LDAP - Active Directory

LDAP - Active Directory

Wicus
Hi,

Within framework/security/config/jndiLdap.properties one can specify the LDAP - Active Directory integration with ldap.dn.template=cn=%u,cn=Users

Problem is, this will ONLY work with the Administrator account

Note: Users (which is a system folder) is specified as a cn,
         whereas custom OUs (i.e. IT etc.) are specified as an ou.

To allow this to work with normal users, one can specify, via Party Manager -> Party ID (Details) -> Edit under User Names -> LDAP Distinguished Name, the DN as follows, e.g.

cn=Christopher Johnstone,ou=IT,ou=Head Office,dc=OURDOMAIN,dc=co,dc=uk

Note: The %u = ChristopherJ <- the logon username

YET for authentication to work, YOU NEED to specify the FULL NAME "Christopher Johnstone" !

Can anyone please advise on a variable one can use to forward the FULL NAME and NOT the USERNAME?



Secondly, as we have OUs for different departments, branches etc., OFBiz users are spread all across the site, including child domains.

I have created an ofbiz OU with an ofbiz group within the ofbiz OU, then made all the related users members of this ofbiz group.

This would be a very efficient solution, should I get it to work... The DN specification I tried is:

cn=Christopher Johnstone,ou=ofbiz,dc=OURDOMAIN,dc=co,dc=uk

Naturally, user Christopher Johnstone (ChristopherJ) is part of the OFBIZ group located within the OFBIZ OU.


This does not work for me at present though. Any ideas would be greatly appreciated.

I hope the additional notes help others in due time.

Thanks
Re: LDAP - Active Directory

Jacques Le Roux
Administrator
As a quick note (I did not look into any details) would you be interested by
 https://issues.apache.org/jira/browse/OFBIZ-1689 ?

Jacques

From: "Wicus" <[hidden email]>

> --
> View this message in context: http://www.nabble.com/LDAP---Active-Directory-tp19217057p19217057.html
> Sent from the OFBiz - User mailing list archive at Nabble.com.
Re: LDAP - Active Directory

Adrian Crum-2
In reply to this post by Wicus
Wicus,

Your description of the OFBiz LDAP integration is correct.

The template in framework/security/config/jndiLdap.properties is intended to be used in simple installations where all OFBiz users are in a single OU.

The LDAP Distinguished Name field in Party Manager is intended to be used in more complicated installations like the one you described.

I disagree with you that the template "will ONLY work with the Administrator" - we use the template here and all users can log in without any problems.

The problem you are encountering is specific to Active Directory. Your solution to fix it is a good idea.

If I understand you correctly, you want to use the template - but instead of using %u for the user login name, you would like to use a different variable (or variables), say %l for last name, and %f for first name. If that is the case, you could modify your local copy to do that and test your idea. If it is successful, then you can submit a patch to Jira and I will get it committed.

-Adrian

--- On Fri, 8/29/08, Wicus <[hidden email]> wrote:

> From: Wicus <[hidden email]>
> Subject: LDAP - Active Directory
> To: [hidden email]
> Date: Friday, August 29, 2008, 2:59 AM

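A worked example of the template expansion Adrian describes, added here for this thread (it is not OFBiz code and does not reproduce how OFBiz itself expands ldap.dn.template). Two facts explain what Wicus sees: in Active Directory the RDN of a user object is its cn, which by default is the full display name, while %u carries the logon name (the sAMAccountName); for the built-in Administrator the two coincide, so cn=%u,cn=Users resolves, but for "Christopher Johnstone" / ChristopherJ it does not. The Users container is a container object, not an organizationalUnit, which is why its RDN attribute is cn and the hand-made OUs use ou. The example takes %u from the thread, adds the hypothetical %f and %l variables Adrian proposed, and escapes every substituted value per RFC 4514 section 2.4, because a value containing "," or "+" would otherwise change the structure of the resulting DN rather than stay one RDN value. The user record, the base DN dc=OURDOMAIN,dc=co,dc=uk and the hostile login are constructed for the demonstration.

```python
"""Expand an OFBiz-style ldap.dn.template with RFC 4514 escaping.

Added example written for this thread; it is not OFBiz code and does
not reproduce how OFBiz itself expands the template. %u (the login
name) is the variable from jndiLdap.properties; %f and %l are the
hypothetical first-name and last-name variables Adrian suggested.
The base DN dc=OURDOMAIN,dc=co,dc=uk is the thread's example.
"""
import re

# Characters that must be backslash-escaped anywhere in an attribute
# value of a string DN (RFC 4514 section 2.4).
_SPECIAL = set('",+;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot terminate or extend an RDN."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")          # NUL is written as its hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")           # leading/trailing space survives only when escaped
        elif ch == "#" and i == 0:
            out.append("\\#")           # a leading '#' would otherwise start a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


# Template variable -> user attribute. %u is OFBiz's; %f and %l are hypothetical.
_VARS = {"u": "login", "f": "first_name", "l": "last_name"}

_TOKEN = re.compile(r"%(.)")


def expand_dn_template(template: str, user: dict) -> str:
    """Substitute %u/%f/%l into the template, escaping each value as an RDN value."""
    def repl(match):
        key = match.group(1)
        if key == "%":
            return "%"                  # '%%' is a literal percent sign (this example's convention)
        if key not in _VARS:
            raise ValueError("unknown template variable %" + key)
        return escape_rdn_value(user[_VARS[key]])
    return _TOKEN.sub(repl, template)


def expand_dn_template_unsafe(template: str, user: dict) -> str:
    """The naive expansion: plain string replacement, no escaping. For contrast only."""
    result = template
    for key, attr in _VARS.items():
        result = result.replace("%" + key, user[attr])
    return result


BASE_DN = "dc=OURDOMAIN,dc=co,dc=uk"
# Constructed sample user, matching the names used in the thread.
USER = {"login": "ChristopherJ", "first_name": "Christopher", "last_name": "Johnstone"}

if __name__ == "__main__":
    # The stock template shape, with the base DN appended, only matches
    # accounts whose CN equals the logon name (e.g. Administrator).
    print(expand_dn_template("cn=%u,cn=Users," + BASE_DN, USER))
    # A template using the hypothetical name variables yields the DN the
    # original poster otherwise has to enter by hand in Party Manager.
    print(expand_dn_template("cn=%f %l,ou=IT,ou=Head Office," + BASE_DN, USER))
    # A login containing DN metacharacters stays a single RDN value once escaped.
    hostile = dict(USER, login="ChristopherJ,ou=Privileged")
    print(expand_dn_template_unsafe("cn=%u,cn=Users," + BASE_DN, hostile))
    print(expand_dn_template("cn=%u,cn=Users," + BASE_DN, hostile))
```

The unsafe variant is there only to show the difference: with it, the hostile login moves the bind target to a different parent in the tree; with escaping, the comma is part of the cn value and the bind simply fails for a non-existent entry. Whatever variables a local patch adds, the substituted values should go through an escaper like this one.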

     

Re: LDAP - Active Directory

Shi Jinghai
In reply to this post by Wicus
Perhaps you want to make your LDAP look like this (assuming you're in a
university):
by university organization chart
   |
   -departmentA
     |
     -labA
        |
        -personA
   |
   -collegeB
     |
     -branchC
        |
        -personD
by application roles (each leaf is a member or alias of the organization
chart)
   |
   -OFBiz
     |
     -Catalog
       |
       -USER
         |
         -personA
       |
       -ADMIN
         |
         -personD

If so, you have to change the implementation accordingly. It's not difficult
to do so.

Regards,

Shi Jinghai/Beijing Langhua Ltd.


On Fri, 2008-08-29 at 02:59 -0700, Wicus wrote:


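A worked example of the role lookup behind Shi Jinghai's second tree and Wicus's "ofbiz group" idea, added for this thread (it is not OFBiz code). The point both approaches rely on: putting a user into a group does not move the user object, so its DN stays wherever it sits in the organisation chart, and the bind still has to use that real DN. The application role is then a separate question answered by group membership. In Active Directory the memberOf attribute lists direct memberships only, so nested groups have to be walked (or queried server-side with the LDAP_MATCHING_RULE_IN_CHAIN extensible match, OID 1.2.840.113556.1.4.1941). The directory below is constructed in memory to mirror the two trees in the post above, with one org-chart group nested into a role group and the ADMIN group nested into USER; every DN and name in it is hypothetical.

```python
"""Resolve OFBiz-style application roles from LDAP group membership.

Added example written for this thread; it is not OFBiz code. The
in-memory directory below is constructed to mirror the two trees in
Shi Jinghai's post: user objects live in the organisation chart, and
role groups under ou=OFBiz list them as members. Every DN and name
here is hypothetical, including the base DN taken from the thread.
"""
from collections import deque

BASE_DN = "dc=OURDOMAIN,dc=co,dc=uk"
ROLE_BASE = "ou=OFBiz," + BASE_DN

PERSON_A = "cn=personA,ou=labA,ou=departmentA," + BASE_DN
PERSON_D = "cn=personD,ou=branchC,ou=collegeB," + BASE_DN
CHRIS = "cn=Christopher Johnstone,ou=IT,ou=Head Office," + BASE_DN
LAB_A_STAFF = "cn=labA staff,ou=labA,ou=departmentA," + BASE_DN
CATALOG_USER = "cn=USER,ou=Catalog," + ROLE_BASE
CATALOG_ADMIN = "cn=ADMIN,ou=Catalog," + ROLE_BASE

# Constructed sample directory: DN -> attributes. Only objectClass and the
# group's forward link (member) are modelled; memberOf is derived from it.
DIRECTORY = {
    PERSON_A: {"objectClass": "user"},
    PERSON_D: {"objectClass": "user"},
    CHRIS: {"objectClass": "user"},
    # An org-chart group that is itself nested into a role group.
    LAB_A_STAFF: {"objectClass": "group", "member": [PERSON_A]},
    # Role groups. ADMIN is nested into USER so admins also hold the USER role.
    CATALOG_USER: {"objectClass": "group", "member": [LAB_A_STAFF, CHRIS, CATALOG_ADMIN]},
    CATALOG_ADMIN: {"objectClass": "group", "member": [PERSON_D]},
}


def build_member_of_index(directory):
    """Invert member into a memberOf map. DN comparison is case-insensitive,
    as in AD; this example does not otherwise normalise DNs."""
    index = {}
    for dn, attrs in directory.items():
        if attrs.get("objectClass") != "group":
            continue
        for member in attrs.get("member", []):
            index.setdefault(member.lower(), []).append(dn)
    return index


def transitive_groups(directory, user_dn):
    """Breadth-first walk up the membership graph. The visited map makes the
    walk terminate even if two groups are members of each other."""
    index = build_member_of_index(directory)
    found = {}
    queue = deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group in index.get(dn.lower(), []):
            key = group.lower()
            if key not in found:
                found[key] = group
                queue.append(group)
    return list(found.values())


def resolve_roles(directory, user_dn, role_base=ROLE_BASE):
    """Map the groups under role_base to 'Application/ROLE' names; groups
    elsewhere in the tree (org-chart groups) are ignored."""
    suffix = "," + role_base.lower()
    roles = set()
    for group in transitive_groups(directory, user_dn):
        if not group.lower().endswith(suffix):
            continue
        rdns = group[: -len(suffix)].split(",")
        values = [rdn.split("=", 1)[1] for rdn in rdns]   # cn=USER,ou=Catalog -> USER, Catalog
        roles.add("/".join(reversed(values)))
    return roles


if __name__ == "__main__":
    for dn in (PERSON_A, PERSON_D, CHRIS):
        print(dn, "->", sorted(resolve_roles(DIRECTORY, dn)))
```

Against a live directory the same walk is a sequence of searches on member or memberOf, run after the user's own bind has succeeded, with the visited set still needed because nested groups can form cycles. Note that a user's primary group (Domain Users by default) is not listed in member or memberOf, so it is invisible to this walk.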

Re: LDAP - Active Directory

Wicus
In reply to this post by Adrian Crum-2
Thanks all,

Will get back to this a bit later, as I am unfortunately a little strapped for time at present.