Score:0

LDAP - Add a filter to an LDAP URL so that only users belonging to a certain group can access the app


We enable an application to use LDAP.

In the configuration of the application, we need to specify a URL to connect to LDAP. We are currently providing the following URL...

ldap://10.2.0.5:389/dc=domain,dc=abc,dc=de?uid

QUESTION: We need to add a filter to the URL above so that only users belonging to the "accessgroup" group are located in order to limit the application access to only users belonging to this group.

That is, something similar to this...

curl "ldap://10.2.0.5:389/dc=domain,dc=abc,dc=de?uid?sub?(&(memberof=cn=accessgroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=%s))"

We've tried hundreds of settings and nothing works... =|

GROUP

cn: accessgroup
gidNumber: 1004
memberUid: usera
memberUid: userb
memberUid: userc
memberUid: userd
memberUid: usere
memberUid: userf
memberUid: userg
memberUid: userh
memberUid: useri
objectClass: top
objectClass: posixGroup

USERS

cn: User Letter A
gecos: User Letter A
gender: M
gidNumber: 544
givenName: User
gotoLastSystemLogin: 01.01.1970 00:00:00
homeDirectory: /home/usera
loginShell: /bin/bash
mail: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
[...]
uid: usera
uidNumber: 1004
[...]

Thanks! =D

Score:1

How is your LDAP server's memberOf attribute created? Have you checked to make sure that your users actually have memberOf attributes?

In OpenLDAP for example, memberOf is only populated if you use the memberof overlay or manage them with dynamic lists.

Score:0

SITUATION:

The problem is that we are trying to filter using POSIX Groups and there is no specific overlay for that. What exists is a somewhat complex and laborious workaround that can be observed here GENERATING A MEMBEROF ATTRIBUTE FOR POSIXGROUPS.

SOLUTION:

To solve this problem we implemented a simple solution that can be seen here...

psx-grp-flt - user's posixGroup memberships against pgMemberOf (memberOf)

... which basically is the following...

A simple Python 2.7 script that stores each user's posixGroup (POSIX Group) associations in their pgMemberOf (memberOf) attribute. The purpose is to enable search filters like below...

MODEL

ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
    -D 'cn=admin,dc=domain,dc=abc,dc=de' \
    -w 'mySecretValue' \
    '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'

EXAMPLE

ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
    -D '<ADM_USER_DN>' \
    -w '<ADM_USER_PASSWORD>' \
    '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'

This script is useful for cases where we already have an OpenLDAP installed and we want to make filters available for POSIX Groups that already exist in a very simple way and without creating new types of groups. It is also useful when unable to install overlays or when this process is too laborious or risky.

Thanks! =D
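The following is an added illustration of the approach described in this answer; it is not the poster's psx-grp-flt script. It reads a (constructed) LDIF dump of posixGroup entries, derives the list of group DNs each uid belongs to via memberUid, and emits the LDIF modify records that ldapmodify would apply to set a pgMemberOf attribute on each user, so that a filter such as (&(pgMemberOf=<group DN>)(uid=<uid>)) can be evaluated. The OU names, the pgMemberOf attribute name and the sample entries are assumptions taken from this thread; the attribute must exist in the server's schema before the records can be applied.

```python
"""
Added example (not the poster's psx-grp-flt script): compute pgMemberOf from
posixGroup memberUid lists and emit LDIF modify records.  All DNs, attribute
names and the sample directory below are constructed for illustration.
"""
from collections import defaultdict

PERSONS_BASE = "ou=persons,dc=domain,dc=abc,dc=de"  # assumed persons OU
MEMBER_ATTR = "pgMemberOf"                          # assumed custom attribute name

# Constructed sample: a minimal LDIF dump of two posixGroup entries.
SAMPLE_GROUPS_LDIF = """\
dn: cn=accessgroup,ou=groups,dc=domain,dc=abc,dc=de
cn: accessgroup
gidNumber: 1004
memberUid: usera
memberUid: userb
objectClass: top
objectClass: posixGroup

dn: cn=admins,ou=groups,dc=domain,dc=abc,dc=de
cn: admins
gidNumber: 1005
memberUid: usera
objectClass: top
objectClass: posixGroup
"""


def parse_ldif(text):
    """Parse simple LDIF (no base64 values, no line folding) into [(dn, {attr: [values]})]."""
    entries = []
    dn, attrs = None, defaultdict(list)
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            dn = value
        else:
            attrs[key].append(value)
    return entries


def group_memberships(group_entries):
    """Map each uid to the sorted DNs of the posixGroups whose memberUid lists it."""
    memberships = defaultdict(set)
    for dn, attrs in group_entries:
        if "posixGroup" not in attrs.get("objectClass", []):
            continue
        for uid in attrs.get("memberUid", []):
            memberships[uid].add(dn)
    return {uid: sorted(dns) for uid, dns in memberships.items()}


def is_member(memberships, uid, group_dn):
    """Same decision the filter (&(pgMemberOf=<group_dn>)(uid=<uid>)) makes on the stored data.
    DNs are compared case-insensitively, as the LDAP distinguishedNameMatch rule does."""
    wanted = group_dn.lower()
    return any(dn.lower() == wanted for dn in memberships.get(uid, []))


def build_modify_ldif(memberships, known_uids=()):
    """Emit LDIF change records: 'replace' pgMemberOf with the current group set for
    every uid that has memberships, and 'delete' it for known uids that have none,
    so a user removed from every group does not keep a stale attribute."""
    records = []
    for uid in sorted(set(memberships) | set(known_uids)):
        lines = ["dn: uid=%s,%s" % (uid, PERSONS_BASE), "changetype: modify"]
        if memberships.get(uid):
            lines.append("replace: %s" % MEMBER_ATTR)
            lines += ["%s: %s" % (MEMBER_ATTR, dn) for dn in memberships[uid]]
        else:
            lines.append("delete: %s" % MEMBER_ATTR)
        lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    groups = parse_ldif(SAMPLE_GROUPS_LDIF)
    members = group_memberships(groups)
    # "userc" is a known user with no group, so it receives a delete record.
    print(build_modify_ldif(members, known_uids=["usera", "userb", "userc"]))
```

The generated records are meant to be fed to ldapmodify with the admin bind from the answer's ldapsearch example. Because each record uses replace rather than add, re-running the script after group changes brings pgMemberOf back in line with memberUid. Note that posixGroup membership through a user's primary gidNumber is not reflected in memberUid, so it is not covered by this mapping either.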
