[opensuse-buildservice] Can't get group information from LDAP
Hi! I am installing a standalone version of OBS in a corporate environment. We use OpenLDAP for identification. User authentication works well, but the webui does not even ask for information about groups. I looked at the tcpdump output, the OpenLDAP log and production.log. What could be the problem? (The LDAP connection configuration is shown below.)

ldap_mode: :on
# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.
ldap_servers: ldap.mysite.com
# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15
# The attribute the user memberof is stored in
# ldap_user_memberof_attr: memberof
# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
# It depends on your ldap define
# The attribute the group member is stored in
ldap_group_member_attr: member
# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
ldap_ssl: :on
# Use StartTLS extension of LDAP
ldap_start_tls: :off
# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
#ldap_port:
# Authentication with Windows 2003 AD requires
ldap_referrals: :off
# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: ou=People, dc=mysite, dc=com
# Sam Account Name is the login name for LDAP
ldap_search_attr: uid
# The attribute the users name is stored in
ldap_name_attr: cn
# The attribute the users email is stored in
ldap_mail_attr: mail
# Credentials to use to search ldap for the username
ldap_search_user: ""
ldap_search_auth: ""
# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
#
# To allow only users in a specific group uncomment this line:
ldap_user_filter: (mail=*@mysite.com)
#
# Note this is joined to the normal selection like so:
# (&(#{dap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
#
# Also note that openLDAP must be configured to use the memberOf overlay
# ldap_authenticate says how the credentials are verified:
# :ldap = attempt to bind to ldap as user using supplied credentials
# :local = compare the credentials supplied with those in
# LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
# if :local is used then ldap_auth_mech can be
# :md5
# :cleartext
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword
# Whether to update the user info to LDAP server, it does not take effect
# when ldap_mode is not set.
# Since adding new entry operation are more depend on your slapd db define, it might not
# compatiable with all LDAP server settings, you can use other LDAP client tools for your specific usage
ldap_update_support: :off
# ObjectClass, used for adding new entry
ldap_object_class: inetOrgPerson
# Base dn for the new added entry
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
# Does sn attribute required, it is a necessary attribute for most of people objectclass,
# used for adding new entry
ldap_sn_attr_required: :on
# Whether to search group info from ldap, it does not take effect
# when LDAP_GROUP_SUPPOR is not set.
# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
ldap_group_support: :on
# OVERRIDE with your company's ldap search base for groups
ldap_group_search_base: site=jenkins.mysite.com,ou=devops,ou=Technology,ou=MYSITE,ou=Projects
# The attribute the group name is stored in
ldap_group_title_attr: op
# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
ldap_group_objectclass_attr: iponwebPermission
participants (1)
-
Konstantin Rudenkov
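
The comments in the posted configuration describe how `ldap_user_filter` is joined to the user search. The Ruby code below is an added example, not part of the original post and not OBS source: it builds that filter with RFC 4515 escaping of the login and checks that the pasted-in fragment is balanced. The group filter shape, the helper names and the sample login and DN are assumptions made for illustration.

```ruby
# Added example (not OBS source). Option values are copied from the posted config.
CONFIG = {
  ldap_search_attr: 'uid',
  ldap_user_filter: '(mail=*@mysite.com)',
  ldap_group_member_attr: 'member',
  ldap_group_objectclass_attr: 'iponwebPermission'
}.freeze

# RFC 4515: NUL, '(', ')', '*' and '\' inside an assertion value must be
# written as a backslash followed by two hex digits.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# ldap_user_filter is pasted into the search unescaped, so it has to consist
# of one or more complete, balanced parenthesised filters.
def filter_fragment_ok?(fragment)
  return false unless fragment.start_with?('(') && fragment.end_with?(')')
  depth = 0
  fragment.each_char do |c|
    depth += 1 if c == '('
    depth -= 1 if c == ')'
    return false if depth.negative?
  end
  depth.zero?
end

# User lookup, joined the way the config comment describes:
# (&(<ldap_search_attr>=<login>)<ldap_user_filter>)
def user_search_filter(login, cfg = CONFIG)
  base = "(#{cfg[:ldap_search_attr]}=#{escape_filter_value(login)})"
  extra = cfg[:ldap_user_filter].to_s
  return base if extra.empty?
  raise ArgumentError, 'ldap_user_filter is not a balanced filter' unless filter_fragment_ok?(extra)
  "(&#{base}#{extra})"
end

# ASSUMED shape of a membership search on the group entry's member attribute;
# OBS may build it differently.
def group_search_filter(user_dn, cfg = CONFIG)
  member = "(#{cfg[:ldap_group_member_attr]}=#{escape_filter_value(user_dn)})"
  oc = cfg[:ldap_group_objectclass_attr].to_s
  oc.empty? ? member : "(&(objectclass=#{oc})#{member})"
end

if __FILE__ == $PROGRAM_NAME
  puts user_search_filter('jdoe')                                  # constructed login
  puts group_search_filter('uid=jdoe,ou=People,dc=mysite,dc=com')  # constructed DN
end
```

Comparing the printed filters with what tcpdump or the OpenLDAP log shows on the wire tells you whether a group search is being issued at all.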