[ 
https://issues.apache.org/jira/browse/CONNECTORS-1749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Guylaine Bassette updated CONNECTORS-1749:
------------------------------------------
    Description: 
The group parameters are mandatory in MCF, but some LDAP servers don't require 
such parameters to answer queries related to a user in order to get back 
authorization tokens. With such LDAP servers, you therefore do not need to 
input group-related information to have a working search.
 
But there is a negative aspect: there are scenarios where you may NOT know any 
group-related information since it is not needed for those LDAP servers. But 
since MCF requires these parameters, anything that you put in, in order for MCF 
to validate the configuration, will be sent to the LDAP server that will 
generate an error answer because the group parameters are incorrect: Error code 
52 - Object Not Found Error.

h2. Debug, help for configuration

Regarding the LDAP Authority configuration:

!image-2023-11-14-08-28-57-668.png!

When you have completed the first part in green, it is equivalent to this 
command line with the tool ldapsearch:

{{ldapsearch -x -H ldap://ldap.francelabs.com:389 -D 
"uid=myuser,ou=People,dc=francelabs,dc=com" -b "ou=people,dc=francelabs,dc=com" 
"(&(objectClass=inetOrgPerson)(uid=any_user_uid))"}}

Even if you get the expected result with this query, you might think that it is 
not important to fill in the red part concerning the group attributes. But you 
need to have a working query for the group part. Indeed, if the groups query is 
invalid and if you obtain an error code 52 in ldapsearch and MCF logs, it 
means that this query is the issue.

Try the default query of MCF:

{{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
"ou=groups,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}

If you obtain an error code 52 and even if you are not interested in retrieving 
the groups, you MUST have a query that works. So change the query until the 
error code disappears.

 {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b "dc=francelabs,dc=com" 
"(&(objectClass=groupOfNames))"}}

You will obtain some objects. Choose one with the OU that you want and enter 
this OU into MCF configuration. Example:
 
 {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
"ou=system,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}

  was:
The group parameters are mandatory in MCF, but some LDAP servers don't require 
such parameters to answer queries related to a user in order to get back 
authorization tokens. With such LDAP servers, you therefore do not need to 
input group-related information to have a working search.
 
But there is a negative aspect: there are scenarios where you may NOT know any 
group-related information since it is not needed for those LDAP servers. But 
since MCF requires these parameters, anything that you put in, in order for MCF 
to validate the configuration, will be sent to the LDAP server that will 
generate an error answer because the group parameters are incorrect: Error code 
52 - Object Not Found Error.

h2. Debug, help for configuration

Regarding the LDAP Authority configuration:

 

When you have completed the first part in green, it is equivalent to this 
command line with the tool ldapsearch:
 
{{ldapsearch -x -H ldap://ldap.francelabs.com:389 -D 
"uid=myuser,ou=People,dc=francelabs,dc=com" -b "ou=people,dc=francelabs,dc=com" 
"(&(objectClass=inetOrgPerson)(uid=any_user_uid))"}}
Even if you get the expected result with this query, you might think that it is 
not important to fill in the red part concerning the group attributes. But when 
you try to

If this part is OK, you need to have a working query for the group part. 
Indeed, if the groups query is invalid and if you obtain an error code 52 in 
ldapsearch and MCF logs, it means that this query is the issue.

Try the default query of MCF:
 
 {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
"ou=groups,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}
If you obtain an error code 52 and even if you are not interested in retrieving 
the groups, you MUST have a query that works. So change the query until the 
error code disappears.
 
 {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b "dc=francelabs,dc=com" 
"(&(objectClass=groupOfNames))"}}
You will obtain some objects. Choose one with the OU that you want and enter 
this OU into MCF configuration. Example:
 
 {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
"ou=system,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}


> LDAP Authority: make Group parameters optional
> ----------------------------------------------
>
>                 Key: CONNECTORS-1749
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1749
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: LDAP authority
>            Reporter: Guylaine Bassette
>            Priority: Minor
>         Attachments: image-2023-11-14-08-28-57-668.png
>
>
> The group parameters are mandatory in MCF, but some LDAP servers don't 
> require such parameters to answer queries related to a user in order to 
> get back authorization tokens. With such LDAP servers, you therefore do not 
> need to input group-related information to have a working search.
>  
> But there is a negative aspect: there are scenarios where you may NOT know 
> any group-related information since it is not needed for those LDAP servers. 
> But since MCF requires these parameters, anything that you put in, in order 
> for MCF to validate the configuration, will be sent to the LDAP server that 
> will generate an error answer because the group parameters are incorrect: 
> Error code 52 - Object Not Found Error.
> h2. Debug, help for configuration
> Regarding the LDAP Authority configuration:
> !image-2023-11-14-08-28-57-668.png!
> When you have completed the first part in green, it is equivalent to this 
> command line with the tool ldapsearch:
> {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -D 
> "uid=myuser,ou=People,dc=francelabs,dc=com" -b 
> "ou=people,dc=francelabs,dc=com" 
> "(&(objectClass=inetOrgPerson)(uid=any_user_uid))"}}
> Even if you get the expected result with this query, you might think that it 
> is not important to fill in the red part concerning the group attributes. But 
> you need to have a working query for the group part. Indeed, if the groups 
> query is invalid and if you obtain an error code 52 in ldapsearch and MCF 
> logs, it means that this query is the issue.
> Try the default query of MCF:
> {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
> "ou=groups,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}
> If you obtain an error code 52 and even if you are not interested in 
> retrieving the groups, you MUST have a query that works. So change the query 
> until the error code disappears.
>  {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b "dc=francelabs,dc=com" 
> "(&(objectClass=groupOfNames))"}}
> You will obtain some objects. Choose one with the OU that you want and enter 
> this OU into MCF configuration. Example:
>  
>  {{ldapsearch -x -H ldap://ldap.francelabs.com:389 -b 
> "ou=system,dc=francelabs,dc=com" "(&(objectClass=groupOfNames))"}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
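
Added example, not part of the Jira issue or of ManifoldCF: the step "you will obtain some objects, choose one with the OU that you want" can be done by ranking the parent containers of the groupOfNames entries the broad search returns. The function name candidate_group_bases and the sample LDIF are assumptions constructed for this illustration; the host and base DN are the ones used in the issue.

```shell
#!/bin/sh
# Added example (not from the issue): rank candidate group base DNs from the
# LDIF that a broad groupOfNames search returns.

# Reads LDIF on stdin; prints "<count> <parent DN>", most frequent first.
# Base64-encoded DNs ("dn:: ...") are not decoded and are skipped.
candidate_group_bases() {
  awk '
    # Parent DN = everything after the first comma not escaped by a backslash.
    function parent(dn,   i, c) {
      for (i = 1; i <= length(dn); i++) {
        c = substr(dn, i, 1)
        if (c == "\\") { i++; continue }
        if (c == ",") return substr(dn, i + 1)
      }
      return ""
    }
    function emit(   p) {
      if (cur == "") return
      p = tolower(parent(cur))   # fold case so OU=System and ou=system group
      if (p != "") count[p]++
      cur = ""
    }
    # LDIF folds long lines: a continuation starts with a single space.
    /^ /    { if (cur != "") cur = cur substr($0, 2); next }
            { emit() }
    /^dn: / { cur = substr($0, 5) }
    END     { emit(); for (p in count) printf "%d %s\n", count[p], p }
  ' | sort -k1,1nr -k2
}

# Constructed sample output (third DN is folded and has an escaped comma).
SAMPLE_LDIF='dn: cn=admins,ou=system,dc=francelabs,dc=com
objectClass: groupOfNames

dn: cn=readers,ou=system,dc=francelabs,dc=com
objectClass: groupOfNames

dn: cn=Team\, Search,ou=projects,dc=francela
 bs,dc=com
objectClass: groupOfNames'

# Offline demo; against a live server, pipe the broad search instead
# (1.1 asks for no attributes, so only DNs come back):
#   ldapsearch -x -LLL -H ldap://ldap.francelabs.com:389 \
#     -b "dc=francelabs,dc=com" "(&(objectClass=groupOfNames))" 1.1 \
#     | candidate_group_bases
printf '%s\n' "$SAMPLE_LDIF" | candidate_group_bases
```

The container with the highest count is the narrowest base that still returns groups, which makes it a reasonable value to try in the group search base field before widening it.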
