LDAP group access control problem

Hi,

I have a problem with the LDAP group mapping funciotnalities...even if all seems to be ok (user authentication, mapping between groups and users, etc...) I cannot use the LDAP group for managing the access control (ALLOWWEBCHANGE, etc..)

I have already checked the FINALPREFERENCES around foswiki but all seems to be ok...

Thanks in advance

-- LorenzoNicolodi - 02 Nov 2009

Can you provide a little bit more details, please?

Where did you set ALLOWWEBCHANGE? How does the setting exactly look like?

-- MichaelDaum - 03 Nov 2009

I have set ALLOWWEBCHANGE in the WebPreferences of the web I want to manage...

Here are the access management settings of the web:

• Set DENYWEBVIEW =
• Set ALLOWWEBVIEW =
• Set DENYWEBCHANGE =
• Set ALLOWWEBCHANGE = SupportGruppe
• Set DENYWEBRENAME =
• Set ALLOWWEBRENAME = AdminUser,SupportGruppe

Do you need other info?

Thanks a lot!

-- LorenzoNicolodi - 05 Nov 2009

Where is SupportGruppe defined: in LDAP or in the Main web of your Foswiki?

Try %USERINFO{"SupportGruppe"}% to see what it knows about it. Also check your Main.WikiGroups.

-- MichaelDaum - 05 Nov 2009

The SupportGruppe is defined in the AD ... the groups are retrieved in the right way from the AD and the association group <--> users is ok (in Main.WikiGroups I see, for example, SupportGruppe on the left and the right users' name in camel-case e.g. NameSurname on the right)...

Anyway, using %USERINFO{"SupportGruppe"}%, it retrieves the users in the format name@mycompany.com ... which is quite strange....isn't it?

-- LorenzoNicolodi - 05 Nov 2009

At the bottom of the Main.WikiGroups page I have seen this sentence:

Note: A group topic name must be a WikiWord and must end in ...Group. New topics are based on GroupTemplate

Does the fact that my group names end with Grouppe instead of Group matter?

-- LorenzoNicolodi - 05 Nov 2009

This sentence is irrelevant as all of your groups come from LDAP. Please check the {GroupAttribute} and {MemberIndirection} settings and your apache error.log for anything related.

-- MichaelDaum - 05 Nov 2009

I have double checked these values...the GroupAttribute is correct, I suppose, because the names of the groups in the groups' table are right and the name of the users are right too..and I have already put the flag on MemberIndirection...

-- LorenzoNicolodi - 05 Nov 2009

Any new suggestion?

-- LorenzoNicolodi - 10 Nov 2009

I have discovered something new..

I have my user which belongs to the SupportGruppe described above and for troubleshooting purpose I have inserted in a page two macros, getting the following results:

%USERINFO{"SupportGruppe"}% --> in this case I get the something line "unknown, SupportGruppe, user1@mycompany.com, user2@mycompany.com, [email protected]"

%USERINFO{ format="EMAIL $emails USERNAME $username WIKINAME $wikiname WIKIUSERNAME $wikiusername GROUPS $groups" }% --> In this case I get all the information apart from the $groups (nothing is displayed after the word "GROUPS")

Are these info useful?

Thanks a lot!

-- LorenzoNicolodi - 13 Nov 2009