[GeoNetwork-users] LDAP organisation

Hello all,
we are using LDAP in our organisation and we would like to use LDAP with
GeoNetwork.
As far as I understand, the parameters in the system configuration are:
Hôte (host): IP or DNS name of the LDAP server,
port: usually 389
profil par défaut (default profile): registered user

Uid attribute: "uid"
Question: is it the filter used to search for the name of a person when he
enters his username and password?

Distinguished names
Base: dc=gov,dc=pf
Question: is it the root where the search starts?
User: ou=person
Question: is it the group the users belong to?

Are these last 3 parameters for searching users in the LDAP tree?
I have tested these parameters, and I conclude that when a person logs in,
he must belong to the group "person", which belongs to "dc=gov,dc=pf",
with a DN uid=xxx,ou=person,dc=gov,dc=pf.
Am I right?

When the LDAP authentication succeeds, one row is created in the user table
(postgres) with the user's attribute parameters in the columns name and
profile respectively.

Hi,

> Uid attribute: "uid"
>
> Question: is it the filter used to search for the name of a person when he
> enters his username and password?

IIRC, GeoNetwork's LDAP support works this way:

"I'm user pmauduit, and I try to authenticate using pmauduit/secret on
GeoNetwork"; GN will look for 'uid=pmauduit,....' in the LDAP tree.
I think GeoNetwork will use the regular userPassword attribute for the
password check. You could have used the "cn" attribute, depending on your
LDAP setup.

> Distinguished names
> Base: dc=gov,dc=pf
> Question: is it the root where the search starts?
>
> User: ou=person
>
> Question: is it the group the users belong to?

I think GN will try to look up your current users in
"ou=person,dc=gov,dc=pf", right. But I'm pretty sure (it's been a long time
since I've toyed around with LDAP / GeoNetwork) that the "group" notion from
LDAP is disconnected from the one in GeoNetwork.

> Are these last 3 parameters for searching users in the LDAP tree?
>
> I have tested these parameters, and I conclude that when a person logs in,
> he must belong to the group "person", which belongs to "dc=gov,dc=pf",
> with a DN uid=xxx,ou=person,dc=gov,dc=pf.
> Am I right?

I guess so; the last parameter ("profile") is used to store the profile of
your users on the LDAP side, i.e. if the profile attribute == Admin, then your
user is admin on GN; if == Reviewer, then he is a reviewer, etc.

> When the LDAP authentication succeeds, one row is created in the user table
> (postgres) with the user's attribute parameters in the columns name and
> profile respectively.

Right, there is a kind of synchronisation, since the user who successfully
connected the first time is then copied into the PostgreSQL user table. But
I guess you will have to connect as administrator in order to correctly
assign your users to your GeoNetwork groups (since, as I said, the two
notions, LDAP groups vs GeoNetwork groups, are disconnected).

Hth,

--
Pierre Mauduit

Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac Cedex
Tel : + 33 (0)4 79 44 44 92
http://www.camptocamp.com
pierre.mauduit@anonymised.com
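The login flow described in the reply above, as an added, runnable example that is not GeoNetwork's own code: the DN is composed from the uid attribute, the user subtree and the base DN; the password is checked by binding as that DN; a profile attribute is mapped onto a GeoNetwork profile; and the result is the row that would be synchronised into the users table. It goes slightly beyond the thread in two places a practitioner would want covered: the username is RFC 4514-escaped before it is embedded in the DN, and an empty password is refused before any bind is sent (an LDAP bind with a DN and an empty password is an unauthenticated bind and succeeds on many servers). The in-memory directory, its contents, the config keys (in particular `profile_attribute`, which the reply only calls "the last parameter") and the function names are constructed for this illustration.

```python
"""Added example, not GeoNetwork code: offline simulation of the LDAP login
flow (DN composition, bind, profile mapping, users-row synchronisation).
The directory contents, config keys and function names are constructed."""

from dataclasses import dataclass

# GeoNetwork profile names accepted from the directory (allowlist). Anything
# else falls back to the configured default profile.
GN_PROFILES = {"Administrator", "UserAdmin", "Reviewer", "Editor", "RegisteredUser"}

# Mirrors the system-configuration fields from the question. "profile_attribute"
# is an assumption: the reply calls it "the last parameter" without naming it.
LDAP_CONFIG = {
    "host": "ldap.gov.pf",        # Hôte; not contacted by this offline example
    "port": 389,
    "default_profile": "RegisteredUser",
    "uid_attribute": "uid",
    "base_dn": "dc=gov,dc=pf",
    "user_dn": "ou=person",
    "profile_attribute": "profile",
}

# Constructed directory contents: DN -> attributes.
SAMPLE_ENTRIES = {
    "uid=pmauduit,ou=person,dc=gov,dc=pf": {
        "cn": "Pierre Mauduit", "userPassword": "secret", "profile": "Reviewer"},
    "uid=sam,ou=person,dc=gov,dc=pf": {
        "cn": "Sam", "userPassword": "s3cret", "profile": "Reader"},  # not a GN profile
}

_DN_SPECIALS = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules), so a
    username such as 'root,ou=admins' cannot change the DN's structure."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


@dataclass
class FakeDirectory:
    """Minimal stand-in for the LDAP server, enough to show bind semantics."""
    entries: dict

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn)
        if entry is None:
            return False
        # RFC 4513: a DN with an empty password is an *unauthenticated* bind
        # and succeeds on many servers. The client must refuse it itself.
        if password == "":
            return True
        return entry.get("userPassword") == password

    def lookup(self, dn: str):
        return self.entries.get(dn)


def user_dn(config: dict, username: str) -> str:
    """Compose uid=<user>,<user_dn>,<base_dn> as the reply describes."""
    return "{}={},{},{}".format(config["uid_attribute"], escape_dn_value(username),
                                config["user_dn"], config["base_dn"])


def authenticate(directory: FakeDirectory, config: dict, username: str, password: str):
    """Return the row that would be written to the users table, or None."""
    if not username or not password or "\x00" in username:
        return None                      # never send an unauthenticated bind
    dn = user_dn(config, username)
    if not directory.bind(dn, password):
        return None
    entry = directory.lookup(dn)
    raw_profile = entry.get(config["profile_attribute"])
    profile = raw_profile if raw_profile in GN_PROFILES else config["default_profile"]
    # GeoNetwork groups are assigned separately by an administrator; only the
    # name and profile columns are filled from the directory here.
    return {"username": username, "name": entry.get("cn", username), "profile": profile}


if __name__ == "__main__":
    directory = FakeDirectory(SAMPLE_ENTRIES)
    for user, pw in [("pmauduit", "secret"), ("sam", "s3cret"),
                     ("pmauduit", ""), ("root,ou=admins", "x")]:
        print(user, "->", authenticate(directory, LDAP_CONFIG, user, pw))
```

Running the block shows a successful Reviewer login, a user whose directory profile is unknown to GeoNetwork landing on the default profile, an empty password refused before the bind, and a crafted username staying inside `ou=person` because of the escaping.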

Hello everyone,

I have managed to set up LDAP authentication against an LDAP directory (GN
2.6.4); all profile choices (Editor, RegisteredUser, Reviewer) are being
created fine. (Profiles are labeled and retrieved from the LDAP directory.)

I am unable to create a UserAdmin profile, even though I have added it
as one of the choices of the default profiles to pick from in the LDAP
Authentication interface (in system configuration; I edited config.xsl).

Why are those 3 profiles being created but UserAdmin is not?
Can I do it? If yes, what else am I missing?

Sam
