thedarkass Geschrieben 5. Oktober 2005 Geschrieben 5. Oktober 2005 hallo, ich habe ein bscw server hier und der soll eine ldap anbindung bekommne. mein system ist fedora core 2 mit dem standart httpd und dem neusten bscw. mein problem ist, wie kann ich die config_ldap.py richtig einstellen? mein ldap server ist hier zu erreichen: -> blade.stg.hdg-viss.net man hat mir gesagt, das ich dafür kein account brauche. der source von der config_ldap.py:

# config_ldap.py: LDAP settings for BSCW. The sections below cover the
# base-DN -> server mapping, automatic registration at login, password
# checking, the member search of the invite action, and the attribute
# mapping between LDAP and BSCW.

# LDAP default data

# hosts
#   Map from base DNs to LDAP hosts.
#   For distinguished names, use lower case only and no spaces before
#   or after ','. Port numbers may be specified as 'host.domain:port'
#   (the default LDAP port number is 389).
#   You may also use a triple ('host.domain:port', DefaultDN, password)
#   for the default binding if an anonymous binding to the LDAP server
#   is not possible (e.g. for searching DNs).
#
#   NOTE(review): in the triple form the bind password is a plain string in
#   this file, so the file should be readable only by the account BSCW runs
#   as, and DefaultDN should be a dedicated account with search-only rights.
#   NOTE(review): 389 is the plain LDAP port. Whether this BSCW release can
#   use LDAPS or StartTLS is not visible here; confirm before bind passwords
#   cross a network that is not trusted.
#
# hosts = {
#   The default binding is an anonymous binding:
#   'o=snakeoil,c=de': 'ldap.snakeoil.de',
#
#   The default binding is explicitly specified:
#   'o=snakeoil2,c=de': (
#       'ldap.snakeoil.de:389', 'cn=default,o=snakeoil,c=de', 'passwd'),
# }
# Empty as posted: no base DN is mapped to a server yet.
hosts = {
}

# auto_registration
#   DN patterns and search patterns for auto-registration during login.
#   If a user is not registered at BSCW but her DN can be found on an LDAP
#   server with one of the patterns listed in auto_registration, then BSCW
#   makes an attempt to register the user automatically and assigns
#   (binds) the DN to the user object if the registration process succeeds.
#   Two patterns are possible here (%s is substituted by the login name):
#   a pattern that expands to the DN directly, or a pair that specifies
#   the LDAP server and a search expression (in the examples below the
#   first element of the pair is a base DN, as used for the keys of hosts).
#   The latter results in a 2-step process for the required binding: first
#   the DN is looked up on the LDAP server using the default binding, then
#   a bind is tried with the resulting DN (must be unique) and the given
#   password.
#
#   NOTE(review): %s is filled with the login name typed by the user.
#   Whether BSCW escapes LDAP filter metacharacters ('*', '(', ')', '\')
#   before substitution is not visible here; confirm against the BSCW code.
#   An exact-match filter such as (uid=%s) yields at most one entry per
#   login name on a directory with unique uids; a wildcard filter such as
#   (mail=*%s@*) can match several entries, which the uniqueness
#   requirement above then rejects.
#   NOTE(review): once this tuple is non-empty, a directory entry that
#   matches a pattern and binds successfully is registered in BSCW, so the
#   base DN should be no wider than the intended user population.
#
# auto_registration = (
#   # A DN pattern:
#   'cn=%s,o=snakeoil,c=de',
#
#   # Search patterns for binding in a 2-step process (each entry needs a
#   # trailing comma when uncommented):
#   ('o=snakeoil2,c=de', '(mail=*%s@*)'),
#   ('o=snakeoil2,c=de', '(uid=%s)'),             # LDAP
#   ('o=snakeoil2,c=de', '(sAMAccountName=%s)'),  # MS Active Directory
# )
# Empty as posted: no pattern is configured.
auto_registration = (
)

# auto_registration_email
#   Use auto_registration_email = 'reg_done' if you want the standard
#   registration mail sent to an automatically registered user.
auto_registration_email = None

# auto_registration_roles
#   Define initial roles for automatically registered users.
#   The list consists of pairs ('attribute=value', role).
#   Note: at the moment the 'attribute=value' string is only looked up
#   in the DN (user.ldap_bind) of the user. The LDAP attributes of
#   the user are ignored. This might be changed in the future.
auto_registration_roles = [
]

# use_ldap_passwords
#
#   Defines how BSCW handles users with LDAP binding and local BSCW users
#   (without LDAP binding):
#
#   - If use_ldap_passwords is 1 then FOR ALL USERS passwords are verified
#     against the LDAP server. Hence an existing user who is not found
#     on an LDAP server cannot log in to the system anymore.
#   - If use_ldap_passwords is 2 then the user password is verified
#     against the LDAP server for users with an LDAP binding or users
#     found on an LDAP server. Hence an existing local BSCW user who is
#     not found on an LDAP server and who does not have an LDAP binding
#     can still log in to the system.
#   - If use_ldap_passwords is 3 then the user password is verified
#     against the LDAP server only for users that have an LDAP binding.
#
#   Note: BSCW does password checking by LDAP only if the BSCW server and
#   not the HTTP server does authentication (e.g. when cookie
#   authentication is enabled or BSCW gets the HTTP_AUTHORIZATION value).
#   Because this is not a very fast way to do authentication, it is
#   strongly recommended to configure the HTTP server to do LDAP
#   authentication (e.g. via the Apache HTTP server auth_ldap module)
#   instead of setting use_ldap_passwords = 1, which requires all users to
#   pass LDAP authentication.
#
#   Note: If the Apache HTTP server auth_ldap module is used,
#   use_ldap_passwords must be set to 3; otherwise the BSCW change
#   password action interferes with the auth_ldap module's internal
#   password cache.
#
#   NOTE(review): in modes 2 and 3 accounts that only have a local BSCW
#   password remain valid logins, so disabling a person in the directory
#   presumably does not lock such an account; verify and review local
#   accounts separately.
use_ldap_passwords = 2

