3 Replies Latest reply on Sep 29, 2008 8:53 PM by infinitiguy

    Restricting LDAP users by AD group membership, users populate on 1st login

      Setting up Clearspace 1.8 with LDAP/AD authentication, and the config below (filtering users based on a group membership in AD, only members of "Clearspace_Users" are included, groups for Clearspace are managed locally) is working fine to restrict our user base from our full 400-user domain down to the 20 or so named users we want to have in Clearspace. That's the good news.


      The problem is that with this config, until a user logs in to Clearspace for the first time, they don't appear in the user list, even though they're present in the AD group. This makes it difficult to preconfigure space memberships, manage content permissions, etc.


      Is there any way to filter users based on group membership (or on another arbitrary AD/LDAP attribute, like a custom field or a comment) and have them auto-populate in Clearspace? The first time I tried LDAP setup, I got all the users in AD (dragging performance down quite a bit), so this is better, but not perfect.


      ldap.baseDN = cn=users,dc=mjmcreative,dc=com
      ldap.connectionPoolEnabled = true
      ldap.emailField = mail
      ldap.followReferrals = false
      ldap.groupDescriptionField = description
      ldap.groupMemberField = member
      ldap.groupNameField = cn
      ldap.host = domaincontroller1.mjmcreative.com
      ldap.ldapDebugEnabled = false
      ldap.nameField = cn
      ldap.port = 389
      ldap.searchFilter = (&(sAMAccountName=)(memberOf=cn=Clearspace_Users, ou=Security_Groups,dc=mjmcreative,dc=com))
      ldap.usernameField = sAMAccountName

        • Re: Restricting LDAP users by AD group membership, users populate on 1st login

          Got word from support (thanks Curtis!):


          If you wanted to pull in everyone you currently have in LDAP search here...

          ldap.searchFilter = (&(sAMAccountName=)(memberOf=cn=Clearspace_Users, ou=Security_Groups,dc=mjmcreative,dc=com))

          Just remove the bold values in these fields during the setup process (by stopping Clearspace & setting <setup>false</setup>):

          ldap.groupDescriptionField = *description*
          ldap.groupMemberField = *member*
          ldap.groupNameField = *cn*


          With those group settings blank Clearspace will bring in all of the users within the restricted search filter you have assigned.

            • Re: Restricting LDAP users by AD group membership, users populate on 1st login

              One more adjustment here --


              We figured out why the group-filtered user list wasn't prepopulating -- our control group was in Security_Users, not the Users container. It was working for authentication but not for the group filter.


              Amended config:

              ldap.baseDN = dc=mjmcreative,dc=com -- note that Users is now omitted
              ldap.searchFilter = (memberOf=cn=Clearspace_Users, ou=Security_Groups, dc=mjmcreative,dc=com) -- leaving CU group in Security_Groups
              ldap.groupSearchFilter = (&(objectCategory=group)(name=Clearspace*))


              At this point it seems to be behaving as expected. Users who don't reside in the Users OU are also showing up.
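              To make the fix above concrete, here is an added example (not code from the thread or from Clearspace) that emulates what a subtree user sync does with ldap.baseDN and ldap.searchFilter against a few constructed entries: the account that lives outside cn=Users is dropped while the base DN is cn=users,dc=mjmcreative,dc=com and appears once the base DN is widened to the domain. The account names and DNs are hypothetical; only the group DN and domain come from the thread.

```python
# Added example (not from the thread or Clearspace): emulate a subtree user
# sync that applies ldap.baseDN as the search scope and a memberOf filter.
from typing import Dict, List

# Group DN exactly as written in the thread's ldap.searchFilter (note the space
# after the first comma; DN comparison must tolerate that).
GROUP_DN = "cn=Clearspace_Users, ou=Security_Groups,dc=mjmcreative,dc=com"

def normalize_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, trim and lower-case each, so that
    'CN=Foo, OU=Bar' and 'cn=foo,ou=bar' compare equal (unescaped commas only)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry's DN must end with the base DN's RDN sequence."""
    e, b = normalize_dn(entry_dn), normalize_dn(base_dn)
    return len(e) >= len(b) and e[-len(b):] == b

def is_member(entry: Dict, group_dn: str) -> bool:
    """memberOf holds full group DNs (direct membership only); compare normalized."""
    want = normalize_dn(group_dn)
    return any(normalize_dn(g) == want for g in entry.get("memberOf", []))

def sync_users(directory: List[Dict], base_dn: str, group_dn: str) -> List[str]:
    """sAMAccountNames a sync would import: in scope under base_dn AND in group_dn."""
    return sorted(e["sAMAccountName"] for e in directory
                  if in_scope(e["dn"], base_dn) and is_member(e, group_dn))

# Constructed sample entries (hypothetical accounts in the thread's domain).
DIRECTORY = [
    {"dn": "cn=Alice Example,cn=Users,dc=mjmcreative,dc=com",
     "sAMAccountName": "alice",
     "memberOf": ["CN=Clearspace_Users,OU=Security_Groups,DC=mjmcreative,DC=com"]},
    {"dn": "cn=Bob Example,ou=Security_Users,dc=mjmcreative,dc=com",  # outside cn=Users
     "sAMAccountName": "bob",
     "memberOf": ["CN=Clearspace_Users,OU=Security_Groups,DC=mjmcreative,DC=com"]},
    {"dn": "cn=Carol Example,cn=Users,dc=mjmcreative,dc=com",
     "sAMAccountName": "carol",
     "memberOf": ["CN=Domain Users,CN=Users,DC=mjmcreative,DC=com"]},  # not in the group
]

if __name__ == "__main__":
    print(sync_users(DIRECTORY, "cn=users,dc=mjmcreative,dc=com", GROUP_DN))  # ['alice']
    print(sync_users(DIRECTORY, "dc=mjmcreative,dc=com", GROUP_DN))           # ['alice', 'bob']
```

Because memberOf reflects direct membership only, a user who is in Clearspace_Users via a nested group would still be excluded by this filter.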

            • Re: Restricting LDAP users by AD group membership, users populate on 1st login

              Sort of unrelated question. I'm new to Clearspace and still trying to figure out the ins and outs of the product. I went through the setup wizard and configured LDAP authentication. I'm new to my company so I don't know how the LDAP groups are structured, so for the time being I left groups as local (instead of LDAP).


              Two questions.


              First, the config file that you posted (the one with the LDAP info). Where does that live within Tomcat? I'm using Clearspace 2.5.1 standalone. I'd like to be able to take a look at the raw configs that the wizard generated for me.


              Second, is there a way to get Clearspace to look at LDAP for group membership (and assign communities/spaces those group memberships)?


              TIA for the help.