Aitzol Naberan | 10 May 17:41

CPS3.4 + LDAP

Hi all,

I need full integration (users, groups and roles) between LDAP and CPS,
so I have started playing with the CPSLDAPSetup product, and now I'm able to
authenticate users against LDAP (still have some errors, but ...). Next I
have started to prepare the directories structure for the groups. I have
created an LDAP Backing directory called groups_ldap (with its schema and
layout), then I have replaced the original groups directory with another
Meta directory called groups. I have added the groups_ldap directory as
a Backing and I have mapped the groups_ldap attributes to the groups schema.

Well, now I can do searches for groups using the directories search
interface (I can ask for a group called 'system', and I get results). If
I extend the groups info to see the users of this group, I get a list of
'DN' attributes from LDAP. How can I get usernames?

And another question, how can I get groups info for a user? I suppose I
have to ask the LDAP server, but I don't know how (a computed
attribute in the schema????)

Thanks.
--

-- 
Aitzol Naberan Burgaña
CodeSyntax
http://www.codesyntax.com
943 82 17 80

_______________________________________________
cps-devel mailing list
http://lists.nuxeo.com/mailman/listinfo/cps-devel
Olivier Grisel | 10 May 17:59

Re: CPS3.4 + LDAP

Aitzol Naberan wrote:

> I need full integration (users, groups and roles) between LDAP and CPS,
> so I have started playing with the CPSLDAPSetup product, and now I'm able to
> authenticate users against LDAP (still have some errors, but ...). Next I
> have started to prepare the directories structure for the groups. I have
> created an LDAP Backing directory called groups_ldap (with its schema and
> layout), then I have replaced the original groups directory with another
> Meta directory called groups. I have added the groups_ldap directory as
> a Backing and I have mapped the groups_ldap attributes to the groups schema.

You probably do not need a MetaDirectory but you need a StackingDirectory to be 
able to translate primary keys (DN <-> group id).

> Well, now I can do searches for groups using the directories search
> interface (I can ask for a group called 'system', and I get results). If
> I extend the groups info to see the users of this group, I get a list of
> 'DN' attributes from LDAP. How can I get usernames?

Hum, this is tricky because DNs do not mean anything to CPS. You could add a 
computed field that does the translation however but you won't be able to search 
groups according to their members (computed fields are not evaluated in search 
mode).

> And another question, how can I get groups info for a user? I supose I
> have to ask to the LDAP server, but I don't know how (a computed
> attribute in the schema???? )

Currently this is done through read_process_expr-based computed fields in the 
members schema but this might not be the best solution. Write process 
expressions might be a better idea.

--

-- 
Olivier


Georges Racinet | 10 May 18:15

Re: Re: CPS3.4 + LDAP


On 10 May 2006, at 17:59, Olivier Grisel wrote:

> Aitzol Naberan wrote:
>
>> I need full integration (users, groups and roles) between LDAP and CPS,
>> so I have started playing with the CPSLDAPSetup product, and now I'm able to
>> authenticate users against LDAP (still have some errors, but ...). Next I
>> have started to prepare the directories structure for the groups. I have
>> created an LDAP Backing directory called groups_ldap (with its schema and
>> layout), then I have replaced the original groups directory with another
>> Meta directory called groups. I have added the groups_ldap directory as
>> a Backing and I have mapped the groups_ldap attributes to the groups schema.
>
> You probably do not need a MetaDirectory but you need a
> StackingDirectory to be able to translate primary keys (DN <-> group
> id).

Congrats anyway, you've come a long way. Just being curious:
	which objectClass do you use for groups, is it groupOfNames?
	what's your plan for roles with respect to LDAP schemas?

>
>> Well, now I can do searches for groups using the directories search
>> interface (I can ask for a group called 'system', and I get results). If
>> I extend the groups info to see the users of this group, I get a list of
>> 'DN' attributes from LDAP. How can I get usernames?
>
> Hum, this is tricky because DNs do not mean anything to CPS. You could
> add a computed field that does the translation however but you won't be
> able to search groups according to their members (computed fields are
> not evaluated in search mode).
>
>> And another question, how can I get groups info for a user? I suppose I
>> have to ask the LDAP server, but I don't know how (a computed
>> attribute in the schema????)
>
> Currently this is done through read_process_expr-based computed fields
> in the members schema but this might not be the best solution. Write
> process expressions might be a better idea.

And the other way round in the pure ZODB setup... There's also a write 
process expression in those default setups: if you change the groups on 
the user's entry, this will update the corresponding groups directory 
entries.

The methods doing this synthesis are defined and registered here:
https://svn.nuxeo.org/pub/CPSDirectory/trunk/FieldNamespace.py

About a pure write expression solution, I don't remember much of what 
we said about it, Olivier, was there more to it than just avoiding the 
search on read-process fields?

Needless to say, if you've come to a satisfactory setup, we'd be more 
than happy to integrate it in CPSLDAPSetup.


Olivier Grisel | 10 May 18:27

Re: CPS3.4 + LDAP

Georges Racinet a écrit :


> The methods doing this synthesis are defined and registered here:
> https://svn.nuxeo.org/pub/CPSDirectory/trunk/FieldNamespace.py
>
> About a pure write expression solution, I don't remember much of what we
> said about it, Olivier, was there more to it than just avoiding the
> search on read-process fields?

If you use crossSetList in both schemas (members and groups) as a
write_process_expr, one should take care of not triggering infinite loops.

--
Olivier
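The loop Olivier warns about, as an added example that is not CPS code: an in-memory stand-in for the members and groups directories where every edit runs a write process that mirrors the change into the other side, the way a mutual crossSetList write_process_expr would. It assumes the field names cpsGroups and members, and shows that whether the two write processes chase each other forever depends on whether an entry is stored before or after its write process runs, and that a re-entrancy guard ends the loop in either order.

```python
from typing import Dict, List, Set, Tuple

# The field on each side that references the other directory (assumed names).
FIELD = {"members": "cpsGroups", "groups": "members"}
OTHER = {"members": "groups", "groups": "members"}


class Directories:
    """Constructed stand-in for the CPS members/groups directory pair (not CPS
    code). Each edit runs a write process that mirrors the change into the other
    directory, as a crossSetList write_process_expr on both schemas would."""

    def __init__(self, store_before_propagate: bool, guarded: bool,
                 max_edits: int = 50) -> None:
        self.data: Dict[str, Dict[str, Dict[str, List[str]]]] = {
            "members": {"alice": {"cpsGroups": ["system"]}, "bob": {"cpsGroups": []}},
            "groups": {"system": {"members": ["alice"]}, "webmail": {"members": []}},
        }
        self.store_before_propagate = store_before_propagate
        self.guarded = guarded
        self.max_edits = max_edits          # watchdog: a loop fails loudly
        self.edit_calls = 0
        self.in_progress: Set[Tuple[str, str]] = set()
        self.write_log: List[str] = []

    def get_list(self, dirname: str, eid: str) -> List[str]:
        return list(self.data[dirname].get(eid, {}).get(FIELD[dirname], []))

    def edit_entry(self, dirname: str, eid: str, value: List[str]) -> None:
        key = (dirname, eid)
        if self.guarded and key in self.in_progress:
            return  # re-entrant write caused by our own cross update: stop here
        self.edit_calls += 1
        if self.edit_calls > self.max_edits:
            raise RuntimeError("write loop between members and groups")
        self.in_progress.add(key)
        try:
            old = self.get_list(dirname, eid)
            if self.store_before_propagate:
                self._store(dirname, eid, value)
            self._cross_set_list(dirname, eid, old, value)
            if not self.store_before_propagate:
                self._store(dirname, eid, value)
        finally:
            self.in_progress.discard(key)

    def _store(self, dirname: str, eid: str, value: List[str]) -> None:
        self.data[dirname][eid] = {FIELD[dirname]: list(value)}
        self.write_log.append(f"{dirname}/{eid}")

    def _cross_set_list(self, dirname: str, eid: str,
                        old: List[str], new: List[str]) -> None:
        """Add eid to the other side's list for every newly referenced id and
        remove it for every dropped one; write only when something changes."""
        other = OTHER[dirname]
        for oid in sorted(set(new) - set(old)):
            cur = self.get_list(other, oid)
            if eid not in cur:
                self.edit_entry(other, oid, cur + [eid])
        for oid in sorted(set(old) - set(new)):
            cur = self.get_list(other, oid)
            if eid in cur:
                self.edit_entry(other, oid, [x for x in cur if x != eid])


def loops(store_before_propagate: bool, guarded: bool) -> bool:
    """True when adding bob to webmail never terminates under this setup."""
    d = Directories(store_before_propagate, guarded)
    try:
        d.edit_entry("members", "bob", ["webmail"])
    except RuntimeError:
        return True
    return False


def sync_bob(store_before_propagate: bool, guarded: bool) -> Directories:
    """Run the same edit and hand back the directories for inspection."""
    d = Directories(store_before_propagate, guarded)
    d.edit_entry("members", "bob", ["webmail"])
    return d
```

Only the unguarded store-after order loops; the guard makes the result consistent on both sides regardless of order, and the watchdog turns an accidental loop into an error instead of a hung request.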
Georges Racinet | 10 May 18:56

Re: Re: CPS3.4 + LDAP


On 10 May 2006, at 18:27, Olivier Grisel wrote:

> Georges Racinet wrote:
>
>> The methods doing this synthesis are defined and registered here:
>> https://svn.nuxeo.org/pub/CPSDirectory/trunk/FieldNamespace.py
>> About a pure write expression solution, I don't remember much of what
>> we said about it, Olivier, was there more to it than just avoiding
>> the search on read-process fields?
>
> If you use crossSetList in both schemas (members and groups) as a
> write_process_expr, one should take care of not triggering infinite
> loops.

Yep that's right. IMHO, the current system isn't so bad. It's tolerable
not being able to search members by the groups they belong to.
Aitzol Naberan | 11 May 10:33

Re: Re: CPS3.4 + LDAP

Thanks for your replies, I will mix both mails here to answer your
comments:

Olivier:
> You probably do not need a MetaDirectory but you need a StackingDirectory
> to be able to translate primary keys (DN <-> group id)

I can get group_id from the meta directory mapping cn<->group. But it
has a problem: I can't use the local_role interface to assign local roles to
a group. If I use a Stacking Directory (updated doc about directories
would be great!) I can assign local roles to a group, but I can't see
groups info in Directories search (but this is a minor problem, so I
prefer the stack directory)

Georges:
> which objectClass do you use for groups, is it groupOfNames?
> what's your plan for roles with respect to LDAP schemas?

objectClass for groups is groupOfUniqueNames. For the roles I will try the
same approach (I have something done), but if you have something in mind
I will be happy to listen to your ideas. Roles objectClass is also
groupOfUniqueNames.

> Needless to say, if you've come to a satisfactory setup, we'd be more
> than happy to integrate it in CPSLDAPSetup.

If there is an easy way of exporting my setup I have no problem sending it.

I don't understand very well the read_process_expr-based
part. Is there a way to execute a script from the schema? I mean
something like doing a search in LDAP to get user groups. Is this possible?


--

-- 
Aitzol Naberan Burgaña
CodeSyntax
http://www.codesyntax.com
943 82 17 80

Olivier Grisel | 11 May 11:46

Re: CPS3.4 + LDAP

Aitzol Naberan wrote:
> Thanks for your replies, I will mix both mails here to answer your
> comments:
> 
> Olivier:
>> You probably do not need a MetaDirectory but you need a StackingDirectory
>> to be able to translate primary keys (DN <-> group id)
> 
> I can get group_id from the meta directory mapping cn<->group. But it
> has a problem: I can't use the local_role interface to assign local roles to
> a group. If I use a Stacking Directory (updated doc about directories
> would be great!) I can assign local roles to a group, but I can't see
> groups info in Directories search (but this is a minor problem, so I
> prefer the stack directory)

You can use both, as for the members directories. The stacking is needed on top 
of the ldap dir to do the dn <-> cn translation of the primary key ("id field") 
and the meta dir can be used to rename some fields if necessary. The 
localrole interface should only use the fields that are tagged 'id field' and 
'title field' in the top level dirs.

> objectClass for groups is groupOfUniqueNames. For the roles I will try the
> same approach (I have something done), but if you have something in mind
> I will be happy to listen to your ideas. Roles objectClass is also
> groupOfUniqueNames.

Would it be possible to store the uid of the members instead of the dns in your 
groupOfUniqueNames field ?

>> Needless to say, if you've come to a satisfactory setup, we'd be more than happy to integrate it in
CPSLDAPSetup. 

There should be an export tab for each directory or better you can use the 
export tab of portal_setup and export the directories, schemas and layouts steps.

> If there is an easy way of exporting my setup I have no problem sending it.
> 
> I don't understand very well the read_process_expr-based
> part. Is there a way to execute a script from the schema? I mean
> something like doing a search in LDAP to get user groups. Is this possible?

Yes, as I said earlier look at the members schemas: the fields cpsGroups and 
cpsRoles are computed fields that use crossSetList and crossGetList functions 
that are available in the fields namespaces.

--

-- 
Olivier


Aitzol Naberan | 15 May 17:42

Re: Re: CPS3.4 + LDAP


Olivier Grisel wrote:
> Aitzol Naberan wrote:
>> I can get group_id from the meta directory mapping cn<->group. But it
>> has a problem: I can't use the local_role interface to assign local roles to
>> a group. If I use a Stacking Directory (updated doc about directories
>> would be great!) I can assign local roles to a group, but I can't see
>> groups info in Directories search (but this is a minor problem, so I
>> prefer the stack directory)
> 
> 
> You can use both, as for the members directories. The stacking is needed
> on top of the ldap dir to do the dn <-> cn translation of the primary
> key ("id field") and the meta dir can be used to rename some
> fields if necessary. The localrole interface should only use the fields
> that are tagged 'id field' and 'title field' in the top level dirs.
>
OK, I set up both directories and now I get results from directory
search and from local_roles_form (still some search problem, I get all
the groups, the filter doesn't work).

>> objectClass for groups is groupOfUniqueNames. For the roles I will try the
>> same approach (I have something done), but if you have something in mind
>> I will be happy to listen to your ideas. Roles objectClass is also
>> groupOfUniqueNames.
> 
> 
> Would it be possible to store the uid of the members instead of the dns
> in your groupOfUniqueNames field ?
> 
I don't know if it is possible or not (sorry, not an LDAP guru), but
tomorrow I will probe my setup with another LDAP and with an AD.

>>> Needless to say, if you've come to a satisfactory setup, we'd be more
>>> than happy to integrate it in CPSLDAPSetup. 
> 
> 
> There should be an export tab for each directory or better you can use
> the export tab of portal_setup and export the directories, schemas and
> layouts steps.
Are you interested in those files? If yes, where can I send them?

I have another problem: if I try to change a user's preference (e.g.
webmail_acount yes/no) I get an error. It seems like CPS is trying to
write a ZODB property into LDAP (I think it is something related to
CPSLDAPSetup, but I'm not so sure). Do you know something about that?

Thanks
--

-- 
Aitzol Naberan Burgaña
CodeSyntax
http://www.codesyntax.com
943 82 17 80

Jean-Marc Orliaguet | 15 May 19:01

Re: Re: CPS3.4 + LDAP


Hi, could you please publish the files or maybe update the documentation
for LDAPUserFolderSetup when it works :-)? I started working on
connecting LDAP groups to CPS some months ago and didn't get any farther
than getting a list of group members.
thanks
Fabrice Robin | 16 May 09:42

Re: Re: CPS3.4 + LDAP

Hi,

You will find attached my LDAP setup for members and groups.
These are the settings for an openldap directory with the use of samba and posix schemas.

With these settings, the CPS groups are the system groups used on the network.
Any group created through CPS is created in the ZODB (groups_zodb).

Hope it will help,
Fabrice Robin

Fabrice Robin | 16 May 09:43

Re: Re: CPS3.4 + LDAP

Oups



Attachment (bbsone-ldap.zip): application/zip, 14 KiB
Olivier Grisel | 16 May 15:48

Re: CPS3.4 + LDAP

Fabrice Robin wrote:

> Hi,
>
> You will find attached my LDAP setup for members and groups.
> These are the settings for an openldap directory with the use of
> samba and posix schemas.
>
> With these settings, the CPS groups are the system groups used on
> the network.
> Any group created through CPS is created in the ZODB (groups_zodb).

Thanks, I have opened a ticket to add such a configuration option in
CPSLDAPSetup:

http://svn.nuxeo.org/trac/pub/ticket/1648

Don't have time to do it now, though.

--
Olivier
jacques.champliaud | 17 May 14:26

Re: CPS3.4 + LDAP


I have tried to make CPSLDAPSetup work, my schemas are derived partly from the
bbs-one's schemas (which I cannot import, at least easily, due to a problem
with a <property name="schemas"/> line in some schemas).
In my schemas, objectClass for groups is groupOfUniqueNames.

Three levels of directories for groups: Meta, stack and ldap.
Ok it is almost working well:
I get the correct groups name list with security/Manage Local Roles

but ...
1) when the mapping in the metadirectory called groups is set to:
id in groups_stack : uniqueMember <==>  id in groups : members
then the members list is correctly displayed in CPS directories view but
a user being member of a group with correct rights on a workspace
can't view this workspace

2) when the mapping is set to:
id in groups_stack : uniqueMember <==>  id in groups : dummy
then the members list can't be retrieved, CPS complains about a
missing members key, but a user being member of a group with
correct rights on a workspace can view it

Any idea to make this work correctly?

I had to copy/paste the groups directory to mycompanygroups
and set the mapping to:
id in groups_stack : uniqueMember <==>  id in mycompanygroups : members

This way everything works but the groups membership list.

Names of members in the mycompanygroups's view are correctly displayed
thanks to an external python script called from
portal_schemas/groups_ldap/f__uniqueMember Read expression:
python:portal.members_list(uniqueMember)
members_list being a function accepting a list type argument in the form
['uid=fname1.name1,ou=people,dc=mycomp,dc=fr',
'uid=fname2.name2,ou=people,dc=mycomp,dc=fr']
and returning a list in the form
['fname1.name1','fname2.name2']
(curiously this function is called 10 times by CPS when listing
the members of a group, no matter the number of members this group
contains.)
These 10 times being made of 5 times two calls, first call with the real list
(uid=...), second call with the list returned by the first call
(I'm not sure I'm clear).

CPSMailaccess works too.
my webmail config:
 Access field (field:value) :  WebmailAllow:allow

 WebmailAllow is a Directory string ldap attribute created for this
purpose and containing the word "allow" if the user can use the webmail

 but you can set a simpler condition if you don't mind giving the
webmail access to all of your users, for instance:
 Access field (field:value) :  uid:!a_dummy_string_that_is_not_a_real_uid
Be prepared to use the undo button when playing with this condition as CPS
breaks and there's no way to get back to the webmail config form.


Olivier Grisel | 17 May 15:48

Re: CPS3.4 + LDAP

jacques.champliaud wrote:
> 
> I have tried to make CPSLDAPSetup work, my schemas are derived partly from the
> bbs-one's schemas (which I cannot import, at least easily, due to a problem
> with a <property name="schemas"/> line in some schemas)

You will need CPS trunk or CPS 3.4.1 (that should get released by the end of the 
week) to have proper multi schema support for the directories.

> In my schemas, objectClass for groups is groupOfUniqueNames
> 
> Three levels of directories for groups: Meta, stack and ldap
> Ok it is almost working well:
> I get the correct groups name list with security/Manage Local Roles
> 
> but ...
> 1) when the mapping in the metadirectory called groups is set to:
> id in groups_stack : uniqueMember <==>  id in groups : members
> then the members list is correctly displayed in CPS directories view but
> a user being member of a group with correct rights on a workspace 
> can't view this workspace
> 
> 2) when the mapping is set to:
> id in groups_stack : uniqueMember <==>  id in groups : dummy
> then the members list can't be retrieved, CPS complains about a 
> missing members key, but a user being member of a group with 
> correct rights on a workspace can view it
> 
> Any idea to make this work correctly?

See later.

> I had to copy/paste the groups directory to mycompanygroups 
> and set the mapping to:
> id in groups_stack : uniqueMember <==>  id in mycompanygroups : members
> 
> This way everything works but the groups membership list.
> 
> Names of members in the mycompanygroups's view are correctly displayed
> thanks to an external python script called from 
> portal_schemas/groups_ldap/f__uniqueMember Read expression:
> python:portal.members_list(uniqueMember)
> members_list being a function accepting a list type argument in the form
> ['uid=fname1.name1,ou=people,dc=mycomp,dc=fr',
> 'uid=fname2.name2,ou=people,dc=mycomp,dc=fr']
> and returning a list in the form
> ['fname1.name1','fname2.name2']

Beware that read_process_expr are not computed in search mode (searchEntries 
API). That might be related to your problem of having the members of a group get 
the right local roles.

--

-- 
Olivier


jacques.champliaud | 17 May 21:52

Re: CPS3.4 + LDAP

Olivier Grisel <ogrisel@...> writes:

> Beware that read_process_expr are not computed in search mode (searchEntries
> API). That might be related to your problem of having the members of
> a group get the right local roles.
> 

Ok, so I completely removed the field uniqueMember from
portal_schemas/groups_ldap object. A user being member of a group with 
correct rights on a workspace can *still* view this workspace. 
This means that CPS can retrieve the membership of a user without 
using the groups portal_directories... and as the ldap entry 
of a user doesn't list the groups he belongs to...
I suspect this is due to the python expression :
python:util.dirCrossGetList('groups', 'members', data.get('uid'))
in the Read: expression of portal_schemas/members_ldap/f__cpsGroups

Am I correct ?

But even this way, as the members of a group are listed in the fields
uniqueMember of the ldap groups schema, where is the uniqueMember field
mentioned in CPS ?
And how can I use it to limit the groups a member can list 
( the Entry Local Roles GroupMember python:entry_id in
getUserEntry().get('groups', []) doesn't work )
Thanks


Aitzol Naberan | 23 May 08:18

Re: Re: CPS3.4 + LDAP

And what about roles?

I have tried the same approach as in groups, but it doesn't work, all users
get all roles...

It will be the same as in groups... or not?

-- 
Aitzol Naberan Burgaña
CodeSyntax
http://www.codesyntax.com
943 82 17 80
Fabrice Robin | 17 May 15:47

Re: Re: CPS3.4 + LDAP

I should have told you that:

1- The provided example bbsone-ldap.zip only works with CPSDirectory version from the Trunk SVN.
The "schemas" property did not exist in MetaDirectory.py from the CPS-3.4.0 tagged CPSDirectory version. It had been added later.

2- A patch, provided early on this list, must be installed in order to get/set photo for members.

Regards,
Fabrice


2006/5/17, jacques.champliaud <jacques.champliaud-GANU6spQydw@public.gmane.org>:
Olivier Grisel <ogrisel <at> ...> writes:

>
> Fabrice Robin a écrit :
>
> >     Hi,
> >
> >     You will find in attachment my LDAP setup for members and groups.
> >     These are the settings for an openldap directory with the use of
> >     samba and posix schemas.
> >
> >     With these settings, the CPS groups are the system groups used on
> >     the network.
> >     Any group created through CPS is created in the ZODB (groups_zodb).
>
> Thanks, I have opened a ticket to add a such a configuration option in
CPSLDAPSetup:
>
> http://svn.nuxeo.org/trac/pub/ticket/1648
>
> Don't have time to do it now, though.

I have tried to make CPSLDAPSetup work, my schemas are derived partly from the
bbs-one's schemas ( which I cannot import (at least easily) due to a problem
with a <property name="schemas"/> line in some schemas )
In my schemas, objectClass for groups is groupOfUniqueNames

Three levels of directories for groups: Meta, stack and ldap
Ok it is almost working well :
I get the correct groups name list with security/Manage Local Roles

but ...
1)when the mapping in the metadirectory called groups is set to:
id in groups_stack : uniqueMember <==>  id in groups : members
then the members list is correctly displayed in CPS directories view but
a user being member of a group with correct rights on a workspace
can't view this workspace

2) when the mapping is set to :
id in groups_stack : uniqueMember <==>  id in groups : dummy
then the members list can't be retrieved; CPS complains about a
missing members key, but a user being member of a group with
correct rights on a workspace can view it

Any idea to make this work correctly ?

I had to copy/paste the groups directory to mycompanygroups
and set the mapping to:
id in groups_stack : uniqueMember <==>  id in mycompanygroups : members

This way everything works but the groups membership list.

names of members in the mycompanygroups's view are correctly displayed
thanks to an external python script called from
portal_schemas/groups_ldap/f__uniqueMember  Read
expression:python:portal.members_list(uniqueMember)
members_list being a function accepting a list type argument in the form
['uid=fname1.name1,ou=people,dc=mycomp,dc=fr',
'uid=fname2.name2,ou=people,dc=mycomp,dc=fr']
and returning a list in the form
['fname1.name1','fname2.name2']
(Curiously, this function is called 10 times by CPS when listing
the members of a group, no matter the number of members this group
contains.)
These 10 times are made of 5 times two calls: the first call with the real list
(uid=...), the second call with the list returned by the first call
(I'm not sure I'm clear).


CPSMailaccess works too.
my webmail config:
Access field (field:value) :  WebmailAllow:allow

WebmailAllow is a Directory string ldap attribute created for this
purpose and containing the word "allow" if the user can use the webmail

but you can set a simpler condition if you don't mind giving the
webmail access to all of your users, for instance:
Access field (field:value) :  uid:!a_dummy_string_that_is_not_a_real_uid
Be prepared to use the undo button when playing with this condition, as CPS
breaks and there's no way to get back to the webmail config form.











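The `members_list` helper the thread describes (uniqueMember DNs in, member ids out), written here as an added example that is not code from the thread or from CPS; it also covers the reverse lookup that the `f__cpsGroups` Read expression performs via `util.dirCrossGetList('groups', 'members', uid)`, done over an in-memory dict. `PEOPLE_BASE` is a constructed value matching the thread's DN shape; `groups_of` and the strict base check are this example's own choices.

```python
# Added example (not code from the thread or from CPS): a members_list() that
# maps uniqueMember DNs to CPS member ids via the uid RDN, as in the thread's
# uid=fname1.name1,ou=people,dc=mycomp,dc=fr. PEOPLE_BASE is constructed here.
import re

PEOPLE_BASE = 'ou=people,dc=mycomp,dc=fr'

def split_dn(dn):
    """Split a DN on commas not preceded by a backslash (RFC 4514 '\\,' escapes).
    Simplification: an escaped backslash right before a comma is not handled."""
    return re.split(r'(?<!\\),', dn)

def unescape(value):
    """Decode '\\,' style and '\\2C' style (single-byte hex) escapes in an RDN value."""
    return re.sub(r'\\([0-9a-fA-F]{2})|\\(.)',
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
                  value)

def uid_from_dn(dn, base=PEOPLE_BASE):
    """uid RDN value of a member DN located directly under `base`, else None."""
    rdns = split_dn(dn)
    attr, sep, value = rdns[0].partition('=')
    parent = ','.join(r.strip().lower() for r in rdns[1:])
    if not sep or attr.strip().lower() != 'uid' or parent != base.lower():
        return None  # not a user entry under the people branch: never guess an id
    return unescape(value.strip())

def members_list(unique_members):
    """Read expression helper for f__uniqueMember: DNs in, member ids out."""
    if isinstance(unique_members, str):  # LDAP may hand back a single value
        unique_members = [unique_members]
    ids = []
    for value in unique_members:
        # CPS re-runs the expression on its own output (observed in the thread),
        # so plain ids pass through unchanged; foreign or malformed DNs are dropped.
        uid = uid_from_dn(value) if '=' in value else value
        if uid and uid not in ids:
            ids.append(uid)
    return ids

def groups_of(uid, groups):
    """Reverse lookup over `groups` (group id -> uniqueMember values): the ids of
    the groups whose resolved members include `uid`, using the same strict mapping."""
    return sorted(g for g, members in groups.items() if uid in members_list(members))
```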
