This is a snapshot of Indico's old Trac site. Any information contained herein is most probably outdated. Access our new GitHub site here.

Opened 21 months ago

Closed 20 months ago

Last modified 20 months ago

#1463 closed defect (invalid)

Can I use groups from my ldap server?

Reported by: bartelt
Owned by: arescope
Priority: normal
Milestone: v1.2
Component: General
Version: 1.1
Keywords:
Cc:

Description

I have configured my installation (1.1.2) to authenticate via LDAP. I also configured the 'groupDNquery' in indico.conf. However, I don't have access to any of the LDAP groups. When I go to 'manage groups', only the ones I created in Indico are available. CERN obviously has some external DB of groups. Is that purely a CERN extension, or is it available out of the box? Thanks.

Change History (9)

comment:1 Changed 21 months ago by jbenito

  • Milestone set to v1.2
  • Owner set to arescope
  • Status changed from new to assigned

comment:2 Changed 21 months ago by bartelt

Hi. Can I just get a yes or no answer to my question?
Are ldap groups available in indico 1.1.2?
thanks

comment:3 Changed 21 months ago by arescope

Hi,

Apologies for the delay.

You cannot list them in the Administration because that could perform a big query to the LDAP server, but you can search for them.

Best regards

comment:4 Changed 21 months ago by bartelt

Thanks. I have tried searching for groups and it always fails. In contrast, I can search for a group in the same ldap server using a simple script which succeeds. When I try searching for the same group in indico, it finds nothing (using same base, etc.).
There is nothing in the log file.

comment:5 Changed 21 months ago by arescope

Could you please try:

  • In Administration->Administrator list try to add a new group.
  • You should check 'Search CERN user database' and see if it is finding a group.

comment:6 Changed 20 months ago by bartelt

Are you looking at the same version that I am using (1.1.2)?

> In Administration->Administrator list try to add a new group.
> You should check 'Search CERN user database' and see if it is finding a group.

I have "Server Admin" -> "General Settings" and under "Administrator List" I have the option to add an administrator. There is no option to add a group here.

Under "Server Admin" -> "Users and Groups" -> "Manage Groups" I can add a group (as I said earlier, the only groups I can find are those that I created via Indico). There is no checkbox for "Search CERN user database" in my installation.

comment:7 Changed 20 months ago by bartelt

I never got a response to this. Any help appreciated.

John

comment:8 Changed 20 months ago by jbenito

Dear John,

I am sorry for the delay in our answer. We have been extremely busy with the deployment (at CERN) of the new version of Indico, v1.2.

We do have experience with LDAP but only in the current version here at CERN, v1.2. Previously, while running v1.1.2 in production, we didn't use LDAP.

On the other hand, there are many Indico administrators (from other labs) that use LDAP, which is why I would recommend that you send an email explaining your problem to our email list: project-indico-administrators@…. I am sure there will be other administrators around the world who might have faced a similar problem.

Just in case it helps, below you can see our current LDAP config, but beware: the config structure is from v1.2 and hence it is different from the one in v1.1.2:

AuthenticatorList = [('LDAP', {'peopleDNQuery': ('cn={0}', 'DC=cern, DC=ch'),
                               'groupDNQuery': ('cn={0}', 'OU=Workgroups,DC=cern,DC=ch'),
                               'accessCredentials': ('CN=indico,OU=Users,OU=Organic Units,DC=cern,DC=ch', 'XXXXXXX'),
                               'useTLS': False,
                               'uri': 'ldap://cerndc.cern.ch',
                               'groupStyle': 'ActiveDirectory',
                               'SSOActive': True,
                               'LogoutCallbackURL': 'https://login.cern.ch/adfs/ls/?wa=wsignout1.0',
                               'SSOMapping': {'email': 'ADFS_EMAIL',
                                               'login': 'ADFS_LOGIN',
                                               'personId': 'ADFS_PERSONID',
                                               'phone': 'ADFS_PHONENUMBER',
                                               'fax': 'ADFS_FAXNUMBER',
                                               'lastname': 'ADFS_LASTNAME',
                                               'firstname': 'ADFS_FIRSTNAME',
                                               'institute': 'ADFS_HOMEINSTITUTE'},
                               'ResetPasswordMessage': 'If you do not remember your password, please visit https://account.cern.ch/account/Externals/ResetPassword.aspx or contact the CERN helpdesk (helpdesk_at_cern.ch).'
                           }
                     )]

Last edited 20 months ago by jbenito
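
Added example, not part of the ticket and not Indico's own code: a small check that turns a v1.2-style `groupDNQuery` entry into the search base and filter to compare against a stand-alone LDAP script, and flags a service-account bind that would travel unencrypted. It assumes the tuple is (filter template, search base) with `{0}` replaced by the search term, that `useTLS` enables StartTLS, and that `accessCredentials` is (bind DN, password); the sample values are constructed placeholders.

```python
# Added example: not Indico code. Assumes the v1.2 tuple layout shown in the
# config above: (filter template, search base), {0} = search term.

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
    return ''.join(special.get(ch, ch) for ch in value)


def group_search(ldap_cfg, group_name):
    """Return (base, filter) for a group lookup by name."""
    template, base = ldap_cfg['groupDNQuery']
    return base, '(%s)' % template.format(escape_filter_value(group_name))


def transport_findings(ldap_cfg):
    """List reasons the service-account bind would cross the network unencrypted."""
    findings = []
    uri = ldap_cfg.get('uri', '')
    encrypted = uri.lower().startswith('ldaps://') or ldap_cfg.get('useTLS', False)
    if not encrypted:
        findings.append('no TLS: uri is %r and useTLS is off' % uri)
        if ldap_cfg.get('accessCredentials'):
            findings.append('accessCredentials bind password is sent in cleartext')
    return findings


# Constructed sample in the same shape as the config above (placeholder values).
SAMPLE = {
    'groupDNQuery': ('cn={0}', 'OU=Groups,DC=example,DC=org'),
    'accessCredentials': ('CN=svc-indico,OU=Users,DC=example,DC=org', 'placeholder'),
    'useTLS': False,
    'uri': 'ldap://ldap.example.org',
}

if __name__ == '__main__':
    print(group_search(SAMPLE, 'physics-admins'))
    # A group name containing filter metacharacters must be escaped,
    # otherwise the server rejects or misreads the filter.
    print(group_search(SAMPLE, 'ops (geneva)'))
    for finding in transport_findings(SAMPLE):
        print('WARNING: ' + finding)
```

Running the same base and filter through a stand-alone LDAP client with the same bind DN shows whether an empty result comes from the directory or from the application's configuration.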

comment:9 Changed 20 months ago by jbenito

  • Resolution set to invalid
  • Status changed from assigned to closed

BTW, for the time being I will close this ticket since it seems more a matter of configuration. Could you please move the discussion to project-indico-administrators? If we find out that there is a bug, I will re-open the ticket.

Thank you.

Last edited 20 months ago by jbenito