Hi Rich,
I am having the same problem with groups, so I am wondering if I have groups configured
correctly. Especially the configuration of the memberOf plugin.
I’m in the process of reconfiguring my instance of ldap, as it was misbehaving after I
tried out various configuration to get roles and groups to work.
From: Rich Megginson [mailto:rmeggins@redhat.com]
Sent: 03 September 2013 14:48
To: General discussion list for the 389 Directory server project.
Cc: Andy
Subject: Re: [389-users] Membership of Roles
On 09/01/2013 05:50 AM, Andy wrote:
Please find additional information on the configuration of the blog system
My configuration:
AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user account once phase
one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole
I think this is going to be problematic, and may not work at all. With groups, there is
an actual group entry, which lists all of the members. With roles, the role entry does
not list all of the members. So a query like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
will not work because there is no role entry which lists it's members in a
"member" attribute.
If you can configure it to search all of the users, you might be able to do a search like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"
Roles will automatically populate each user's entry with the nsRole attribute. This
attribute lists all of the roles to which that user belongs. nsRole is an operational
attribute, so you must explicitly request it on the command line if you want to see it
(e.g. in an ldapsearch command).
The default settings for OpenLDAP installations are:
Stage 1
Authentication URL
ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
Authentication DN
Authentication Password
Password
Test Username
Test email address
Test Password
Password for test user
Stage 2
Group Search Base Attribute
dc=xxx,dc=com
Group Filter Attribute
(objectClass=groupOfUniqueNames)
Attributes
OpenLDAP
User ID Attribute
entryUUID
Email Attribute
mail
User Fullname Attribute
cn
User Member Attribute
uid
GroupID Attribute
entryUUID
Group Name Attribute
cn
Group Fullname Attribute
cn
Group Member Attribute
memberUid
From: Andy [mailto:racingyacht1@gmail.com]
Sent: 31 August 2013 13:43
To: '389-users(a)lists.fedoraproject.org'
Subject: Membership of Roles
Hello
I am testing integration of 389-ds with a blogging system. I plan to use roles instead of
groups to automatically give users rights to service on the blog system. However, I am
having problems with the system identifying members of roles. I need help with defining
the correct search parameters to identify which roles a uid or cn is a member of.
From within the blog system I’m using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as groups within
the blog system.
From within 389 the members of roles are configured as filtered, and I
can see the configured members using the Directory Server GUI.
The blog system is not identifying members of roles when it does its search against 389.
Note, users can log into the blog system using the accounts created on 389. I don’t think
I am applying the correct search criteria to identify group membership. I need advice on
creation of the correct search criteria for membership of roles/groups.
Sample log from access
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0
dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2
filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))
<mailto:mail=testuser16@xxxx.com%29%28objectClass=*%29%29> "
attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND
dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0
dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager"
method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0
dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2
filter="(&(mail=testuser16(a)xxxx.com)(objectClass=*))
<mailto:mail=testuser16@xxxx.com%29%28objectClass=*%29%29> " attrs="uid
mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2
filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH
base="ou=customers,dc=xxxx,dc=com" scope=2
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"
attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users