Hi,
It seems that TWiki 4.2.0 and LdapContrib v2.99.4 don't work with hierarchical groups or nested groups in my environment. I'm running Microsoft AD LDAP server and I have groups like
objectClass: groups
dn:CN=EL_FIN,OU=Org,...
cn: EL_FIN
member: CN=EL_FIN_DIR,OU=Org,....
I'm using
GroupAttribute = 'cn'
MemberAttribute = 'member'
MemberIndirection = 1
It seems that the cacheGroupFromEntry function iterates over all groups found from the LDAP search and adds those members of the current group $groupName, which have $data->{"DN2U::$member_DN"} defined. Because groups are not user accounts, they don't have this data defined and they are skipped with the error message "oops, $member_DN not found, but member of $groupName".
Therefore the relationship between for example EL_FIN and EL_FIN_DIR is never established and the nested groups do not work for authorizations.
The patch has a bug with international group names. I didn't convert from the UTF to twiki charset and the correct lines should be
if ($memberGroupName) {
  $memberGroupName = from_utf8(-string=>$memberGroupName, -charset=>$TWiki::cfg{Site}{CharSet})
    unless $TWiki::cfg{Site}{CharSet} =~ /^utf-?8$/i;
--
TWiki:Main.AivoJurgenson - 29 Apr 2008
This might be related to Item5118. TWiki's 4.2.0 code is pretty buggy currently.
--
TWiki:Main.MichaelDaum - 02 Jun 2008
No I've found the bug. Being worked on.
--
TWiki:Main.MichaelDaum - 11 Jun 2008
The provided patch has another bug itself. When normalizeGroupName is used, the patch doesn't follow normalized group names and therefore breaks the indirection. The correct way is to add the
  if ($this->{normalizeGroupName}) {
    $memberGroupName = $this->normalizeWikiName($memberGroupName);
  }
code snippet to the
  if ($memberGroupName) {
branch.
--
TWiki:Main.AivoJurgenson - 29 Jul 2008
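
The nested-group resolution described in the report, together with the last comment's point that a member group must be looked up under the same normalized name it is stored under, as an added example (not LdapContrib's code and not part of any comment above). The DNs, `normalize_name` and `expand_group` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data (not from a real directory).
my $base = 'DC=example,DC=test';
my %dn2user = (
  "CN=alice,OU=Users,$base" => 'alice',
  "CN=bob,OU=Users,$base"   => 'bob',
);
my @entries = (
  { dn => "CN=EL_FIN,OU=Org,$base", cn => 'EL_FIN',
    member => [ "CN=bob,OU=Users,$base", "CN=EL_FIN_DIR,OU=Org,$base" ] },
  { dn => "CN=EL_FIN_DIR,OU=Org,$base", cn => 'EL_FIN_DIR',
    member => [ "CN=alice,OU=Users,$base", "CN=ghost,OU=Users,$base" ] },
);

# Hypothetical stand-in for a group-name normalizer (assumption, not TWiki's).
sub normalize_name { my ($n) = @_; $n =~ s/[^A-Za-z0-9]//g; return $n }

# Pass 1: store every group under its normalized name and remember which DN
# maps to that name, so a member DN that is a group resolves to the same key.
my (%dn2group, %members);
for my $e (@entries) {
  my $name = normalize_name($e->{cn});
  $dn2group{ $e->{dn} } = $name;
  $members{$name}       = $e->{member};
}

# Pass 2: collect user logins, following member DNs that are groups.
sub expand_group {
  my ($name, $seen, $unresolved) = @_;
  return () if $seen->{$name}++;    # guard against groups containing each other
  my @users;
  for my $dn (@{ $members{$name} }) {
    if    (exists $dn2user{$dn})  { push @users, $dn2user{$dn} }
    elsif (exists $dn2group{$dn}) { push @users, expand_group($dn2group{$dn}, $seen, $unresolved) }
    else                          { push @$unresolved, $dn }   # neither user nor group
  }
  return @users;
}

for my $name (sort keys %members) {
  my (%seen, @unresolved);
  my %uniq = map { $_ => 1 } expand_group($name, \%seen, \@unresolved);
  printf "%s: users=[%s] unresolved=%d\n",
    $name, join(',', sort keys %uniq), scalar @unresolved;
}
```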