/!\ Please note that most of the stuff below is superseded by changes committed to the 1.5 branch on 2006-12-22 - see docs/CHANGES there.

Notes on LDAP configuration in MoinMoin 1.5.3

mikeyp added:
    ldap_given_attribute = 'givenName'
    ldap_surname_attribute = 'sn'

    alias will be created from given, surname.

    ldap_group_attribute = 'memberOf' # LDAP attribute to search for group membership; must match the name auth.py reads (cfg.ldap_group_attribute)
    ldap_user_access_group = 'CN=wikiusers,DC=jaman,DC=com' # group user must be a member of

Group membership patch

I implemented a small patch on top of MoinMoin 1.5.3rc1 to check if users were members of a specific LDAP group in addition to the standard login checks. It uses LDAPObject.compare_s() to check group membership. Here's the actual diff for 1.5.3rc1:

[mikeyp@indigo64 MoinMoin]$ diff auth.orig.py auth.py
370a371,379
>       # optional group membership verification - done with binddn credentials
>         # since user might not have permissions
>         try:
>             if (l.compare_s(dn, cfg.ldap_group_attribute , cfg.ldap_user_access_group) != True):
>                 request.log("LDAP: username %s fails group membership check %s : %s ." % ( username, cfg.ldap_group_attribute, cfg.ldap_user_access_group))
>                 return user_obj, True
>         except AttributeError, e: # group params not specified in cfg
>               request.log("LDAP: skipping group membership check because no group configuration options in config")
>
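Review bot: `except AttributeError` is too broad a way to detect an unset option, and with the config snippet at the top of this page it misfires: that snippet sets `ldap_group_attr`, while the hunk reads `cfg.ldap_group_attribute`, so the AttributeError branch fires and the group check is silently skipped for every login, with only a log line to show for it. Read the two options with `getattr(cfg, 'ldap_group_attribute', None)` and `getattr(cfg, 'ldap_user_access_group', None)` before the compare and skip the check only when both are genuinely unset. Two further points on the `compare_s` line: a compare against an attribute the entry does not carry (a user in no groups has no `memberOf` at all) is answered with noSuchAttribute, which python-ldap raises as `ldap.NO_SUCH_ATTRIBUTE`, and nothing here catches it, so such a login ends in a traceback rather than a clean denial; and `!= True` can simply be `if not l.compare_s(...)`, which also copes with python-ldap versions that return 0/1 instead of a bool. Finally, the denial path `return user_obj, True` only denies if `user_obj` is still `None` at this point; worth confirming against the surrounding code, which the hunk does not show.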

These changes should be easy to port to another version of MoinMoin, or to merge into the main tree. The actual original and modified files are: auth.orig.py auth.py

I used this code against an Active Directory server for about 6 months with no problems.

Hi Mikey,

have a look at the ldap_login code from moin 1.6 to check whether this could do the job for you also. It just includes additional criteria in the search call, so it just doesn't find unwanted people.

-- ThomasWaldmann 2006-12-06 08:10:01

LDAP Troubleshooting / Comments

set ldap_verbose = True

LDAP errors will appear in the apache error_log with Apache/mod_python.

Looks like log messages aren't flushed to the apache log? There's a buffer delay. I hacked request.log() to flush for now.

When are changes to wikiconfig.py picked up? Right now, I'm bouncing apache.

Is it really necessary to dump the entire LDAP entry after search, even in verbose? It makes more sense to just log the attributes MoinMoin needs.

In fact, we really only need to request specific attributes in ldap.search_st(); this is a performance issue.

Code should verify the email was retrieved. Is it required?

aliasname is created from the 'sn' and 'givenName' attributes (sn, givenName). If there is no given name, then it uses sn. This should arguably be in config options rather than hardcoding LDAP attrs. Our LDAP (Active Directory) has displayName, cn, sn, givenName.

Login name is case sensitive, but LDAP is not. Logging in as 'MikeyP' created a wiki user; logging in as 'mikeyp' creates a second user. It probably makes sense to lowercase the login before passing it to the LDAP server for authentication. Have to be careful to make sure the wiki still gets the case-sensitive name.
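The following is an added example, not MoinMoin's auth.py and not mikeyp's patch, that puts the group membership check from the patch above together with the troubleshooting points in this section: request only the attributes needed in search_st(), refuse a login whose entry has no mail attribute, build the alias from givenName/sn with sn alone as the fallback, lowercase the login for the directory while the wiki keeps the name as typed, and read the group options explicitly instead of catching AttributeError. The login is escaped before it goes into the search filter, since an unescaped value like `*` or `x)(mail=*` rewrites the filter. The config names ldap_base, ldap_name_attribute and ldap_email_attribute are assumptions (they are not on this page), the in-memory FakeLDAP class is a constructed stand-in for the two LDAPObject calls used, and the directory entries are constructed sample data; against a real server you would pass the python-ldap connection object instead and could use ldap.filter.escape_filter_chars for the escaping.

```python
# Added example, not MoinMoin's own auth code: an LDAP login step that
# requests only the attributes it needs, refuses entries without a mail
# attribute, builds the alias from givenName/sn (sn alone as fallback),
# lowercases the login for the directory but keeps the typed name for the
# wiki, escapes the login before it enters a search filter, and does the
# group check with compare_s() against explicitly looked-up config options.
# Runs offline against a constructed in-memory stand-in for an LDAPObject.

try:
    import ldap                       # python-ldap; only its exception class is used
    NoSuchAttribute = ldap.NO_SUCH_ATTRIBUTE
except ImportError:
    class NoSuchAttribute(Exception):
        """Stand-in for ldap.NO_SUCH_ATTRIBUTE when python-ldap is not installed."""

SCOPE_SUBTREE = 2                     # value of ldap.SCOPE_SUBTREE


def escape_filter_chars(value):
    """RFC 4515 escaping of an assertion value (python-ldap ships the same as
    ldap.filter.escape_filter_chars); without it a login such as '*' or
    'x)(mail=*' changes the meaning of the search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


class LdapConfig(object):
    """Hypothetical subset of wikiconfig options; the ones marked (assumed)
    are not taken from the page."""
    ldap_base = 'DC=jaman,DC=com'                 # (assumed)
    ldap_name_attribute = 'sAMAccountName'        # (assumed)
    ldap_email_attribute = 'mail'                 # (assumed)
    ldap_given_attribute = 'givenName'
    ldap_surname_attribute = 'sn'
    ldap_group_attribute = 'memberOf'
    ldap_user_access_group = 'CN=wikiusers,DC=jaman,DC=com'


class FakeLDAP(object):
    """Constructed stand-in for the two LDAPObject calls used below."""
    def __init__(self, entries):
        self.entries = entries        # dn -> {attribute: [values]}

    def search_st(self, base, scope, filterstr, attrlist=None, timeout=-1):
        # Understands only '(attr=value)' with exact, case-insensitive matching.
        attr, value = filterstr.strip('()').split('=', 1)
        hits = []
        for dn, attrs in self.entries.items():
            if value.lower() in [v.lower() for v in attrs.get(attr, [])]:
                hits.append((dn, dict((a, attrs[a]) for a in (attrlist or attrs) if a in attrs)))
        return hits

    def compare_s(self, dn, attr, value):
        if attr not in self.entries[dn]:
            raise NoSuchAttribute()   # a real server answers noSuchAttribute here
        return value in self.entries[dn][attr]


def lookup_user(conn, cfg, login):
    """Return (dn, email, alias) for the login, or None if it must be refused."""
    filt = '(%s=%s)' % (cfg.ldap_name_attribute, escape_filter_chars(login.lower()))
    wanted = [cfg.ldap_email_attribute, cfg.ldap_given_attribute, cfg.ldap_surname_attribute]
    hits = conn.search_st(cfg.ldap_base, SCOPE_SUBTREE, filt, attrlist=wanted, timeout=10)
    if len(hits) != 1:
        return None                   # unknown or ambiguous login
    dn, entry = hits[0]
    emails = entry.get(cfg.ldap_email_attribute)
    if not emails:
        return None                   # the wiki needs a mail address; refuse rather than guess
    given = entry.get(cfg.ldap_given_attribute, [''])[0]
    surname = entry.get(cfg.ldap_surname_attribute, [''])[0]
    alias = ('%s %s' % (given, surname)).strip() if given else surname
    return dn, emails[0], alias


def in_required_group(conn, cfg, dn):
    """Group check with explicit config lookup: True (check disabled) only when
    the options are unset, False when the entry carries no such attribute."""
    attr = getattr(cfg, 'ldap_group_attribute', None)
    group = getattr(cfg, 'ldap_user_access_group', None)
    if not (attr and group):
        return True
    try:
        return bool(conn.compare_s(dn, attr, group))  # older python-ldap returns 0/1
    except NoSuchAttribute:
        return False


def authenticate(conn, cfg, login):
    """The wiki account keeps the login as typed; LDAP only sees the lowercased form."""
    found = lookup_user(conn, cfg, login)
    if found is None:
        return None
    dn, email, alias = found
    if not in_required_group(conn, cfg, dn):
        return None
    return {'name': login, 'dn': dn, 'email': email, 'aliasname': alias}


# Constructed directory: a member, an entry without mail, and a user in no groups.
DIRECTORY = {
    'CN=Mikey P,CN=Users,DC=jaman,DC=com': {
        'sAMAccountName': ['mikeyp'], 'mail': ['mikeyp@jaman.com'],
        'givenName': ['Mikey'], 'sn': ['P'],
        'memberOf': ['CN=wikiusers,DC=jaman,DC=com', 'CN=staff,DC=jaman,DC=com']},
    'CN=No Mail,CN=Users,DC=jaman,DC=com': {
        'sAMAccountName': ['nomail'], 'sn': ['Mail'],
        'memberOf': ['CN=wikiusers,DC=jaman,DC=com']},
    'CN=Outsider,CN=Users,DC=jaman,DC=com': {
        'sAMAccountName': ['outsider'], 'mail': ['outsider@jaman.com'], 'sn': ['Outsider']},
}

if __name__ == '__main__':
    conn = FakeLDAP(DIRECTORY)
    for login in ('MikeyP', 'mikeyp', 'nomail', 'outsider', '*'):
        print(login, '->', authenticate(conn, LdapConfig, login))
```

Both spellings of the login resolve to the same dn, which is what the wiki should key on to avoid the duplicate-user problem; the entry without mail and the user in no groups are both refused, the latter because compare_s raises rather than returning false when memberOf is absent; and a cfg with the group options unset disables the check deliberately instead of by accident.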

MoinMoin: MikeyP/LdapConfiguration (last edited 2008-03-07 23:11:34 by ThomasWaldmann)