Caution: This documentation is for eZ Publish legacy, from version 3.x to 5.x.
For 5.x documentation covering Platform, see the eZ Documentation Center; for the difference between legacy and Platform, see the 5.x Architecture overview.


The LDAP user manager cronjob

The cronjobs/ldapusermanage.php script synchronizes data from the LDAP server to eZ Publish. It is no longer needed, since issue #15530 has been fixed and data is now synchronized on every login. The cronjob is only needed if you don't have the fix for #15530 yet and user data has been changed in LDAP or in eZ Publish. The script is likely to be deprecated and removed soon, so it is recommended to avoid using it.

An alternative way (though not recommended) of synchronizing user objects is to delete them, since they will be recreated on the next login with synchronized data. Please note that this solution can be destructive: any object relations, object ownership information, and sub nodes of the user node will not be recreated.

LDAP login handler improvements (Issue #15490)

As mentioned before (see LDAP Group Mapping Type: UseGroupAttribute), it will be possible to set LDAPUserGroupAttributeType to "dn" in eZ Publish 4.3. When LDAPUserGroupAttributeType is set to "dn", LDAPUserGroupAttribute should be set to an LDAP attribute that holds the DN of the group(s) to which the user belongs. If the user belongs to multiple groups, this attribute should be set multiple times in the LDAP user object, one DN per value; a single value should not contain multiple DNs (this is how LDAP attributes are normally used). The 'dn' value comes in addition to the existing allowed values 'name' and 'id', which are not changed.

The UseGroupAttribute mode can now also create groups. Previously, when LDAPGroupMappingType was set to "UseGroupAttribute", no groups would be created: if the indicated group(s) were not found, the user(s) would be placed in the default group. With the addition of the LDAPCreateMissingGroups setting, the creation of groups is now supported. This setting is disabled by default, for backwards compatibility. When it is enabled, missing groups will be created.
This enhancement will be implemented in eZ Publish 4.3.0.
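As an added example (not code from the eZ Publish code base, which is PHP), the following Python models the mapping described above for LDAPGroupMappingType=UseGroupAttribute with LDAPUserGroupAttributeType=dn: every value of the group attribute is one group DN, unknown DNs are created only when LDAPCreateMissingGroups is enabled, and a user matching no group lands in the default group. The attribute name memberOf, the group names, the DN-keyed group lookup and the naming of created groups are constructed assumptions.

```python
# Added example (not eZ Publish code): UseGroupAttribute mapping with dn.
# Constructed LDAP user entry: each group DN is a separate value of the
# (assumed) memberOf attribute, as the page requires.
SAMPLE_USER_ENTRY = {
    "uid": ["jdoe"],
    "memberOf": [
        "cn=editors,ou=groups,dc=example,dc=com",
        "CN=Reviewers, OU=Groups, DC=example, DC=com",  # case/spacing differ
        "cn=ghosts,ou=groups,dc=example,dc=com",         # no eZ group yet
    ],
}
# Misconfigured entry: two DNs packed into one value, which the page warns
# against; the handler sees a single DN that matches nothing.
MISPACKED_ENTRY = {
    "uid": ["jroe"],
    "memberOf": ["cn=editors,ou=groups,dc=example,dc=com;"
                 "cn=reviewers,ou=groups,dc=example,dc=com"],
}
# Constructed lookup of existing eZ Publish groups keyed by their LDAP DN
# (a stand-in for however a real site stores the DN on its groups).
EXISTING_GROUPS = {
    "cn=editors,ou=groups,dc=example,dc=com": "Editors",
    "cn=reviewers,ou=groups,dc=example,dc=com": "Reviewers",
}
DEFAULT_GROUP = "Guest accounts"

def normalize_dn(dn):
    """Compare DNs case-insensitively, ignoring spaces around commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def map_user_groups(entry, group_attribute, existing_groups,
                    create_missing=False, default_group=DEFAULT_GROUP):
    """Return (assigned, created) group names; create_missing models LDAPCreateMissingGroups."""
    known = {normalize_dn(dn): name for dn, name in existing_groups.items()}
    assigned, created = [], []
    for value in entry.get(group_attribute, []):
        key = normalize_dn(value)
        if key in known:
            assigned.append(known[key])
        elif create_missing:
            # Name the new group after the leading RDN value (an assumption).
            name = value.split(",", 1)[0].split("=", 1)[1]
            created.append(name)
            assigned.append(name)
    if not assigned:  # nothing matched: fall back to the default group
        assigned.append(default_group)
    return assigned, created
```

With LDAPCreateMissingGroups left at its default, the unknown "ghosts" DN is simply ignored; enabling it would create a group from that DN, so check the group attribute values before turning the setting on.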

Bug fixes

#15530: Existing ezp users are not synchronized with LDAP users

When using the LDAP login handler, the following problems affect LDAP users that exist in eZ Publish:

  • If the user data is changed on the LDAP server, this change is not reflected in the eZ Publish user object.
  • If the user data of the eZ Publish user object is changed, this change remains after the next login.

In other words, existing eZ Publish users are not synchronized with data from LDAP. Synchronization should occur on every login for the user who logs in.
Fixed in: 4.3.0, 4.2.1, 4.1.5, 4.0.8

#15485: Deleted LDAP user nodes are not recreated

When an LDAP user has multiple nodes and one of them is removed, it will not be recreated on the next login. On the other hand, when all the nodes are removed (meaning that the object is also gone), all nodes are correctly recreated.
Fixed in: 4.3.0, 4.2.1, 4.1.5, 4.0.8

#14389: In ezldapuser.php, LDAPLoginAttribute and LDAPGroupNameAttribute ini variables with upper case characters unread

When LDAPLoginAttribute and LDAPGroupNameAttribute contain upper case characters, the login fails.
Fixed in: 4.3.0, 4.2.1, 4.1.5, 4.0.8


The LDAPDebugTrace setting was added in version 4.1 beta 1. When it is enabled, LDAP login data is written to notice.log. This can help you track down a configuration problem.

Ester Heylen (30/09/2009 1:47 pm)

Ester Heylen (30/09/2009 1:55 pm)
