AD group integration, again

Hello!

I have a (relatively) simple AD to use in shared roster.

A typical group looks like this (some fields cut out; sorry for the UTF-8 in user names):

dn: OU=IT,OU=APIT,DC=apit,DC=local
objectClass: top
objectClass: organizationalUnit
ou: IT
distinguishedName: OU=IT,OU=APIT,DC=apit,DC=local
name: IT
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=apit,DC=local

A typical user looks like this:

dn: CN=ПоволоцкийАБ,OU=IT,OU=APIT,DC=apit,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: ПоволоцкийАБ
sn: Поволоцкий
title: Системный администратор
# title: "System administrator"
telephoneNumber: 125
givenName: Александр Борисович
distinguishedName: CN=ПоволоцкийАБ,OU=IT,OU=APIT,DC=apit,DC=local
displayName: Поволоцкий Александр Борисович
# memberOf values are the Russian-localized names of the built-in groups:
# Group Policy Creator Owners, Enterprise Admins, Schema Admins, Domain Admins, Administrators
memberOf: CN=Владельцы-создатели групповой политики,CN=Users,DC=apit,DC=local
memberOf: CN=Администраторы предприятия,CN=Users,DC=apit,DC=local
memberOf: CN=Администраторы схемы,CN=Users,DC=apit,DC=local
memberOf: CN=Администраторы домена,CN=Users,DC=apit,DC=local
memberOf: CN=Администраторы,CN=Builtin,DC=apit,DC=local
name: ПоволоцкийАБ

How do I extract those groups and users?

ejabberd extracts data (I can see the LDAP requests), but shows nothing in the roster.

A simpler setup (using the department field as a group) works, so the problem is in the correct filter.

You didn't specify the following information, which is required to understand what you need:
1. The version of ejabberd and shared roster module you use
2. The look of desired layout you want to get
3. The failing setup you have tried

Anyway, it looks like you are stuck with the inherent limitation of the vanilla msrl. You will probably find something useful on this issue page.

1. ejabberd 2.1.9, bundled mod_shared_roster_ldap

2. User: sAMAccountName; group: OU=(.*) from the dn

3. Lots of attempts:

{ldap_base, "ou=apit,dc=apit,dc=local"},
%% {ldap_groupattr, "distinguishedName"},
%% {ldap_groupdesc, "department"},
%% {ldap_rfilter, "(objectclass=user)"},
%% {ldap_memberattr, "sAMAccountName"},

{ldap_userdesc, "cn"},
{ldap_auth_check, "off"},
{ldap_rfilter, "(objectClass=organizationalUnit)"},
%% {ldap_filter, "(ObjectClass=user)"},
%% {ldap_ufilter, "(&(objectClass=user)(department=%u))"},
{ldap_gfilter, "(objectClass=user)"},
{ldap_groupattr, "name"},
{ldap_groupdesc, "ou"},
{ldap_memberattr, "distinguishedName"},
{ldap_memberattr_format_re, "CN=(%u),OU=(%g),OU=APIT,DC=apit,DC=local"},
%% {ldap_memberattr_format, "%u"},
{ldap_user_cache_validity, 0},
{ldap_userdesc, "displayName"}

Quote:

2. User - sAMAccountName

;) You didn't even mention this attribute in the first post.

First, let's filter out the irrelevant bits. ldap_auth_check and ldap_user_cache_validity don't matter here; they will only be needed to tune performance later, once you have everything working.

Next, please read the topic I mentioned above. You seem to be confused by the configuration options; there you may find an alternative description of them (well, the description there belongs to a modified version of msrl, but the general rules persist).

You need to build the group list first. This is done using ldap_rfilter and ldap_groupattr.
Next, for each group, you need to get its display name and its members (in one query!) using ldap_gfilter, ldap_groupdesc, and ldap_memberattr.
And then you will do a query per user to get their names (and uids, which need to match what was returned in the second stage) using ldap_ufilter, ldap_useruid and ldap_userdesc.

ldap_memberattr_format(_re) cannot be used to form group names, and the "_re" version must not use %u/%g syntax.
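The three stages described above, written out as an ejabberd 2.1.x module entry. This is an added example, not a config from the thread or from the ejabberd project, and it deliberately uses AD security groups rather than OUs: a group id has to be the value of an attribute of the group entry (cn), and the members have to be values of an attribute of that same entry (member), which is exactly what an OU does not have. The memberOf values in the first post show such groups exist under CN=Users,DC=apit,DC=local. Assumed: the host name dc1.apit.local, a read-only bind account CN=ejabberd,... and its password, and that the directory accepts LDAPS on 636.

```erlang
%% Added example for ejabberd 2.1.x ejabberd.cfg (assumed names marked below).
{modules, [
  %% ... other modules ...
  {mod_shared_roster_ldap, [
    %% Connection: a low-privilege, read-only bind over TLS.
    {ldap_servers, ["dc1.apit.local"]},                            % assumption
    {ldap_port, 636},                                              % assumption: LDAPS enabled on the DC
    {ldap_encrypt, tls},
    {ldap_rootdn, "CN=ejabberd,OU=IT,OU=APIT,DC=apit,DC=local"},  % assumption: dedicated read-only account
    {ldap_password, "***"},                                        % assumption: placeholder
    {ldap_base, "DC=apit,DC=local"},

    %% Stage 1: the list of group ids. Each group id is the value of an
    %% attribute (cn) of a group entry, never a fragment of a DN.
    %% Restrict which groups become roster groups instead of exporting
    %% every AD group (and so every admin group's membership) to all users.
    {ldap_rfilter, "(&(objectClass=group)(cn=xmpp-*))"},           % assumption: roster groups are named xmpp-*
    {ldap_groupattr, "cn"},

    %% Stage 2: per group id (%g), the display name and the members in one query.
    {ldap_gfilter, "(&(objectClass=group)(cn=%g))"},
    {ldap_groupdesc, "description"},
    {ldap_memberattr, "member"},
    %% member values are DNs such as CN=ПоволоцкийАБ,OU=IT,OU=APIT,DC=apit,DC=local.
    %% The regex captures the CN as the user id. It is a plain regex: no %u or %g.
    {ldap_memberattr_format_re, "CN=([^,]+),"},

    %% Stage 3: per user id (%u), the human-readable name.
    {ldap_ufilter, "(&(objectClass=user)(cn=%u))"},
    {ldap_useruid, "cn"},
    {ldap_userdesc, "displayName"}
  ]}
  %% ... other modules ...
]}.
```

Two caveats. The user id that comes out of stage 2 is the CN captured from the member DN, so roster JIDs are built from cn, not from sAMAccountName; this only gives sAMAccountName JIDs when the two attributes hold the same value. And before loading the module, run each stage's filter by hand with ldapsearch against the same base, attributes and bind account, because an empty result in stage 2 (no member values after the regex) is exactly what produces an empty roster with no errors logged.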

Surely I'm confused. The documentation doesn't seem too clear to me.

So, using ldap_rfilter I fetch a group,

then with ldap_gfilter I fetch users.

How do I tell mod_s_r_ldap that group is in OU=(.*), in distinguishedName?

tarkhil wrote:

using ldap_rfilter I fetch group

No, you fetch a list of group ids.

You fetch a group (and its member list) using ldap_gfilter.

You cannot tell the module to construct a group name in any way; it must be the value of an attribute (not part of it).

Okay.

Can't you please suggest a config for me?

Edit: I just realized that you are talking about OUs, not groups! This is impossible with the bundled module. You need that modified version mentioned above.
