[389-users] Membership of Roles

Andy racingyacht1 at gmail.com
Sun Sep 1 11:50:22 UTC 2013


Please find additional information on the configuration of the blog system.

My configuration:

AuthenticationModule LDAP
LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
LDAPAuthBindDN cn=Directory Manager (will replace with application user account once phase one integration is completed)
LDAPAuthPassword xxxxxx
LDAPAuthSASLMechanism PLAIN (note SSL not yet configured)
ExternalUserManagement 1
ExternalGroupManagement 1
ExternalUserSyncFrequency 60
LDAPGroupNameAttribute cn
LDAPGroupIdAttribute nsUniqueId
LDAPGroupFullNameAttribute cn
LDAPGroupMemberAttribute memberof
LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
LDAPGroupFilter (objectclass=ldapSubEntry)
LDAPUserIdAttribute uid
LDAPUserEmailAttribute mail
LDAPUserFullNameAttribute cn
LDAPUserGroupMemberAttribute nsrole

The default settings for OpenLDAP installations are:

Stage 1

  Authentication URL: ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
  Authentication DN:
  Authentication Password: Password
  Test Username: Test email address
  Test Password: Password for test user

Stage 2

  Group Search Base Attribute: dc=xxx,dc=com
  Group Filter Attribute: (objectClass=groupOfUniqueNames)

Attributes (OpenLDAP)

  User ID Attribute: entryUUID
  Email Attribute: mail
  User Fullname Attribute: cn
  User Member Attribute: uid
  GroupID Attribute: entryUUID
  Group Name Attribute: cn
  Group Fullname Attribute: cn
  Group Member Attribute: memberUid


From: Andy [mailto:racingyacht1 at gmail.com] 
Sent: 31 August 2013 13:43
To: '389-users at lists.fedoraproject.org'
Subject: Membership of Roles


Hello

I am testing integration of 389-ds with a blogging system. I plan to use
roles instead of groups to automatically give users rights to service on the
blog system. However, I am having problems with the system identifying
members of roles. I need help with defining the correct search parameters to
identify which roles a uid or cn is a member of.


From within the blog system I'm using LDAPGroupFilter
(objectclass=ldapSubEntry) to list the roles. The roles list correctly as
groups within the blog system.

From within 389 the members of roles are configured as filtered, and I can
see the configured members using the Directory Server GUI.


The blog system is not identifying members of roles when it does its search
against 389. Note, users can log into the blog system using the accounts
created on 389. I don't think I am applying the correct search criteria to
identify group membership. I need advice on creation of the correct search
criteria for membership of roles/groups. 


Sample from the access log:

[31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))" attrs="distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory Manager" method=128 version=3
[31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*))" attrs="uid mail cn mail distinguishedName"
[31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
[31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
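A small Python helper, added here as an illustration (it is not part of the post or of 389-ds), that pairs each SRCH with its RESULT in the access-log format shown above by conn/op and flags membership lookups that matched no entries; the sample lines are copied from the log in the post, and the membership attribute names it looks for (member, uniqueMember, memberUid) are an assumption.

```python
import re

# Constructed sample: two search/result pairs copied from the access log above.
SAMPLE_LOG = """\
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" scope=2 filter="(|(uid=1000016))" attrs="nsRole"
[31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" attrs="cn cn member nsUniqueId"
[31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 nentries=0 etime=0
"""

# 389-ds access-log SRCH and RESULT records; tag=101 is SearchResultDone.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                     r'filter="([^"]*)" attrs="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')

# Attribute names that a group-membership lookup would typically filter on (assumed list).
MEMBER_ATTR_RE = re.compile(r'\((member|uniqueMember|memberUid)=', re.IGNORECASE)


def correlate_searches(log_text):
    """Pair every SRCH with its RESULT (same conn and op); return them in log order."""
    searches = {}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt, attrs = m.groups()
            searches[(int(conn), int(op))] = {
                "conn": int(conn), "op": int(op), "base": base, "scope": int(scope),
                "filter": flt, "attrs": attrs.split(), "err": None, "nentries": None,
            }
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, tag, nentries = m.groups()
            key = (int(conn), int(op))
            if key in searches and tag == "101":
                searches[key]["err"] = int(err)
                searches[key]["nentries"] = int(nentries)
    return [searches[k] for k in sorted(searches)]


def empty_membership_searches(log_text):
    """Searches whose filter names a member-style attribute but which returned no entries."""
    return [s for s in correlate_searches(log_text)
            if s["nentries"] == 0 and MEMBER_ATTR_RE.search(s["filter"])]


if __name__ == "__main__":
    for s in empty_membership_searches(SAMPLE_LOG):
        print(f'conn={s["conn"]} op={s["op"]} returned 0 entries for filter {s["filter"]}')
```

On the sample, the nsRole lookup (op=5) is reported as returning one entry while the member= search against ldapSubEntry (op=6) is flagged as empty, which is the pair of results to compare when checking how an application resolves role membership.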
