LDAP: cannot find groups (users are imported successfully)

Main.LDAPNoGroups History

March 13, 2015, at 12:53 AM by matt - more details
Changed lines 5-6 from:
The most common reason for this is the '''Base DN''' used at ''Options -> User/Group Sync'' being too restrictive.  The base DN is used to limit LDAP searches to items underneath it.  LDAP searches are used to find both users '''and groups'''.
to:
!! Mismatching LDAP schemas

PaperCut looks up groups by finding objects that contain "members".  One implication of this is that if your group does not have any members yet, it will not be displayed by PaperCut.

Different LDAP servers / schemas use define group membership in different ways.  For example, some servers list members in the "member" field, others the "memberUid" field.  PaperCut is looking for a field different to your LDAP server no groups will be returned.  The field PaperCut uses can be changed with the "ldap.schema.group-member-field" config key.

Another difference is how users are stored in the member field.  It can be either the user's full DN or their username.  This can be changed with "ldap.schema.posix-groups" setting.

For more information on these advanced settings see: https://www.papercut.com/products/ng/manual/apdx-ldap.html

!! Too restrictive Base DN

A
common reason for this is the '''Base DN''' used at ''Options -> User/Group Sync'' being too restrictive.  The base DN is used to limit LDAP searches to items underneath it.  LDAP searches are used to find both users '''and groups'''.
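Review bot: In the new "Mismatching LDAP schemas" text, the sentence "PaperCut is looking for a field different to your LDAP server no groups will be returned" is missing its opening "If" and a comma before "no groups", and "use define" in the sentence before it should read "define". The "ldap.schema.posix-groups" sentence does not say which value of the setting corresponds to full DNs and which to usernames; suggest stating that here or saying explicitly that the linked appendix covers it. The relocated Base DN paragraph now starts with "A" on one line and "common reason" on the next, which looks like an accidental line break left over from removing "The most".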
Added lines 22-23:
----
[-Keywords: not visible, not available -]
Changed line 9 from:
then only items under the object 'Users' will be founds.  If groups are stored at:
to:
then only items under the object 'Users' will be found.  If groups are stored at:
Added lines 17-19:
!!Also see:
* [[MacOpenDirectoryLDAPConfiguration|+]]

Changed line 21 from:
''Categories:'' [[Category.Administration|+]], [[Category.Domains|+]], [[Category.Troubleshooting|+]]
to:
''Categories:'' [[Category.Administration|+]], [[Category.Domains|+]], [[Category.Implementation|+]], [[Category.Troubleshooting|+]]
Added lines 1-18:
(:title LDAP: cannot find groups (users are imported successfully):)

'''The Problem''': After checking the settings at ''Options -> User/Group Sync'', users are being imported successfully but no groups appear for import via ''Groups -> Add/Remove Groups''.

The most common reason for this is the '''Base DN''' used at ''Options -> User/Group Sync'' being too restrictive.  The base DN is used to limit LDAP searches to items underneath it.  LDAP searches are used to find both users '''and groups'''.

E.g. if using a base DN like:
  @@CN=Users,DC=myorg,DC=edu@@
then only items under the object 'Users' will be founds.  If groups are stored at:
  @@CN=Groups,DC=myorg,DC=edu@@
they will be ignored (because ''Groups'' does not exist beneath ''Users'' - it is stored under ''myorg'').  In this situation a valid base DN would be:
  @@DC=myorg,DC=edu@@
which will allow PaperCut to find both the users and groups.

Once a base DN has been defined you may still limit the users that are imported to one particular group by clicking '''Change Group''' under the ''Import users from'' option.

----
''Categories:'' [[Category.Administration|+]], [[Category.Domains|+]], [[Category.Troubleshooting|+]]

Article last modified on March 13, 2015, at 12:53 AM