Recherche
Le nuxeo-platform-shibboleth-groups-web-5.4.0.jar livré par nuxeo est bugué. La requête faite au LDAP pour retrouver les groupes est de la forme cn=%*
Voici :
Ajout dans nxserver/config de ce ldap-config.xml (le suffixe -config.xml est important pour que le fichier soit pris en compte) :
...
<component name="sample.ldap.config">
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<require>org.nuxeo.ecm.directory.sql.storage</require>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="servers">
<server name="default">
<ldapUrl>ldap://srv.univ.fr:389</ldapUrl>
</server>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="userDirectory">
<server>default</server>
<schema>user</schema>
<idField>username</idField>
<passwordField>password</passwordField>
<searchBaseDn>ou=people,dc=univ,dc=fr</searchBaseDn>
<searchClass>person</searchClass>
<searchScope>onelevel</searchScope>
<readOnly>true</readOnly>
<cacheTimeout>3600</cacheTimeout>
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=people,dc=univ,dc=fr</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>person</creationClass>
<creationClass>organizationalPerson</creationClass>
<creationClass>inetOrgPerson</creationClass>
<rdnAttribute>uid</rdnAttribute>
<fieldMapping name="username">eduPersonPrincipalName</fieldMapping>
<fieldMapping name="firstName">givenName</fieldMapping>
<fieldMapping name="lastName">sn</fieldMapping>
<fieldMapping name="company">supannetablissement</fieldMapping>
<fieldMapping name="email">mail</fieldMapping>
<references>
<inverseReference field="groups" directory="groupDirectory"
dualReferenceField="members" />
</references>
</directory>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="groupDirectory">
<server>default</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>ou=groups,dc=univ,dc=fr</searchBaseDn>
<searchFilter>(|(objectClass=groupOfNames)(objectClass=groupOfURLs))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>true</readOnly>
<cacheTimeout>3600</cacheTimeout>
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=groups,dc=univ,dc=fr</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>groupOfUniqueNames</creationClass>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<ldapReference field="members" directory="userDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="groupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="groupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
{note}
<fieldMapping name="username">eduPersonPrincipalName</fieldMapping> doit être en phase avec la configuration de l'authentification Shib
{note}
Remarques
</directory>
</extension>
<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory"
point="directories">
<directory name="groupDirectory">
<server>default</server>
<schema>group</schema>
<idField>groupname</idField>
<searchBaseDn>ou=groups,dc=univ,dc=fr</searchBaseDn>
<searchFilter>(|(objectClass=groupOfNames)(objectClass=groupOfURLs))</searchFilter>
<searchScope>subtree</searchScope>
<readOnly>true</readOnly>
<cacheTimeout>3600</cacheTimeout>
<cacheMaxSize>1000</cacheMaxSize>
<creationBaseDn>ou=groups,dc=univ,dc=fr</creationBaseDn>
<creationClass>top</creationClass>
<creationClass>groupOfUniqueNames</creationClass>
<rdnAttribute>cn</rdnAttribute>
<fieldMapping name="groupname">cn</fieldMapping>
<references>
<ldapReference field="members" directory="userDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="member"
dynamicAttributeId="memberURL" />
<ldapReference field="subGroups" directory="groupDirectory"
forceDnConsistencyCheck="false"
staticAttributeId="uniqueMember"
dynamicAttributeId="memberURL" />
<inverseReference field="parentGroups"
directory="groupDirectory" dualReferenceField="subGroups" />
</references>
</directory>
</extension>
</component>
Remarque |
---|
<fieldMapping name="username">eduPersonPrincipalName</fieldMapping> doit être en phase avec la configuration de l'authentification Shib |
...