6 Replies Latest reply on Nov 7, 2007 1:30 AM by manmurray

    AD/LDAP user group membership being reported incorrectly

      Weird one. We've got a copy of Clearspace 1.7 running in dev, pointing quite happily to a 2k3 LDAP backend for user/group management. All is working perfectly, users and groups are appearing as expected. However...

We tried creating a private space for client logins, showing a restricted area containing just their own stuff. Simplified structure is something like below, with permissions in:

      Main space internal_staff:all clients:none

      -- Client space internal_staff:all clients:read/write

So, pretty simple. The problem is that a user in the AD group can see content within the main space, even though permissions are explicitly set to block this.

The user being tested is called clientA, and after double checking all AD group memberships were correct, I took a look at the user's properties page in Clearspace admin. It showed that user clientA was a member of EVERY group within the OU. In fact, all users were members of all groups - effectively making setting permissions based on group ineffectual.

      Checking the LDAP system properties, I tried changing

         ldap.groupMemberField = member (the default after install)

      To

         ldap.groupMemberField = memberOf

      But this limited all user group memberships to two groups, which isn't terribly useful.

      I don't really need to be using ldap.groupSearchFilter for restricting groups, as I want all groups within a specified OU to be able to use Clearspace.

      Any ideas would be very handy!
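Added example (not from this thread or from Clearspace itself): a small Python model of how the two attributes named above resolve against an AD-style directory. In AD, `member` is an attribute on the group entry holding user DNs, while `memberOf` is the back-link on the user entry, so a group-side search keyed on `memberOf` matches nothing; the function also cross-checks the group-side and user-side views, which is the comparison to make before trusting what an application's user page reports. All DNs, OU and group names are constructed.

```python
# Constructed stand-in for the AD OU in the thread: DN -> attributes (no live LDAP needed).
BASE = "OU=Groups,DC=example,DC=local"
CLIENT_A = "CN=clientA,OU=Users,DC=example,DC=local"
STAFF_1 = "CN=staff1,OU=Users,DC=example,DC=local"
DIRECTORY = {
    CLIENT_A: {"objectClass": ["user"],
               "memberOf": [f"CN=clients,{BASE}", f"CN=everyone,{BASE}"]},
    # staff1's back-link is deliberately stale (missing 'everyone') so the cross-check has something to catch
    STAFF_1: {"objectClass": ["user"], "memberOf": [f"CN=internal_staff,{BASE}"]},
    f"CN=clients,{BASE}": {"objectClass": ["group"], "member": [CLIENT_A]},
    f"CN=internal_staff,{BASE}": {"objectClass": ["group"], "member": [STAFF_1]},
    f"CN=everyone,{BASE}": {"objectClass": ["group"], "member": [CLIENT_A, STAFF_1]},
}


def escape_filter_value(value):
    """RFC 4515 escaping: a DN containing * ( ) \\ or NUL must not change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def group_filter(member_field, user_dn):
    """Filter an application would send for a user's groups; member_field is the ldap.groupMemberField value."""
    return f"(&(objectClass=group)({member_field}={escape_filter_value(user_dn)}))"


def groups_for_user(user_dn, member_field="member", base=BASE):
    """Evaluate that filter the way the server would: group entries under `base`
    whose `member_field` attribute contains the user's DN."""
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and "group" in attrs.get("objectClass", [])
            and user_dn in attrs.get(member_field, [])]
    return sorted(hits)


def memberships_agree(user_dn):
    """Cross-check the group-side view (member) against the user-side view (memberOf).
    Returns (agree, sorted symmetric difference)."""
    via_groups = set(groups_for_user(user_dn, "member"))
    via_user = set(DIRECTORY[user_dn].get("memberOf", []))
    return via_groups == via_user, sorted(via_groups ^ via_user)


if __name__ == "__main__":
    print(group_filter("member", CLIENT_A))
    print("member  :", groups_for_user(CLIENT_A, "member"))    # the two real groups
    print("memberOf:", groups_for_user(CLIENT_A, "memberOf"))  # [] - memberOf lives on the user, not the group
    print("staff1 consistent?", memberships_agree(STAFF_1))
```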

        • Re: AD/LDAP user group membership being reported incorrectly

          We have limited clearspace groups to one OU as well by changing the ldap.groupSearchFilter = (&(cn=Clearspace*)(member=)(objectClass=group))

          All groups we create start with Clearspace in the name... and we only create these in a single ou.

          I think the screen where you thought it was listing all groups for a particular user was actually the "default" group summary page. So it will list all groups - it's not a group summary for any particular user. Regardless, I have also run into issues with Active Directory groups.

I tried a very basic group permission test which failed. I added a test user called clearspaceadmintest into Active Directory and then added this user into a group called "Clearspace Administrators". I set the permissions for the Main Space to make anyone in the "Clearspace Administrators" group a system admin (the admin interface found the group without a problem). I logged out of the admin tool and tried to log back in as the clearspaceadmintest user and it would not let me log in.

          I logged back in with my working admin account and checked the group summary. The "Clearspace Administrators" group is listed with the correct number of members being reported.

          Not sure what's going on, but the group functionality when using an external source might have an issue.

          • Re: AD/LDAP user group membership being reported incorrectly
            aron.racho

            Hi,

            Would it be possible for you to post or send me screenshots of your permissions settings?

            Thanks,

            Aron

              • Re: AD/LDAP user group membership being reported incorrectly

                Hi,

                The way it seems to be happening is this:

userA is a member of two groups, group1 and group2. I can see this is correct after digging into both AD and the Group Summary tab in CS admin.

Looking at the User Summary page in CS admin gives a different result: it shows that userA is a member of group1, group2, group3, group4, group5 etc. The extra groups exist, but the user is not a member of them in AD - the consequence being that userA can see more than he should, as CS thinks he's a member of all available groups.

I've got a couple of grabs which hopefully illustrate the point a little better - Aron, want to message me with a regular mail address? I can't see a way to post pics to the board (though it's been a long day, I might be being blind).

                Cheers

                peter