Hi,

It seems that TWiki 4.2.0 and LdapContrib v2.99.4 don't work with hierarchical groups or nested groups in my environment. I'm running a Microsoft AD LDAP server and I have groups like

objectClass: groups

dn:CN=EL_FIN,OU=Org,...

cn: EL_FIN

member: CN=EL_FIN_DIR,OU=Org,....

I'm using

GroupAttribute = 'cn'

MemberAttribute = 'member'

MemberIndirection = 1

It seems that the cacheGroupFromEntry function iterates over all groups found from the LDAP search and adds those members of the current group $groupName, which have $data->{"DN2U::$member_DN"} defined. Because groups are not user accounts, they don't have this data defined and they are skipped with the error message "oops, $member_DN not found, but member of $groupName".

Therefore the relationship between, for example, EL_FIN and EL_FIN_DIR is never established and the nested groups do not work for authorizations.

The patch has a bug with international group names. I didn't convert from UTF to the TWiki charset, and the correct lines should be
if ($memberGroupName) {
   $memberGroupName = from_utf8(-string=>$memberGroupName, -charset=>$TWiki::cfg{Site}{CharSet}) 
      unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;

-- TWiki:Main.AivoJurgenson - 29 Apr 2008

This might be related to Item5118. TWiki's 4.2.0 code is pretty buggy currently.

-- TWiki:Main.MichaelDaum - 02 Jun 2008

No, I've found the bug. Being worked on.

-- TWiki:Main.MichaelDaum - 11 Jun 2008

The provided patch has another bug itself. When normalizeGroupName is used, the patch doesn't follow normalized group names and therefore breaks the indirection. The correct way is to add

if ($this->{normalizeGroupName}) {
   $memberGroupName = $this->normalizeWikiName($memberGroupName);
}

code snippet to the if ($memberGroupName) { branch.

-- TWiki:Main.AivoJurgenson - 29 Jul 2008

The latest version has got rudimentary support for nested groups. Please test.

-- MichaelDaum - 07 Jan 2009
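
The nested-group resolution discussed in this thread, as an added example that is not LdapContrib code and not part of any comment above: a member DN that is not a user is looked up as a group and expanded recursively, with a guard against groups that contain each other. The names `%dn2user`, `%groups` and `expand_group` and all DNs under `DC=example,DC=org` are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not LdapContrib code. All names and data are constructed.
use strict;
use warnings;

# DN -> login for user entries (the role the DN2U:: cache keys play above).
my %dn2user = (
    'CN=alice,OU=People,DC=example,DC=org' => 'alice',
    'CN=bob,OU=People,DC=example,DC=org'   => 'bob',
);

# Group entries as an LDAP search would return them: cn plus member DNs.
my %groups = (
    'CN=EL_FIN,OU=Org,DC=example,DC=org' => {
        cn     => 'EL_FIN',
        member => [ 'CN=EL_FIN_DIR,OU=Org,DC=example,DC=org',   # nested group
                    'CN=bob,OU=People,DC=example,DC=org' ],
    },
    'CN=EL_FIN_DIR,OU=Org,DC=example,DC=org' => {
        cn     => 'EL_FIN_DIR',
        member => [ 'CN=alice,OU=People,DC=example,DC=org',
                    'CN=EL_FIN,OU=Org,DC=example,DC=org',       # cycle back
                    'CN=ghost,OU=People,DC=example,DC=org' ],   # unresolvable
    },
);

# Return the sorted logins reachable from group $dn, following nested groups.
# $seen is shared across the whole walk so a membership cycle terminates.
sub expand_group {
    my ($dn, $seen) = @_;
    $seen ||= {};
    return () if $seen->{$dn}++;    # already visited: stop instead of looping
    my %users;
    for my $member (@{ $groups{$dn}{member} }) {
        if (exists $dn2user{$member}) {          # member is a user account
            $users{ $dn2user{$member} } = 1;
        }
        elsif (exists $groups{$member}) {        # member is itself a group
            $users{$_} = 1 for expand_group($member, $seen);
        }
        else {                                   # unknown DN grants nothing
            warn "oops, $member not found, but member of $groups{$dn}{cn}\n";
        }
    }
    return sort keys %users;
}

for my $dn (sort keys %groups) {
    printf "%s: %s\n", $groups{$dn}{cn}, join(', ', expand_group($dn));
}
```

Because the visited set is shared, only the list returned for the group passed to the top-level call is complete; call `expand_group` once per group, as the final loop does, rather than reusing the inner results.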
