On Tue, 12 Mar 2019, Boudjoudad Abdelkader via FreeIPA-users wrote:
>Hi,
>I'm trying to check if a user is in a given group in LDAP, but it doesn't
>work. Here is the configuration:
>- vi /etc/raddb/mods-enabled/ldap
How do you connect to the LDAP server? You need to use authenticated
bind to see member attributes.
>ldap {
>...
>base_dn = 'cn=users,cn=accounts,dc=server,dc=example,dc=com'
>...
>}
>group {
>base_dn = "${..base_dn}"
>filter = '(objectClass=posixGroup)'
>scope = 'sub'
>name_attribute = cn
>membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>membership_attribute = memberOf
>cacheable_name = 'yes'
>cacheable_dn = 'yes'
># cache_attribute = 'LDAP-Cached-Membership'
>}
>
>The result:
>rlm_ldap (ldap): Reserved connection (2)
>(0) Using user DN from request "uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com"
>(0) Checking for user in group objects
>(0) EXPAND (&(cn=ipausers)(objectClass=posixGroup)(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}})))
>(0) --> (&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3com)(memberUid=ttest2)))
>(0) Performing search in "cn=users,cn=accounts,dc=server,dc=example,dc=com" with filter "(&(cn=ipausers)(objectClass=posixGroup)(|(member=uid\3dttest2\2ccn\3dusers\2ccn\3daccounts\2cdc\3dserver\2cdc\3dexample\2cdc\3dcom)(memberUid=ttest2)))", scope "sub"
>(0) Waiting for search result...
>(0) Search returned no results
>(0) Checking user object's memberOf attributes
>(0) Performing unfiltered search in
>"uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com", scope "base"
>(0) Waiting for search result...
>(0) No group membership attribute(s) found in user object
>
>What am I missing?
>Thanks,
>_______________________________________________
>FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
>Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
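An added example of the rlm_ldap configuration the reply points at, written for this thread and not taken from the original post or from the FreeRADIUS or FreeIPA projects: the quoted module has no `identity`/`password`, so FreeRADIUS binds anonymously, and FreeIPA only grants read access to `memberOf` on users and `member` on groups to authenticated clients. The system account DN and password are placeholders; the `group` base DN is moved to `cn=groups,cn=accounts`, where FreeIPA stores groups, rather than the users container the quoted `${..base_dn}` resolved to.

```conf
# /etc/raddb/mods-available/ldap (assumed path; adjust for your layout)
ldap {
    server = 'ipa.example.com'

    # Anonymous bind (no identity/password) is what the quoted config falls
    # back to; FreeIPA hides memberOf/member from anonymous clients, so the
    # group search and the user's memberOf lookup both come back empty.
    # Bind with a dedicated, least-privilege FreeIPA system account instead
    # (placeholder DN and password; create the account under cn=sysaccounts).
    identity = 'uid=radius,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com'
    password = 'CHANGE-ME'

    base_dn = 'dc=server,dc=example,dc=com'

    user {
        base_dn = "cn=users,cn=accounts,${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        # FreeIPA groups live under cn=groups,cn=accounts, not under the
        # users container; searching for (cn=ipausers) under cn=users matches
        # nothing regardless of how the bind is done.
        base_dn = "cn=groups,cn=accounts,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        scope = 'sub'
        name_attribute = cn
        membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
        membership_attribute = memberOf
        cacheable_name = 'yes'
        cacheable_dn = 'yes'
    }
}
```

To confirm the bind account can actually see membership before touching FreeRADIUS, run `ldapsearch -x -H ldap://ipa.example.com -D 'uid=radius,cn=sysaccounts,cn=etc,dc=server,dc=example,dc=com' -W -b 'uid=ttest2,cn=users,cn=accounts,dc=server,dc=example,dc=com' memberOf` and compare with the same query using `-x` alone (anonymous), which should return the entry without any `memberOf` values.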