Koozali.org formerly Contribs.org

LDAP search for users in a group

Offline ReetP

  • *
  • 1,387
LDAP search for users in a group
« on: June 14, 2018, 12:56:48 PM »
Can't get this to work. I am trying to get users of a specific group only.

I can get all users ok with:

"(objectClass=inetOrgPerson)"

I have tried stuff like this:

ldapsearch -x -h mail.example.com
-D "uid=auth,ou=Users,dc=example,dc=com" 
-b "dc=Users, dc=example,dc=com"
-w AuthPass
-v -ZZ
"(&(objectClass=inetOrgPerson)(memberOf=cn=it_dept,ou=Groups,dn=example,dc=com))"

And variations thereof, but I am clearly missing something here.

Can anyone point me in the right direction (I really don't get this LDAP stuff!) ?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,660
    • Firewall Services, la sécurité des réseaux
Re: LDAP search for users in a group
« Reply #1 on: June 14, 2018, 01:32:02 PM »
It's not possible with the current LDAP scheme (rfc2307). The memberOf overlay can't be enabled, and there's no equivalent. You have to do this in two queries. The first one to get the members of the group (the multi valued memberUid attr), the second query can then build a filter to display only those users
C'est la fin du monde !!! :lol:

Offline Daniel B.

  • *
  • 1,660
    • Firewall Services, la sécurité des réseaux
Re: LDAP search for users in a group
« Reply #2 on: June 14, 2018, 02:12:05 PM »
When I say not possible, I meant not possible OOB, and without relying on some non standard LDAP scheme. I needed this feature too, so I've writtent workarounds. See https://bugs.contribs.org/show_bug.cgi?id=10590

The idea is to add a new, non standard LDAP scheme in OpenLDAP which adds a new multi-valued attribute (I've called it posixMemberOf). You can see the scheme I use here: http://gitweb.firewall-services.com/?p=ipasserelle-base;a=blob_plain;f=root/etc/openldap/schema/ipasserelle.schema;hb=HEAD

Then, add a event script which maintain reverse group membership in LDAP so that each time a group is modified, the posixMemberOf attr of every user gets updated. See my script here: http://gitweb.firewall-services.com/?p=ipasserelle-base;a=blob_plain;f=root/etc/e-smith/events/actions/update-reverse-group;hb=HEAD (note: it was written a long time ago and is probably sub-optimal). This script should be linked in the events user-create user-modify group-create group-modify group-delete ldap-update bootstrap-ldap-save

Once this is done, you can limit queri result by group with something like

(&(objectClass=inetOrgPerson)(posixMemberOf=it_dept))

Doing this has a few downsides:
  • The update-reverse-group script will slow down events significantly
  • This is not standard
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 1,387
Re: LDAP search for users in a group
« Reply #3 on: June 14, 2018, 02:48:29 PM »
Thanks for all that Daniel.

It's not possible with the current LDAP scheme (rfc2307). The memberOf overlay can't be enabled, and there's no equivalent. You have to do this in two queries. The first one to get the members of the group (the multi valued memberUid attr), the second query can then build a filter to display only those users

Thanks Daniel.

Damn and blast ! Ah well, at least it isn't that I am going mad.

I can't do it in two goes - it's for gitlab and it isn't that clever, allowing only one filter for users, and I'm not keen on making a mess of the server just for this.

Oddly it seems to allow a check for membership of a group to determine if you have admin rights. It is only meant o work in the EE edition but i can see queries on the LDAP server.

You can add these settings:

group_base: ou=Groups,dc=example,dc=com
admin-group: dt-admins

I can then see a search it does which gets no responses like this:

SRCH base="ou=Groups,dc=example,dc=com" scope=2 deref=0 filter="(&(cn=owner)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
SRCH attr=objectClass cn userPassword gidNumber memberuid modifyTimestamp modifyTimestamp

If I test that filter with ldapsearch it gets no results.

Not quite sure what is going on there !



...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Daniel B.

  • *
  • 1,660
    • Firewall Services, la sécurité des réseaux
Re: LDAP search for users in a group
« Reply #4 on: June 14, 2018, 02:57:20 PM »
Your query uses gidNumber, which is not an attribute available anonymously. You'll need to bind as a valid user (any existing user) to be able to see it, and search based on it. Eg:

Code: [Select]
ldapsearch -x -D uid=dani,ou=Users,dc=fws,dc=fr -W -H ldap://localhost "(&(cn=admins)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"

(once you checked from the command line it's working, you'll need to configure Gitlab to auth before searching on LDAP. It most likely supports it)
C'est la fin du monde !!! :lol:

Offline Jean-Philippe Pialasse

  • *
  • 1,180
  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: LDAP search for users in a group
« Reply #5 on: June 14, 2018, 05:25:56 PM »
sounds like we have one more application to implement Daniel'S hack in core....

We discussed few weeks ago of this need for Nextcloud and potentially a few other software.

As writing in ldap is very slooooooooooooooooooow there might be room for optimisaiton of the event to first check for current value and modify only if it is different from what expected.

Offline Daniel B.

  • *
  • 1,660
    • Firewall Services, la sécurité des réseaux
Re: LDAP search for users in a group
« Reply #6 on: June 14, 2018, 05:32:51 PM »
As writing in ldap is very slooooooooooooooooooow there might be room for optimisaiton of the event to first check for current value and modify only if it is different from what expected.
This is already the case (see how old and new groups are concat with \0 and then the update is only done when $oldgroups ne $newgroups). But there might be some further optimizations to do
C'est la fin du monde !!! :lol:

Offline ReetP

  • *
  • 1,387
Re: LDAP search for users in a group
« Reply #7 on: June 14, 2018, 06:07:34 PM »
LDAP makes my brain hurt... :-)

I'm amazed I have basic authent with RocketChat, now Gitlab and a few other bits (and LDAP lookup in vtiger/corebos, but not authent)

I'm not sure Gitlab CE is even meant to do group stuff - it does say in EE only, but you can see it making the calls to the server.

Just got to sort it out in MediaWiki now !
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation