Mailinglist Archive: opensuse-buildservice (132 mails)

[opensuse-buildservice] Can't get group information from LDAP

I installed the standalone version of OBS in a corporate environment. We use OpenLDAP for
identification. Users' authentication runs well, but the webui does not even ask for
information about groups. I looked at the tcpdump output, the OpenLDAP log &
production.log. What can the problem be? (The configuration of the connection with LDAP is
shown below.)

ldap_mode: :on

# LDAP Servers separated by ':'.
# OVERRIDE with your company's ldap servers. Servers are picked randomly for
# each connection to distribute load.

# Max number of times to attempt to contact the LDAP servers
ldap_max_attempts: 15

# The attribute the user memberof is stored in
# ldap_user_memberof_attr: memberof

# Perform the group_user search with the member attribute of the group entry or
# the memberof attribute of the user entry.
# It depends on your ldap definition.
# The attribute the group member is stored in
ldap_group_member_attr: member

# If you're using ldap_authenticate=:ldap then you should ensure that
# ldaps is used to transfer the credentials over SSL or use the StartTLS
ldap_ssl: :on

# Use StartTLS extension of LDAP
ldap_start_tls: :off

# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
# Authentication with Windows 2003 AD requires
ldap_referrals: :off

# OVERRIDE with your company's ldap search base for the users who will use OBS
ldap_search_base: ou=People, dc=mysite, dc=com
# Sam Account Name is the login name for LDAP
ldap_search_attr: uid
# The attribute the users name is stored in
ldap_name_attr: cn
# The attribute the users email is stored in
ldap_mail_attr: mail
# Credentials to use to search ldap for the username
ldap_search_user: ""
ldap_search_auth: ""

# By default any LDAP user can be used to authenticate to the OBS
# In some deployments this may be too broad and certain criteria should
# be met; eg group membership
# To allow only users in a specific group uncomment this line:
ldap_user_filter: (mail=*
# Note this is joined to the normal selection like so:
# (&(#{ldap_search_attr}=#{login})#{ldap_user_filter})
# giving an ldap search of:
# (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
# Also note that openLDAP must be configured to use the memberOf overlay

# ldap_authenticate says how the credentials are verified:
# :ldap = attempt to bind to ldap as user using supplied credentials
# :local = compare the credentials supplied with those in
# LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
# if :local is used then ldap_auth_mech can be
# :md5
# :cleartext
ldap_authenticate: :ldap
ldap_auth_mech: :md5
# This is a string
ldap_auth_attr: userPassword

# Whether to update the user info to LDAP server, it does not take effect
# when ldap_mode is not set.
# Since the add-new-entry operation depends on your slapd db definition, it
# might not be compatible with all LDAP server settings; you can use other
# LDAP client tools for your specific usage.
ldap_update_support: :off
# ObjectClass, used for adding new entry
ldap_object_class: inetOrgPerson
# Base dn for the new added entry
ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
# Whether the sn attribute is required; it is a necessary attribute for most
# person object classes used for adding a new entry.
ldap_sn_attr_required: :on

# Whether to search group info from ldap; it does not take effect
# when LDAP_GROUP_SUPPORT is not set.
# Please also set the LDAP_GROUP_* configs below correctly to ensure the
# operation works properly.
ldap_group_support: :on
# OVERRIDE with your company's ldap search base for groups
# The attribute the group name is stored in
ldap_group_title_attr: op
# The value of the group objectclass attribute; leave it as "" if the
# objectclass attribute doesn't exist
ldap_group_objectclass_attr: iponwebPermission
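The config comments above describe how OBS joins `ldap_search_attr`, the login and `ldap_user_filter` into one search filter, and that group lookup can run either from the group entry's member attribute or from the user entry's memberof attribute. The following is an added example, not OBS code and not from the poster: it builds those filters the way the comments describe, escapes the login per RFC 4515 so a crafted username cannot rewrite the filter, and checks that a configured `ldap_user_filter` is syntactically closed before it is joined in. The function names and all sample values (logins, DNs, group names) are constructed for the example.

```python
"""Build and sanity-check the LDAP filters that OBS's LDAP mode composes.

Added example (not OBS code). The composition rule
(&(<ldap_search_attr>=<login>)<ldap_user_filter>) is taken from the config
comments; the escaping is RFC 4515; helper names and sample values are
constructed here.
"""
import re

# RFC 4515 section 3: these bytes must be hex-escaped inside an assertion
# value, otherwise a login such as "*)(uid=*" changes the filter's meaning.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value that is interpolated into an LDAP search filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def filter_parens_balanced(flt: str) -> bool:
    """Cheap well-formedness check: filters are fully parenthesised and
    every '(' must be closed. An unclosed user filter would make the joined
    (&...) expression unparseable on the server side."""
    depth = 0
    for ch in flt:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and flt.startswith('(') and flt.endswith(')')


def user_search_filter(search_attr: str, login: str, user_filter: str = '') -> str:
    """(&(<ldap_search_attr>=<login>)<ldap_user_filter>), as the config
    comment describes; with no user filter only the equality term is used."""
    base = f'({search_attr}={escape_filter_value(login)})'
    if not user_filter:
        return base
    if not filter_parens_balanced(user_filter):
        raise ValueError(f'ldap_user_filter is not a well-formed filter: {user_filter!r}')
    return f'(&{base}{user_filter})'


def group_search_filter(objectclass: str, member_attr: str, user_dn: str) -> str:
    """Group-side lookup: groups whose <ldap_group_member_attr> lists the
    user's DN, restricted to <ldap_group_objectclass_attr> when it is set."""
    terms = []
    if objectclass:
        terms.append(f'(objectClass={escape_filter_value(objectclass)})')
    terms.append(f'({member_attr}={escape_filter_value(user_dn)})')
    return f'(&{"".join(terms)})' if len(terms) > 1 else terms[0]


# First RDN of a DN: "attr=value" where value may contain escaped commas.
_FIRST_RDN = re.compile(r'^\s*([^=,]+)=((?:\\.|[^,\\])*)')


def groups_from_memberof(memberof_values, title_attr: str):
    """User-side lookup: derive group names from the user's memberof DNs by
    taking the leading RDN whose attribute matches ldap_group_title_attr.
    Simplification: a real client would read title_attr from each group entry."""
    names = []
    for dn in memberof_values:
        m = _FIRST_RDN.match(dn)
        if m and m.group(1).strip().lower() == title_attr.lower():
            names.append(m.group(2))
    return names


if __name__ == '__main__':
    print(user_search_filter('uid', 'alice', '(mail=*)'))
    print(user_search_filter('uid', '*)(uid=*'))
    print(group_search_filter('groupOfNames', 'member',
                              'uid=alice,ou=People,dc=example,dc=com'))
    print(groups_from_memberof(['cn=obs-admins,ou=Groups,dc=example,dc=com'], 'cn'))
```

Running the user-filter check over a config's `ldap_user_filter` value before enabling `ldap_group_support` is a quick way to rule out a malformed filter as the reason a group search never happens, and the escaping is what keeps the login interpolation safe regardless of which lookup strategy is configured.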
