co.uk # Port nr for LDAP, default is 389 LDAPPort=389 # Specifies the base DN for the directory. LDAPBaseDn=DC--example,DC--co,DC--uk # If the server does not allow anonymous bind, specify the user name for the bind here. LDAPBindUser=<intranetuser> # If the server does not allow anonymous bind, specify the password for the bind here. LDAPBindPassword=<intranetpassword> # Could be sub, one, base. LDAPSearchScope=sub # Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters LDAPEqualSign=-- # Add extra search requirment. Uncomment it if you don't need it. # Example LDAPSearchFilters[]=objectClass--inetOrgPerson LDAPSearchFilters[]=objectCategory--person # LDAP attribute for login. Normally, uid LDAPLoginAttribute=sAMAccountName LDAPDebugTrace=enabled LDAPUserGroupType=name LDAPUserGroupAttribute=intranetAdmin LDAPGroupBaseDN = DC--example, DC--co, DC--uk LDAPGroupMappingType=SimpleMapping LDAPGroupClass=group LDAPUserGroupAttribute=cn LDAPUserGroupMap[] LDAPUserGroupMap[intranetAdmin]=intranetAdmin Any help suggestions would be really appreciated many thanks Nicholas
Robin Muilwijk	Friday 27 August 2010 1:14:27 pm Hi Nicholas, Do you have this working already? I'm no expert on this, but can you check http://ez.no/doc/ez_publish/technical_manual/4_x/reference/configuration_files/ldap_ini/ldapsettings/ldapusergrouptype You use LDAPUserGroupType=name, and the link/doc page says you then need to set LDAPUsergroup, where instead you set the LDAPUserGroupAttribute ? This is the only inconsistency I've been able to find, as LDAP n00b ;) Regards Robin Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation. LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk
Nicolas Pastorino	Monday 30 August 2010 12:24:14 am Hi Nicholas, You can also have a look here : http://share.ez.no/forums/install-configuration/ldap-user-groups-activedirectory-ez-publish Cheers ! -- Nicolas Pastorino Director Community - eZ Member of the Community Project Board eZ Publish Community on twitter: http://twitter.com/ezcommunity t : http://twitter.com/jeanvoye G+ : http://plus.tl/jeanvoye

Author

Message

nicholas king

Thursday 29 July 2010 2:24:21 am

Hello,
I am currently really struggling to get AD and Exponential group mappings to work. At the moment a user enters their details into the login boxes, Exponential delves into AD finds the user and creates and adds them to the members group in Exponential.

I have trawled the documentation and forums and tried all the things suggested and still i cannot stop users from going into the members group.

Currently i can confirm that:-

*The Active directory Exponential connection is currently working.
*Exponential puts all AD users who log in into the members directory.

my settings inside ldap.ini.append.php are as follows:-

#?ini charset="iso-8859-1"?
# Exponential configuration file for connection and authentication of users via LDAP
#
[LDAPSettings]
LDAPDebugTrace=enabled
# Enable tracing the the ldap login, outputs extensive debug info for use during setup
# NOTE: Do not keep this enabled on production setup as login name and passwords will be
# logged to logfiles or outputted if DebugOutput settings are enabled.
LDAPDebugTrace=enabled
# Set LDAP version number
LDAPVersion=3
# Determines whether the LDAP library automatically follows referrals returned by LDAP servers or not.
# set to 1 to enable
LDAPFollowReferrals=0
# Set to true if use LDAP server
LDAPEnabled=true
# LDAP host
LDAPServer=gcwwdc01.example.co.uk
# Port nr for LDAP, default is 389
LDAPPort=389
# Specifies the base DN for the directory.
LDAPBaseDn=DC--example,DC--co,DC--uk
# If the server does not allow anonymous bind, specify the user name for the bind here.
LDAPBindUser=<intranetuser>
# If the server does not allow anonymous bind, specify the password for the bind here.
LDAPBindPassword=<intranetpassword>
# Could be sub, one, base.
LDAPSearchScope=sub
# Use the equla sign to replace "=" when specify LDAPBaseDn or LDAPSearchFilters
LDAPEqualSign=--
# Add extra search requirment. Uncomment it if you don't need it.
# Example LDAPSearchFilters[]=objectClass--inetOrgPerson
LDAPSearchFilters[]=objectCategory--person
# LDAP attribute for login. Normally, uid
LDAPLoginAttribute=sAMAccountName
LDAPDebugTrace=enabled
LDAPUserGroupType=name
LDAPUserGroupAttribute=intranetAdmin
LDAPGroupBaseDN = DC--example, DC--co, DC--uk
LDAPGroupMappingType=SimpleMapping
LDAPGroupClass=group
LDAPUserGroupAttribute=cn
LDAPUserGroupMap[]
LDAPUserGroupMap[intranetAdmin]=intranetAdmin

Any help suggestions would be really appreciated

many thanks

Nicholas

Robin Muilwijk

Friday 27 August 2010 1:14:27 pm

Hi Nicholas,

Do you have this working already? I'm no expert on this, but can you check http://ez.no/doc/ez_publish/technical_manual/4_x/reference/configuration_files/ldap_ini/ldapsettings/ldapusergrouptype

You use LDAPUserGroupType=name, and the link/doc page says you then need to set LDAPUsergroup, where instead you set the LDAPUserGroupAttribute ?

This is the only inconsistency I've been able to find, as LDAP n00b ;)

Regards Robin

Board member, eZ Publish Community Project Board - Member of the share.ez.no team - Key values: Openness and Innovation.

LinkedIn: http://nl.linkedin.com/in/robinmuilwijk // Twitter: http://twitter.com/i_robin // Skype: robin.muilwijk

Nicolas Pastorino

Monday 30 August 2010 12:24:14 am

Hi Nicholas,

You can also have a look here :
http://share.ez.no/forums/install-configuration/ldap-user-groups-activedirectory-ez-publish

Cheers !

--
Nicolas Pastorino
Director Community - eZ
Member of the Community Project Board

eZ Publish Community on twitter: http://twitter.com/ezcommunity

t : http://twitter.com/jeanvoye
G+ : http://plus.tl/jeanvoye