Posted to user@ofbiz.apache.org by Wicus <wi...@webmail.co.za> on 2008/08/29 11:59:58 UTC

LDAP - Active Directory

Hi,

Within framework/security/config/jndiLdap.properties one can specify the
LDAP - Active Directory integration with ldap.dn.template=cn=%u,cn=Users

Problem is, this will ONLY work with the Administrator account

Note: Users (which is a system folder) is specified as a cn,
         whereas custom OUs (i.e. IT etc.) are specified as an ou

To allow this to work with normal users, one can specify via Party Manager
-> Party ID (Details) -> Edit under User Names -> LDAP Distinguished Name
the DN as follows i.e.

cn=Christopher Johnstone,ou=IT,ou=Head Office,dc=OURDOMAIN,dc=co,dc=uk

Note: The %u = ChristopherJ <- the logon username 

YET for authentication to work, YOU NEED to specify the FULL NAME
"Christopher Johnstone" !

Can anyone please advise on a variable one can use to forward the FULL NAME
and NOT the USERNAME?



Secondly, as we have OUs for different departments, branches etc., OFBiz
users are spread all across the site, including child domains.

I have created an ofbiz OU with an ofbiz group within the ofbiz OU. Then made
all the related users members of this ofbiz group.

This would be a very efficient solution, should I get it to work... The DN
specification I tried is:

cn=Christopher Johnstone,ou=ofbiz,dc=OURDOMAIN,dc=co,dc=uk

Naturally, user Christopher Johnstone (ChristopherJ) is part of the OFBIZ
group located within the OFBIZ ou.


This does not work for me at present though. Any ideas would be greatly
appreciated.

I hope the additional notes help others in due time.

Thanks
-- 
View this message in context: http://www.nabble.com/LDAP---Active-Directory-tp19217057p19217057.html
Sent from the OFBiz - User mailing list archive at Nabble.com.


Re: LDAP - Active Directory

Posted by Shi Jinghai <sh...@langhua.cn>.
Perhaps you want to make your LDAP look like this (assuming you're in a
university):
by university organization chart
   |
   -departmentA
     |
     -labA
        |
        -personA
   |
   -collegeB
     |
     -branchC
        |
        -personD
by application roles (each leaf is a member or alias of the organization
chart)
   |
   -OFBiz
     |
     -Catalog
       |
       -USER
         |
         -personA
       |
       -ADMIN
         |
         -personD

If so, you have to change the implementation accordingly. It's not difficult
to do so.

Regards,

Shi Jinghai/Beijing Langhua Ltd.




Re: LDAP - Active Directory

Posted by Jacques Le Roux <ja...@les7arts.com>.
As a quick note (I did not look into any details) would you be interested in
https://issues.apache.org/jira/browse/OFBIZ-1689 ?

Jacques


Re: LDAP - Active Directory

Posted by Wicus <wi...@webmail.co.za>.
Thanks all,

Will get back to this a bit later, as I am unfortunately a little strapped
for time at present.
-- 
View this message in context: http://www.nabble.com/LDAP---Active-Directory-tp19217057p19255474.html
Sent from the OFBiz - User mailing list archive at Nabble.com.


Re: LDAP - Active Directory

Posted by Adrian Crum <ad...@yahoo.com>.
Wicus,

Your description of the OFBiz LDAP integration is correct.

The template in framework/security/config/jndiLdap.properties is intended to be used in simple installations where all OFBiz users are in a single OU.

The LDAP Distinguished Name field in Party Manager is intended to be used in more complicated installations like the one you described.

I disagree with you that the template "will ONLY work with the Administrator" - we use the template here and all users can log in without any problems.

The problem you are encountering is specific to Active Directory. Your solution to fix it is a good idea.

If I understand you correctly, you want to use the template - but instead of using %u for the user login name, you would like to use a different variable (or variables), say %l for last name, and %f for first name. If that is the case, you could modify your local copy to do that and test your idea. If it is successful, then you can submit a patch to Jira and I will get it committed.

-Adrian

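The thread's two points are the `ldap.dn.template=cn=%u,cn=Users` substitution from the original post and Adrian's suggestion of extra placeholders such as `%f` and `%l` for first and last name. The following Python is an added example, not OFBiz code: `%u` is the placeholder OFBiz uses, `%f` and `%l` are the hypothetical ones from the reply, and the escaping follows RFC 4514 so that a login name or display name containing DN metacharacters cannot add or alter RDNs in the bind DN that is built from the template.

```python
import re

# RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot start a new RDN or attribute."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would read as hex-encoded
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def expand_dn_template(template: str, values: dict) -> str:
    """Expand %u (login name), %f (first name) and %l (last name).

    %u is the placeholder OFBiz actually uses; %f and %l are the hypothetical
    additions proposed in the thread.  Every substituted value is escaped.
    """
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"template uses %{key} but no value was supplied")
        return escape_rdn_value(values[key])
    # With a callable replacement, re.sub inserts the result literally, so the
    # backslashes added by escape_rdn_value survive unchanged.
    return re.sub(r"%([ufl])", substitute, template)


def rdn_count(dn: str) -> int:
    """Number of RDNs in a DN, splitting only on unescaped commas."""
    return len(re.split(r"(?<!\\),", dn))


if __name__ == "__main__":
    # Constructed sample values matching the user from the thread.
    print(expand_dn_template("cn=%u,cn=Users", {"u": "ChristopherJ"}))
    print(expand_dn_template("cn=%f %l,ou=IT,ou=Head Office,dc=OURDOMAIN,dc=co,dc=uk",
                             {"f": "Christopher", "l": "Johnstone"}))
    # A login name carrying a comma stays a single RDN value after escaping.
    print(rdn_count(expand_dn_template("cn=%u,cn=Users", {"u": "Chris,ou=Admins"})))
```

Whatever placeholder set you settle on, keeping the escaping in one place means the Party Manager "LDAP Distinguished Name" path and the template path produce DNs with the same shape.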