LDAP: cannot find groups (users are imported successfully)
Last modified on 16 March 2015 10:15 AM
The Problem: After checking the settings at Options → User/Group Sync, users are being imported successfully but no groups appear for import via Groups → Add/Remove Groups.
Mismatching LDAP schemas
PaperCut looks up groups by finding objects that contain “members”. One implication of this is that if your group does not have any members yet, it will not be displayed by PaperCut.
Different LDAP servers / schemas use define group membership in different ways. For example, some servers list members in the “member” field, others the “memberUid” field. PaperCut is looking for a field different to your LDAP server no groups will be returned. The field PaperCut uses can be changed with the “ldap.schema.group-member-field” config key.
Another difference is how users are stored in the member field. It can be either the user’s full DN or their username. This can be changed with “ldap.schema.posix-groups” setting.
For more information on these advanced settings see: http://www.apms.com.hk/product/papercut-ng/manual/apdx-ldap.html
Too restrictive Base DN
A common reason for this is the Base DN used at Options → User/Group Sync being too restrictive. The base DN is used to limit LDAP searches to items underneath it. LDAP searches are used to find both users and groups.
E.g. if using a base DN like:
then only items under the object ‘Users’ will be found. If groups are stored at:
they will be ignored (because Groups does not exist beneath Users - it is stored under myorg). In this situation a valid base DN would be:
which will allow PaperCut to find both the users and groups.
Once a base DN has been defined you may still limit the users that are imported to one particular group by clicking Change Group under the Import users from option.