xperseguers / t3ext-ig_ldap_sso_auth

TYPO3 Extension ig_ldap_sso_auth. This extension provides LDAP and SSO support for TYPO3.
https://extensions.typo3.org/extension/ig_ldap_sso_auth

How to match user to subgroup in AD #88

Open juvancica opened 4 years ago

juvancica commented 4 years ago

Hello,

I'm trying to connect TYPO3 LDAP to AD 2019. I have a tree of OUs, mimicking our organization. So, at the top is the head OU, followed by department OUs and so on. Users are in all OUs.

I can import all FE_USERS users from AD using (&(objectClass=Person)(sAMAccountName={USERNAME})). Mapping is:

    pid = 196
    tstamp = {DATE}
    email =
    name =
    first_name =
    last_name =
    title =
    company = <company>
    address = <streetAddress>
    zip = <postalCode>
    city = <l>
    country = <countryCode>
    telephone = <telephoneNumber>

I can also import all FE_GROUPS using (objectClass=organizationalUnit) and mapping:

    pid = 196
    tstamp = {DATE}
    title = <name>

But after I login with any user, I see the content for ALL groups. As if the user is in ALL groups.

I can create new AD GROUPS in OUs and I see the users in these groups with the memberOf option. But there is no memberOf option on OUs.

How can I map users to OUs? In such a way that a user from a bottom OU will see only his content, while a user in top OUs would see the content from their OUs and all sub-OUs...

Thank you,

Aleš

einhirn commented 8 months ago

I don't think that this will work. As you said, OUs don't have a "memberof" attribute. Maybe you can split the AD/LDAP DN and fiddle something with a script-based mapping, but thinking about that makes me cringe. From what I understand, you'd need a group/subgroup structure in AD, but then you'd have to somehow list/map the nested AD groups a FE_USER is a member of.
There's a way to delegate the check "Is user in group or any subgroup" to AD, but that would only work on the fly, not while importing, I guess.
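The two ideas in the reply above, as an added example that is not part of the original issue, not code from ig_ldap_sso_auth, and not either poster's own code. It is plain Python rather than TYPO3/PHP so it runs offline: first the "split the DN" approach, deriving from a user's DN the OU that holds the user and every OU nested below it (the head-OU-sees-everything, leaf-OU-sees-only-itself behaviour the question asks for), and second the "delegate the check to AD" approach, building a search filter with Active Directory's LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941), which AD evaluates over nested group membership at query time. The OU and user DNs, the sample account name and the group name are constructed for the example; only the OID and the RFC 4514/4515 escaping rules are real.

```python
"""
Added example for this thread; not code from ig_ldap_sso_auth or from either
poster. Python rather than TYPO3/PHP so that it can be run offline.

1. "Split the AD/LDAP DN": OUs carry no memberOf, but a user's DN spells out
   the OU chain. Given the OU DNs that an (objectClass=organizationalUnit)
   import returns, compute the OUs a user should see: the OU holding the user
   and every OU nested below it, to any depth.
2. "Delegate 'is user in group or any subgroup' to AD": build a filter using
   the LDAP_MATCHING_RULE_IN_CHAIN extensible match, which AD evaluates
   server-side over nested group membership (live queries only).

All DNs and account names below are constructed sample data.
"""

IN_CHAIN = "1.2.840.113556.1.4.1941"   # LDAP_MATCHING_RULE_IN_CHAIN (Active Directory)


def split_dn(dn: str) -> list[str]:
    """Split a DN into RDN strings. Handles backslash escapes ("\\," inside a
    value) but not the rarer quoted-value form of RFC 4514."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair verbatim
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts


def parent_dn(dn: str) -> str:
    """DN of the container the object lives in (drop the leading RDN)."""
    return ",".join(split_dn(dn)[1:])


def visible_ous(user_dn: str, ou_dns: list[str]) -> list[str]:
    """OUs a user should get as FE groups: the OU holding the user plus every
    OU nested under it. A user outside the OU tree (e.g. in CN=Users) gets
    none. RDNs are lowercased because AD DNs are case-insensitive; that is
    enough for this sample, not full RFC 4517 normalisation."""
    own = [p.lower() for p in split_dn(parent_dn(user_dn))]
    if not own:
        return []
    result = []
    for ou in ou_dns:
        parts = [p.lower() for p in split_dn(ou)]
        if len(parts) >= len(own) and parts[-len(own):] == own:
            result.append(ou)
    return result


def filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def nested_member_filter(sam_account_name: str, group_dn: str) -> str:
    """Filter that matches the account only if AD finds it in group_dn
    directly or through any chain of nested groups. In the extension's filter
    field the sAMAccountName term would stay as {USERNAME}, as in the
    question's own filter; here it is filled in so the string is complete."""
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf:%s:=%s))" % (
        filter_escape(sam_account_name), IN_CHAIN, filter_escape(group_dn))


# Constructed sample directory: a head OU with two levels of departments.
SAMPLE_OUS = [
    "OU=Head,DC=example,DC=org",
    "OU=Sales,OU=Head,DC=example,DC=org",
    "OU=Sales North,OU=Sales,OU=Head,DC=example,DC=org",
    "OU=IT,OU=Head,DC=example,DC=org",
]
SAMPLE_USERS = {
    "ceo":   "CN=CEO,OU=Head,DC=example,DC=org",
    "north": "CN=Rep\\, North,OU=Sales North,OU=Sales,OU=Head,DC=example,DC=org",
    "svc":   "CN=svc-backup,CN=Users,DC=example,DC=org",   # default container, no OU
}


if __name__ == "__main__":
    for name, dn in SAMPLE_USERS.items():
        print(name, "->", visible_ous(dn, SAMPLE_OUS))
    print(nested_member_filter("j.doe", "CN=Editors,OU=IT,OU=Head,DC=example,DC=org"))
```

Running it prints the head-OU user with all four OUs, the "Sales North" user with only its own OU, and the account in the default CN=Users container with nothing, which is the caveat of the DN-splitting approach: it only works for accounts that actually live in the OU tree. The in-chain filter is the other trade-off the reply mentions: AD resolves the nested membership when the filter is evaluated, so it fits an on-the-fly login check but gives an importer no membership list to store.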