If you want to use LDAP groups along with normal database groups you would need to do a custom AuthFactory, UserManager, AuthFactory, Group and GroupManager. These would basically be combinations of the Db and Ldap versions of all the above classes.
From what I've seen, people that have had the same LDAP issue as you didn't set the search filter and username fields to point to sAMAccountName rather than uid.
Do you think that could be your issue?
Here are the relevant ldap settings I am using:
ldap.searchFilter = (sAMAccountName=)
ldap.usernameField = sAMAccountName
ldap.groupSearchFilter = (&(cn=jivegroup)(member=))
ldap.groupNameField = cn
ldap.groupMemberField = member
ldap.groupDescriptionField = description
I still haven't had success with the groups. I have tried re-installing from scratch several times and have tried various combinations to get it to work, but no luck. I also think I may have noticed a bug with the LDAP auth. I think it is trying to log in repeatedly when the wrong password is given. I have my Active Directory set to lock an account after multiple failed login attempts. If I try to log in to Clearspace once with an incorrect password the account locks (everything is fine with the correct password). The auth tool should really only try to authenticate one time and, if it fails, give up. The multiple-attempt bit will cause lockout headaches for anyone using AD.
Update - I figured out the problem with groups integration. My user DNs all have a \ in them from way, way back when they were converted from another user directory. The \ must be seen by Clearspace as an escape character and therefore breaks everything. Now I need to figure out if I can get Clearspace to ignore the \, or if I can just rip the \ out of all of my user DNs, but at least the root cause has been discovered.
The issue with multiple attempts with the incorrect password still exists though.
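As an added example (not the poster's configuration or Clearspace's code), this shows why a user DN containing a backslash breaks a group search filter and how the DN must be escaped per RFC 4515 before it is substituted into the filter; the `{0}` placeholder in the filter template and the sample DN are assumptions.

```python
import re

# RFC 4515: these characters must be encoded as backslash + two hex digits
# when they appear inside an LDAP search filter assertion value.
RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed template: the groupSearchFilter from the thread with a {0}
# placeholder where the member DN is substituted.
GROUP_FILTER_TEMPLATE = "(&(cn=jivegroup)(member={0}))"

# A backslash that is not followed by two hex digits is not a valid
# filter escape; this is how an unescaped DN backslash shows up.
_BAD_ESCAPE = re.compile(r"\\(?![0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(member_dn: str, template: str = GROUP_FILTER_TEMPLATE) -> str:
    """Substitute the (escaped) member DN into the group search filter."""
    return template.format(escape_filter_value(member_dn))


def has_invalid_escape(filter_str: str) -> bool:
    """Return True if the filter contains a malformed backslash escape."""
    return _BAD_ESCAPE.search(filter_str) is not None


if __name__ == "__main__":
    # Constructed sample DN with an escaped comma, as produced by
    # directory migrations that leave a backslash in the RDN.
    dn = "CN=Smith\\, John,OU=Users,DC=example,DC=com"
    raw = GROUP_FILTER_TEMPLATE.format(dn)          # what a naive substitution yields
    print("naive filter malformed:", has_invalid_escape(raw))     # True
    print("escaped filter:", build_group_filter(dn))
```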