# ldap_searches
#   A list of member search options (id, pattern) or (id, pattern, rdnlist)
#   for the workspace invite member action (op_addmb):
#   + id is a unique identifier for the search and must be translated
#     in packages/ldap/messages/*/lg_msgconfig.py
#
#   + pattern is an LDAP query where '%(query)s' is replaced by the user
#     input of the addmb search form
#
#   + rdnlist defines an optional filter for a relative DN type, which
#     allows to additionally remove query results which do not match the
#     given RDN value list
#
#   Examples of LDAP queries:
#
#   + search subtree of defined base DN(s) for the given query:
#     ('mb_search_ldap_uid', 'cn=*%(query)s*'),
#     ('mb_search_ldap_uid', '(|(cn=*%(query)s*)(uid=*%(query)s*))'),
#     ('mb_search_ldap_uid', '(sAMAccountName=*%(query)s*)'),  # MS Active Directory
#
#   + search subtree of defined base DN(s) for query 'ou=*%(query)s*'
#     and remove results whose relative DN of type 'ou' does not match
#     the given list ['sales', 'extern']:
#     ('mb_search_ldap_org', '(ou=*%(query)s*)', ('ou', ['sales', 'extern'])),
#
#   NOTE(review): '%(query)s' is form input. Whether BSCW escapes LDAP
#   filter metacharacters before building the filter is not visible here;
#   confirm. The substring patterns return every entry under the base DN
#   whose cn or uid contains the typed fragment, so the base DN (and the
#   optional rdnlist) decide how much of the directory the search form
#   exposes.
ldap_searches = [
    ('mb_search_ldap_uid', '(|(cn=*%(query)s*)(uid=*%(query)s*))'),
]

# List of alternate class names for persons (users)
person_classes = ['person']     # LDAP class 'person'
#person_classes = ['user']      # MS Active Directory class 'user'

# Attribute translations LDAP (or MS Active Directory) -> BSCW.
# Each pair is (LDAP attribute name, BSCW field name).
update_bscw = (
    ('cn', 'fullname'),                 # LDAP class 'person'
    #('displayname', 'fullname'),       # MS Active Directory class 'user'
    ('o', 'org'),                       # LDAP class 'person'
    ('telephonenumber', 'phone'),
    ('facsimiletelephonenumber', 'fax'),
    ('homephone', 'homephone'),
    ('mobile', 'mobile'),
    ('labeledURI', 'home_url'),
    ('postaladdress', 'post'),          # LDAP 'person' class
)

# Allow BSCW to update user details in LDAP.
# If update_bscw_edit is False BSCW will not perform any LDAP
# attribute updates and the action chdetails does not allow editing
# personal details.
# NOTE(review): this and update_pwd below are both enabled, so BSCW is
# allowed to write to the directory. Which identity performs the write
# (the default binding or the user's own bind) is not shown here; confirm,
# and grant that identity write access only to the attributes listed in
# update_bscw.
update_bscw_edit = True

# Allow BSCW to update user password in LDAP
update_pwd = True

# BSCW user <-> LDAP attribute mapping
# optional filter function:
#   if a value in 'ldap_attr' is a 2-tuple, the filter function tuple[0]
#   is applied on all LDAP results for attribute tuple[1]. The filter
#   function returns the filtered attribute or None if the attribute should
#   be skipped.

# filter function:
#def smtp(v):
#    """smtp(mailaddress) -> filtered mailaddress string or None
#    """
#    if v.startswith('SMTP:'):
#        return v[5:]
#    return None

# Keys are BSCW user fields, values are the LDAP attributes they are read
# from (or a (filter function, attribute) pair as described above).
ldap_attr = {
    # LDAP class 'person'
    'user': 'uid',
    'fullname': 'cn',
    'mailaddress': 'mail',
    # MS Active Directory class 'user'
    #'user': 'sAMAccountName',
    #'fullname': 'displayName',
    #'mailaddress': 'userPrincipalName',
    #'mailaddress': (smtp, 'proxyAddresses'),
}

# The following settings are used by op_ldap.py; they might not be
# supported in the future.

# Supported attributes. They will be displayed in the given order.
attributes = (
    'cn', 'sn', 'givenname', 'initials', 'title', 'o', 'ou',
    'telephonenumber', 'facsimiletelephonenumber', 'homephone', 'mobile',
    'labeledURI', 'postaladdress', 'streetaddress', 'mail', 'uid',
    'description', 'c', 'st', 'l',
)

# The following attributes are ignored
ignore = ('photo', 'jpegphoto', )

# The following attributes allow multiline textarrays (line separator \n)
textarrays_allowed = ('iattr', )

# The following attributes have faked multiline textarrays (line separator
# is textsep)
textarrays_faked = ('streetaddress', 'description', 'postaladdress', )
textsep = ' $ '

Zitieren