[Deploying Sakai] LDAP Group Mapping

Dan McCallum dmccallum at unicon.net
Mon Apr 11 08:25:16 PDT 2011

Larry's problem is that his group memberships live in one LDAP 
container, his users in another, and the references are one way, 
groups->users. So he has no way to use group information to set Sakai 
user types except by either patching the provider to issue a second 
search or implementing schema changes of some sort on the LDAP side. As I 
understand it, Apple OD delegates to OpenLDAP, so an overlay (either 
dynlist or memberof) *might* work for the latter.

I don't have an OD instance, but in looking at Chapter 9 in the admin 
guide [1], it appears you're supposed to use something called "Workgroup 
Manager with inspector mode turned on" to configure slapd for OD.

- Dan

1 - 

On 04/10/2011 03:49 PM, Steve Swinsburg wrote:
> Hi Larry,
> Group mapping (as in Sakai groups) is different from user type mapping.
>  From the sounds of it you want a user's account 'type' to be mapped
> from an LDAP attribute? There are a couple of TypeMapper classes
> included, and if this is your scenario, in jldap-beans.xml you want to
> comment out the existing typemapper and uncomment the
> EntryAttributeToUserTypeMapper :
> Like so:
> <property name="userTypeMapper">
> <!-- Select one of the following beans -->
> <!-- ref bean="edu.amc.sakai.user.EmptyStringUserTypeMapper" /-->
> <ref bean="edu.amc.sakai.user.EntryAttributeToUserTypeMapper" />
> <!-- ref bean="edu.amc.sakai.user.EntryContainerRdnToUserTypeMapper" /-->
> <!-- ref bean="edu.amc.sakai.user.StringUserTypeMapper" /-->
> </property>
> Then a little further down you configure it. You can either use the
> value of the LDAP attribute 'groupMembership' directly to map to a user
> type, or you can provide a hardcoded mapping. Just uncomment the section
> you want and comment out the other one.
> cheers,
> Steve
> On 11/04/2011, at 5:55 AM, Larry Dougher wrote:
>> Hi all,
>> So, I have LDAP login working well on an instance of Sakai but I'm hung
>> up on the type part of a user account which I believe is related to the
>> group membership mapping.
>> Everything is mapping correctly (First name, Last name, Email, etc)
>> except Type. What I would like is to specify it with the groupMembership
>> attribute that you see on the screenshot (Faculty, WHS students,
>> etc). So that when an LDAP user logs in and goes to account it would
>> look like this:
>> User ID: jdoe
>> First Name: John
>> Last Name: Doe
>> Email: jdoe at windsorschools.net
>> <mailto:jdoe at windsorschools.net>
>> Type: Faculty (or WHS Students, or SSS Students, whatever group they
>> are a part of)
>> I talked to a few Sakai developers and it looks like I need a memberOf
>> overlay according to
>> http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance
>> however that article refers to a directory at /var/lib/ldap2.4 and it
>> doesn't exist within OS X server so that right away raises some red
>> flags. Oh yeah, running OS X Server 10.6.4. I also can't find the
>> memberof module either.
>> Any help would be greatly appreciated.
>> Thanks,
>> Larry Dougher
>> Technology Coordinator / ACSP 10.6 / ACMT
>> Windsor Southeast Supervisory Union
>> _______________________________________________
>> production mailing list
>> production at collab.sakaiproject.org
>> <mailto:production at collab.sakaiproject.org>
>> http://collab.sakaiproject.org/mailman/listinfo/production
>> TO UNSUBSCRIBE: send email to
>> production-unsubscribe at collab.sakaiproject.org
>> with a subject of "unsubscribe"
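The "second search" option Dan describes at the top of this message, written out as an added example that is not code from the Sakai jldap provider or from anyone in this thread: given a directory where only groups carry `member` references to users, the provider runs a reverse lookup over the groups container, then maps the matching group CNs to a Sakai user type. The in-memory directory, the group and type names, the `ou=Groups` base and the `groupOfNames`/`member` schema are all constructed assumptions; a real provider would pass a bound LDAP connection's search in place of `in_memory_search`.

```python
# Added example (not from the Sakai provider or this thread): derive a Sakai
# user type from one-way group->user references by issuing a second LDAP
# search against the groups container. The directory below is a constructed
# in-memory stand-in; group names, type names and the base DN are assumptions.

import re
from typing import Callable, Iterable


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter. The user DN
    is interpolated into the filter, so characters like '*', '(' and ')' must
    be escaped or a crafted DN could change what the filter matches."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def reverse_group_filter(user_dn: str, group_oc: str = "groupOfNames",
                         member_attr: str = "member") -> str:
    """Filter for the second search: groups whose member attribute names the user."""
    return "(&(objectClass=%s)(%s=%s))" % (group_oc, member_attr,
                                           escape_filter_value(user_dn))


# A search callable takes (base, filter) and yields (dn, attrs) pairs,
# which is all the provider needs from the real LDAP connection.
Search = Callable[[str, str], Iterable[tuple]]


def groups_for_user(search: Search, groups_base: str, user_dn: str) -> list:
    """DNs of every group under groups_base that lists user_dn as a member."""
    return [dn for dn, _ in search(groups_base, reverse_group_filter(user_dn))]


def user_type_from_groups(group_dns: list, mapping: dict, default: str) -> str:
    """Map group CNs to a Sakai user type. `mapping` is ordered: the first
    entry that matches wins, so the most privileged type should be listed
    first on purpose. Groups not in the mapping fall through to `default`."""
    cns = {dn.split(",", 1)[0].split("=", 1)[1].lower() for dn in group_dns}
    for group_cn, user_type in mapping.items():
        if group_cn.lower() in cns:
            return user_type
    return default


# Constructed directory: groups reference users, users carry no memberOf.
CONSTRUCTED_GROUPS = {
    "cn=Faculty,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=jdoe,ou=People,dc=example,dc=org"],
    },
    "cn=WHS Students,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=asmith,ou=People,dc=example,dc=org",
                   "uid=jdoe,ou=People,dc=example,dc=org"],
    },
    "cn=Printers,ou=Groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bjones,ou=People,dc=example,dc=org"],
    },
}

# Understands only the filter shape produced by reverse_group_filter.
_FILTER_RE = re.compile(r"^\(&\(objectClass=([^)]+)\)\(([^=]+)=(.*)\)\)$")


def in_memory_search(base: str, ldap_filter: str):
    """Stand-in for an LDAP subtree search over the constructed groups."""
    m = _FILTER_RE.match(ldap_filter)
    if not m:
        return
    oc, attr, wanted = m.groups()
    for dn, attrs in CONSTRUCTED_GROUPS.items():
        if not dn.endswith(base) or oc not in attrs.get("objectClass", []):
            continue
        if any(escape_filter_value(v) == wanted for v in attrs.get(attr, [])):
            yield dn, attrs


# Assumed hardcoded mapping, most privileged type first; "Printers" is
# deliberately absent so members of it get the default type.
TYPE_MAPPING = {"Faculty": "faculty", "WHS Students": "student",
                "SSS Students": "student"}
GROUPS_BASE = "ou=Groups,dc=example,dc=org"


def resolve_user_type(user_dn: str) -> str:
    groups = groups_for_user(in_memory_search, GROUPS_BASE, user_dn)
    return user_type_from_groups(groups, TYPE_MAPPING, default="guest")


if __name__ == "__main__":
    for uid in ("jdoe", "asmith", "bjones", "nobody"):
        dn = "uid=%s,ou=People,dc=example,dc=org" % uid
        print(uid, "->", resolve_user_type(dn))
```

Two design points worth keeping whichever route (second search or overlay) ends up being taken: the mapping is an allow-list with a low-privilege default, so a user in an unmapped group or in no group never gets an elevated type by accident, and the user DN is filter-escaped before it is interpolated, since the DN comes from directory data rather than from code. A memberof or dynlist overlay moves the same groups-to-users join into slapd, so the provider can read a `memberOf` attribute off the user entry instead of running the second search.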
