
View Full Version : Active Directory Group Problems



sps196
01-28-2008, 03:38 PM
Hi,

I can add groups from our Active Directory LDAP setup, but it never seems to associate the users with the group. My settings are:

groupquery = (&(objectCategory=group)(samAccountName=$1))
groupqueryall = (objectClass=group)
groupmembersattribute = memberOf

If I browse to:

http://myhost/@api/deki/services/default/10/groups/GroupName

Then I can see the information for GroupName. If I leave out the GroupName I was initially getting timeouts. After increasing the timeout I get a "LdapException: (4) Sizelimit Exceeded". Our LDAP server probably has a _lot_ of groups.

However, when logging in or browsing the pages I don't see this error message get generated in the log, so it doesn't look like it needs the complete list of groups to work. Hence, I'm not convinced that this error message is relevant.

Has anyone got any ideas? How can I collect more debugging info?

I'm running the latest VM release:

"You are using MindTouch Deki Wiki 1.8.3b (rev. 8168) running on: Linux 2.6.18-5-686, PHP 5.2.0-8+etch9, mySQL 14.12 distribution 5.0.32, and Mono 1.2.2.1."

sps196
01-28-2008, 04:24 PM
Aha... Found some more information after doing a user query. The results show the full group name, complete with spaces. But I've been unable to add the group using the full group name. Instead I added it using the alias name.

When I query the group using the alias name the CN is still listed correctly, but I suspect this is the cause of the problem.

I've munged the group names in the output below, but you should be able to see what's going on:

http://myhost/@api/deki/services/default/10/users/myuser

...
<groups>
<group name="My Groups Full Name">
<ldap-dn>
CN=My Full Group Name,OU=Distribution Groups,OU=Exchange,DC=xxx,DC=com
</ldap-dn>
</group>
</groups>
...

But to look up the group (and to add it), I have to use its Alias Name:

http://myhost/@api/deki/services/default/10/groups/MyGroupsAlias

<group name="MyGroupsAlias">
<ldap-dn>
CN=My Groups Full Name,OU=Distribution Groups,OU=Exchange,DC=xxx,DC=com
</ldap-dn>
<date.created>2004-10-15T14:43:23Z</date.created>
</group>

So you can see the CN matches, but the group name is changing. If it was possible to add the group using the full name instead of the alias I think it would work correctly.

sps196
01-29-2008, 02:49 PM
Right, I manually altered the group_name in the groups table to match the full name and now it all works correctly.

Perhaps there is some issue with the encoding of spaces in a group name?
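A small diagnostic for the mismatch described in this thread, added here as an example and not part of the original posts or of MindTouch Deki: it parses the <groups> fragment returned by the users API and the <group> element returned by the groups API, extracts the CN from each ldap-dn, and reports any group whose stored name differs from its CN (the condition that required editing group_name by hand above). The XML below is constructed from the munged output in the thread, and the element and attribute names are assumed to be exactly as shown there.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the (munged) API output in the thread: the users API reports
# the group under its CN, while the groups API stored the samAccountName alias
# that was used to add the group.
USERS_API_GROUPS = """<groups>
<group name="My Groups Full Name">
<ldap-dn>CN=My Groups Full Name,OU=Distribution Groups,OU=Exchange,DC=xxx,DC=com</ldap-dn>
</group>
</groups>"""

GROUPS_API_GROUP = """<group name="MyGroupsAlias">
<ldap-dn>CN=My Groups Full Name,OU=Distribution Groups,OU=Exchange,DC=xxx,DC=com</ldap-dn>
<date.created>2004-10-15T14:43:23Z</date.created>
</group>"""


def dn_rdns(dn):
    """Split a DN into RDNs, honouring backslash-escaped commas (RFC 4514)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn)]


def dn_cn(dn):
    """Return the first CN value of a DN with RFC 4514 escapes removed, or None."""
    for rdn in dn_rdns(dn):
        attr, _, value = rdn.partition('=')
        if attr.strip().upper() == 'CN':
            return re.sub(r'\\(.)', r'\1', value)
    return None


def group_name_mismatches(xml_text):
    """Return (stored name, CN from ldap-dn) for every <group> whose name differs from its CN."""
    root = ET.fromstring(xml_text)
    mismatches = []
    for g in root.iter('group'):  # includes root itself when root is a <group>
        dn_el = g.find('ldap-dn')
        if dn_el is None or not dn_el.text:
            continue
        cn = dn_cn(dn_el.text.strip())
        name = g.get('name')
        if cn is not None and name != cn:
            mismatches.append((name, cn))
    return mismatches


if __name__ == "__main__":
    for stored, cn in group_name_mismatches(GROUPS_API_GROUP):
        print(f"group_name {stored!r} does not match CN {cn!r}")
```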