ejabberd - Comments for "AD group integration, again"

Edit: I just realized that

mikekaganski — Thu, 29 Mar 2012 13:35:09 +0000

Edit: I just realized that you are talking about OUs, not groups! This is impossible with the bundled module. You need that modified version mentioned above.

Okay. Can't you please

tarkhil — Thu, 29 Mar 2012 12:37:06 +0000

Okay.

Can't you please suggest config for me?

tarkhil wrote: using

mikekaganski — Thu, 29 Mar 2012 11:30:15 +0000

tarkhil wrote:

using ldap_rfilter I fetch group

No, you fetch list of group ids.

you fetch group (and its member list) using ldap_gfilter.

You cannot tell the module to construct group name in any way, it must be the value of an attribute (not part of it).

surely I'm confused.

tarkhil — Thu, 29 Mar 2012 11:19:09 +0000

surely I'm confused. Documentation doesn't see too clear to me.

so, using ldap_rfilter I fetch group

than with ldap_gfilter I fetch users.

How do I tell mod_s_r_ldap that group is in OU=(.*), in distinguishedName?

Quote: 2. User -

mikekaganski — Thu, 29 Mar 2012 11:11:48 +0000

Quote:

2. User - sAMAccountName

;) You didn't even mention this attribute in the first post.

First, let's filter out the irrelevant bits. ldap_auth_check and ldap_user_cache_validity don't matter here, they will only be needed to tune the performance later, when you have everything working.

Next, please read the topic I mentioned above. You seem to be confused by the configuration options - there you may find an alternative description of them (well, the description there belongs to modified version of msrl, but the general rules persist).

You need to build the groups list first. This is done using ldap_rfilter and ldap_groupattr.
Next, for each group, you need to get its display name and its members (in one query!) using ldap_gfilter, ldap_groupdesc, and ldap_memberattr.
And then you will do a query per user to get their names (and uids, that needed to match what was returned in second stage) using ldap_ufilter, ldap_useruid and ldap_userdesc.

ldap_memberattr_format(_re) cannot be used to form group names, and the "_re" version must not use %u/%g syntax.

1.Ejabber 2.1.9, bundled

tarkhil — Thu, 29 Mar 2012 08:32:23 +0000

1.Ejabber 2.1.9, bundled mod_shared_roster_ldap

2. User - sAMAccountName. group - OU=(.*) from dn

3. Lots of attempts

{ldap_base, "ou=apit,dc=apit,dc=local"},
%% {ldap_groupattr,"distinguishedName"},
%% {ldap_groupdesc,"department"},
%% {ldap_rfilter, "(objectclass=user)"},
%% {ldap_memberattr,"sAMAccountName"},

{ldap_userdesc, "cn"},
{ldap_auth_check, "off"},
{ldap_rfilter, "(objectClass=organizationalUnit)"},
%% {ldap_filter,"(ObjectClass=user)"},
%% { ldap_ufilter, "(&(objectClass=user)(department=%u))"},
{ ldap_gfilter, "(objectClass=user)" },
{ldap_groupattr,"name"},
{ldap_groupdesc,"ou"},
{ldap_memberattr,"distinguishedName"},
{ldap_memberattr_format_re,"CN=(%u),OU=(%g),OU=APIT,DC=apit,DC=local"},
%% {ldap_memberattr_format,"%u"},
{ldap_user_cache_validity, 0},
{ldap_userdesc,"displayName"}

You didn't specify the

mikekaganski — Wed, 28 Mar 2012 22:10:50 +0000

You didn't specify the following information required to understand what do you need:
1. The version of ejabberd and shared roster module you use
2. The look of desired layout you want to get
3. The failing setup you have tried

Anyway, it looks like you are stuck with the inherent limitation of the vanilla msrl. Probably you will find something useful at this issue page.