[EMAIL PROTECTED] wrote:
> Let me preface by thanking the nuxeo community for such a great product and a 
> great forum.  I am trying to set this up as a proof-of-concept for my new 
> biotech company.  If I can prove the concept, we will, in all likelihood, 
> purchase commercial support from Nuxeo.  However, I want to be able to at 
> least get it running and using Active Directory for user and group 
> authentication and authorization before committing to the product.  I 
> appreciate your help in making this trial a success so we can build a 
> mutually beneficial relationship.
> 
> OK, I have analyzed my server.log file and also done a tcpdump between my 
> Nuxeo server and my Active Directory domain controller (the one which Nuxeo 
> looks to for LDAP info). 
> 
> I am 99% sure that my problem revolves around the ldapReference and 
> inverseReference definitions in my default-ldap-groups-directory-bundle.xml 
> and possibly the inverseReference field in my 
> default-ldap-users-directory-bundle.xml file.
> 
> Specifically, my Active Directory's ldap attributes are different than the 
> default ones used in those *Reference fields.  For example, there are no 
> memberUrl fields, no members fields, no groupOfUniqueNames, etc.  I have 
> static "member" fields in my group definition, one for each member.  I have 
> "memberOf" fields in my user and group definitions to point to which groups 
> each group or user belongs to.
> 
> I have tried fixing the ldapReference and inverseReference fields to match my 
> Active Directory user and group schemas, but unfortunately I can't find 
> enough documentation on the specifics of how ldapReference and 
> inverseReference work, so I'm not sure if I'm doing it right.  Please advise 
> how those fields should be set for use with an Active Directory schema.  Here 
> is a sample ldif export for a user and a group from my Active Directory, so 
> you can see which fields I'm trying to map to:

Ok, according to your LDIF file, the users' entries hold the list of the DNs of
group entries they belong to, which is the opposite of the standard
groupOfUniqueNames scheme. Hence you should make the "groups" field of the
userDirectory hold the "ldapReference" to resolve those DNs while the
"members" field of the groupDirectory should be resolved by an inverseReference
pointing to the previously mentioned ldapReference.

-- 
Olivier

_______________________________________________
ECM mailing list
[email protected]
http://lists.nuxeo.com/mailman/listinfo/ecm
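
The mapping described in the reply above, written out as directory configuration. This is an added example, not part of the original message or taken from the poster's files: the element and attribute names (`ldapReference`, `inverseReference`, `staticAttributeId`, `dualReferenceField`) are assumed to match the stock Nuxeo bundle files, and the `parentGroups`/`subGroups` pair extends the same pattern to nested groups beyond what the reply covers.

```xml
<!-- default-ldap-users-directory-bundle.xml (fragment, added example).
     The user entry carries the group DNs in "memberOf", so the forward
     reference lives on the user side and resolves those DNs against
     groupDirectory. -->
<directory name="userDirectory">
  <references>
    <ldapReference field="groups"
                   directory="groupDirectory"
                   staticAttributeId="memberOf"/>
  </references>
</directory>

<!-- default-ldap-groups-directory-bundle.xml (fragment, added example).
     "members" is no longer read from the group entry; it is computed as
     the inverse of the "groups" reference declared on userDirectory. -->
<directory name="groupDirectory">
  <references>
    <inverseReference field="members"
                      directory="userDirectory"
                      dualReferenceField="groups"/>

    <!-- Assumption: nested groups follow the same pattern, because the
         group entries also carry "memberOf". The forward reference gives
         the parent groups, the inverse reference gives the sub-groups. -->
    <ldapReference field="parentGroups"
                   directory="groupDirectory"
                   staticAttributeId="memberOf"/>
    <inverseReference field="subGroups"
                      directory="groupDirectory"
                      dualReferenceField="parentGroups"/>
  </references>
</directory>
```

Active Directory does not list a user's primary group (normally Domain Users) in `memberOf`, so do not base an authorization decision on that group appearing in the resolved `groups` field.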
