
Thread: AD group members not allowed in

  1. #11 (Join Date: May 2008, Location: Yukon, Canada, Posts: 450)

    From http://wiki/deki-cp/authentication.php I learn that the domain URI is http://wiki/@api/deki/services/default/10 (and the SID is sid://mindtouch.com/2007/05/BETA/ldap-authentication) [strike]but when I try and open the URI I get the error "This error (HTTP 405 Method Not Allowed) means that Internet Explorer was able to connect to the website, but the site has a programming error."[/strike]

    [Later] Once again, I'm proving I can't read. You said "append users/username". The results for that show an empty <groups /> tag.
    Code:
    <user name="my_ad_shortname" displayname="Matt Wilkie">
      <ldap-dn>CN=Matt.Wilkie,OU=users,OU=Environment,OU=Users and Groups,DC=DOMAIN,DC=ca</ldap-dn>
      <date.created>2002-03-09T18:00:22Z</date.created>
      <firstname>Matt</firstname>
      <lastname>Wilkie</lastname>
      <phonenumber>555-1212</phonenumber>
      <email>me@work</email>
      <description>Job Title</description>
      <groups />
    </user>
    Last edited by maphew; 11-07-2008 at 07:46 PM.
    -- matt

  2. #12 (Join Date: May 2008, Location: Yukon, Canada, Posts: 450)

    AHA! I'm on the right track, but don't know as yet how to solve it. The username query via services only works when "my_ad_shortname" is used. This works: http://wiki/@api/deki/services/defau...users/username
    This fails: http://wiki/@api/deki/services/defau...sers/User_Name
    However, the latter is what is being used for signing pages etc.

    Here are the authentication parameters (http://wiki/deki-cp/authentication.php?params=edit%2F10)
    Code:
    displayname-pattern: {givenname} {sn}
    userquery: samAccountName=$1
    hostname: pdc.my.domain.ca
    searchbase: dc=my,dc=domain,dc=ca
    bindingdn: ldapuser@my.domain.ca
    groupmembershipquery: (&(uniqueMember=$1)(objectClass=groupOfUniqueNames))
    bindingpw: secretpassword
    groupquery: (&(objectCategory=group)(sAMAccountName=$1))
    Last edited by maphew; 11-07-2008 at 08:06 PM. Reason: added auth parameters
    -- matt

  3. #13 [solved] (Join Date: May 2008, Location: Yukon, Canada, Posts: 450)

    SOLUTION: remove 'groupmembershipquery' key from the ldap authentication service at http://wiki/deki-cp/authentication.php?params=edit%2F10

    Thanks to this phrase "Only use this if you're having issues returning groups that a user belongs to." from http://wiki.developer.mindtouch.com/...Authentication, but in my case it proved to be DON'T use this if you're having trouble returning groups!

    Other threads useful in understanding what was happening:
    http://forums.developer.mindtouch.co...ead.php?t=3551
    http://forums.developer.mindtouch.co...ead.php?t=3219
    -- matt

  4. #14 (Join Date: Oct 2006, Location: San Diego (PB!), Posts: 787)

    Glad you got it figured out! The groupmembershipquery is generally only useful for openldap or edirectory where there's no memberof attribute on users to take advantage of. So now when looking up users in the external service you see their groups show up as well?
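
    To make MaxM's point concrete, here is an added Python example (not MindTouch's code and not from the thread) that runs the filters from post #12 against two tiny in-memory directories: an Active Directory-style one, where membership is recorded on the user entry as a multi-valued memberOf attribute, and an OpenLDAP-style one, where membership is recorded only on the group as groupOfUniqueNames/uniqueMember. All DNs, account names and group names below are constructed for the example, and the filter evaluator covers only the small subset of LDAP filter syntax the thread's parameters use.

```python
"""Why the OpenLDAP-style groupmembershipquery returns nothing against Active Directory.

Added example, not MindTouch code. Two constructed in-memory directories and a
minimal LDAP filter evaluator (only (&...), (|...) and attr=value equality; no
RFC 4515 escaping) show which of the thread's filters can find the user's groups
in each directory model.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]  # dn -> attribute name -> values

# Constructed AD-style directory: membership lives on the user (memberOf)
# and on the group (member); there is no groupOfUniqueNames / uniqueMember.
AD_DIR: Directory = {
    "CN=Matt.Wilkie,OU=users,DC=example,DC=ca": {
        "objectClass": ["user"],
        "sAMAccountName": ["mwilkie"],
        "displayName": ["Matt Wilkie"],
        "memberOf": ["CN=wiki-editors,OU=groups,DC=example,DC=ca"],
    },
    "CN=wiki-editors,OU=groups,DC=example,DC=ca": {
        "objectClass": ["group"],
        "objectCategory": ["group"],
        "sAMAccountName": ["wiki-editors"],
        "member": ["CN=Matt.Wilkie,OU=users,DC=example,DC=ca"],
    },
}

# Constructed OpenLDAP-style directory: the user entry says nothing about
# groups; membership is recorded only on the group entry.
OPENLDAP_DIR: Directory = {
    "uid=mwilkie,ou=people,dc=example,dc=ca": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["mwilkie"],
        "cn": ["Matt Wilkie"],
    },
    "cn=wiki-editors,ou=groups,dc=example,dc=ca": {
        "objectClass": ["groupOfUniqueNames"],
        "cn": ["wiki-editors"],
        "uniqueMember": ["uid=mwilkie,ou=people,dc=example,dc=ca"],
    },
}

# Filters exactly as they appear in the thread's authentication parameters.
USERQUERY = "samAccountName=$1"
GROUP_MEMBERSHIP_QUERY = "(&(uniqueMember=$1)(objectClass=groupOfUniqueNames))"
GROUPQUERY = "(&(objectCategory=group)(sAMAccountName=$1))"


def _split_children(body: str) -> List[str]:
    """Split '(a=b)(c=d)...' into its top-level parenthesised children."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry: Entry, filt: str) -> bool:
    """Evaluate a filter against one entry. Attribute names and values are
    compared case-insensitively, as LDAP does for DN-valued attributes."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        filt = f"({filt})"  # bare 'attr=value', as in the userquery parameter
    inner = filt[1:-1]
    if inner and inner[0] in "&|":
        results = [matches(entry, child) for child in _split_children(inner[1:])]
        return all(results) if inner[0] == "&" else any(results)
    attr, _, value = inner.partition("=")  # first '=' only: values may be DNs
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in values)


def search(directory: Directory, filt: str, param: str) -> List[str]:
    """Substitute $1 (as the service does) and return the DNs that match."""
    return [dn for dn, e in directory.items() if matches(e, filt.replace("$1", param))]


def resolve_user(directory: Directory, login: str) -> List[str]:
    """userquery path: only the sAMAccountName form of the login matches."""
    return search(directory, USERQUERY, login)


def groups_via_membership_query(directory: Directory, user_dn: str) -> List[str]:
    """groupmembershipquery path: look for groups that list the user's DN."""
    return search(directory, GROUP_MEMBERSHIP_QUERY, user_dn)


def groups_via_memberof(directory: Directory, user_dn: str) -> List[str]:
    """The path taken when groupmembershipquery is absent: read memberOf."""
    return list(directory.get(user_dn, {}).get("memberOf", []))


if __name__ == "__main__":
    ad_dn = "CN=Matt.Wilkie,OU=users,DC=example,DC=ca"
    ol_dn = "uid=mwilkie,ou=people,dc=example,dc=ca"
    print("AD  user by short name :", resolve_user(AD_DIR, "mwilkie"))
    print("AD  user by display    :", resolve_user(AD_DIR, "Matt Wilkie"))
    print("AD  groupmembershipquery:", groups_via_membership_query(AD_DIR, ad_dn))
    print("AD  memberOf            :", groups_via_memberof(AD_DIR, ad_dn))
    print("AD  groupquery          :", search(AD_DIR, GROUPQUERY, "wiki-editors"))
    print("OL  groupmembershipquery:", groups_via_membership_query(OPENLDAP_DIR, ol_dn))
```

    Against the AD-style data the groupOfUniqueNames/uniqueMember filter finds no groups at all, while memberOf on the user entry and the sAMAccountName-based groupquery both resolve them; against the OpenLDAP-style data only the groupmembershipquery finds the group, which is the case it exists for. The same evaluator also shows the post #12 symptom: the userquery matches the sAMAccountName form of the login and not the display-name form.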

  5. #15 (Join Date: May 2008, Location: Yukon, Canada, Posts: 450)

    Quote (MaxM): Glad you got it figured out!
    Yes, me too. It's been the last stopper for rolling out the wiki for "real" work.

    Quote (MaxM): So now when looking up users in the external service you see their groups show up as well?
    Yes, that's right.
    -- matt
