[389-users] Membership of Roles

Rich Megginson rmeggins at redhat.com
Tue Sep 3 13:48:09 UTC 2013 

On 09/01/2013 05:50 AM, Andy wrote:
>
> Please find additional information on the configuration of the blog system
>
> My configuration:
>
> AuthenticationModule LDAP
>
> LDAPAuthURL ldap://xxxxx:389/dc=sf4u,dc=com?mail
>
> LDAPAuthBindDN cn=Directory Manager (will replace with application 
> user account once phase one integration is completed)
>
> LDAPAuthPassword xxxxxx
>
> LDAPAuthSASLMechanism PLAIN  (note SSL not yet configured)
>
> ExternalUserManagement 1
>
> ExternalGroupManagement 1
>
> ExternalUserSyncFrequency 60
>
> LDAPGroupNameAttribute cn
>
> LDAPGroupIdAttribute nsUniqueId
>
> LDAPGroupFullNameAttribute cn
>
> LDAPGroupMemberAttribute memberof
>
> LDAPGroupSearchBase ou=customers,dc=xxx,dc=com
>
> LDAPGroupFilter (objectclass=ldapSubEntry)
>
> LDAPUserIdAttribute uid
>
> LDAPUserEmailAttribute mail
>
> LDAPUserFullNameAttribute cn
>
> LDAPUserGroupMemberAttribute nsrole
>

I think this is going to be problematic, and may not work at all. With 
groups, there is an actual group entry, which lists all of the members.  
With roles, the role entry does not list all of the members.  So a query 
like
SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 
filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))"

will not work because there is no role entry which lists it's members in 
a "member" attribute.

If you can configure it to search all of the users, you might be able to 
do a search like

SRCH base="ou=customers,dc=xxxx,dc=com" scope=2 
filter="(nsRole=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com)"

Roles will automatically populate each user's entry with the nsRole 
attribute.  This attribute lists all of the roles to which that user 
belongs.  nsRole is an operational attribute, so you must explicitly 
request it on the command line if you want to see it (e.g. in an 
ldapsearch command).

> The default settings for OpenLDAP installations are:
>
> *Stage 1*
>
> 	
>
> **
>
> *Authentication URL*
>
> 	
>
> ldap://<FQDN of LDAP server>:389/dc=xxxx,dc=com?mail
>
> *Authentication DN*
>
> 	
>
> *Authentication Password*
>
> 	
>
> Password
>
> *Test Username*
>
> 	
>
> Test email address
>
> *Test Password*
>
> 	
>
> Password for test user
>
> *Stage 2*
>
> 	
>
> **
>
> Group Search Base Attribute
>
> 	
>
> dc=xxx,dc=com
>
> Group Filter Attribute
>
> 	
>
> (objectClass=groupOfUniqueNames)
>
> *Attributes*
>
> 	
>
> *OpenLDAP*
>
> User ID Attribute
>
> 	
>
> entryUUID
>
> Email Attribute
>
> 	
>
> mail
>
> User Fullname Attribute
>
> 	
>
> cn
>
> User Member Attribute
>
> 	
>
> uid
>
> GroupID Attribute
>
> 	
>
> entryUUID
>
> Group Name Attribute
>
> 	
>
> cn
>
> Group Fullname Attribute
>
> 	
>
> cn
>
> Group Member Attribute
>
> 	
>
> memberUid
>
> *From:*Andy [mailto:racingyacht1 at gmail.com]
> *Sent:* 31 August 2013 13:43
> *To:* '389-users at lists.fedoraproject.org'
> *Subject:* Membership of Roles
>
> Hello
>
> I am testing integration of 389-ds with a blogging system. I plan to 
> use roles instead of groups to automatically give users rights to 
> service on the blog system. However, I am having problems with the 
> system identifying members of roles. I need help with defining the 
> correct search parameters to identify which roles a uid or cn is a 
> member of.
>
> From within the blog system I’m using LDAPGroupFilter 
> (objectclass=ldapSubEntry) to list the roles. The roles list correctly 
> as groups within the blog system.
>
> From within 389 the members of roles are configured as filtered, and I 
> can see the configured members using the Directory Server GUI.
>
> The blog system is not identifying members of roles when it does its 
> search against 389. Note, users can log into the blog system using the 
> accounts created on 389. I don’t think I am applying the correct 
> search criteria to identify group membership. I need advice on 
> creation of the correct search criteria for membership of roles/groups.
>
> Sample log from access
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=0 BIND dn="cn=Directory 
> Manager" method=128 version=3
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=0 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="cn=directory manager"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=1 SRCH base="dc=xxxx,dc=com" 
> scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*)) 
> <mailto:mail=testuser16 at xxxx.com%29%28objectClass=*%29%29>" 
> attrs="distinguishedName"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=1 RESULT err=0 tag=101 
> nentries=1 etime=0
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=2 BIND 
> dn="uid=1000016,ou=Customers,dc=xxxx,dc=com" method=128 version=3
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=2 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="uid=1000016,ou=customers,dc=xxxx,dc=com"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=3 BIND dn="cn=Directory 
> Manager" method=128 version=3
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=3 RESULT err=0 tag=97 
> nentries=0 etime=0 dn="cn=directory manager"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=4 SRCH base="dc=xxxx,dc=com" 
> scope=2 filter="(&(mail=testuser16 at xxxx.com)(objectClass=*)) 
> <mailto:mail=testuser16 at xxxx.com%29%28objectClass=*%29%29>" attrs="uid 
> mail cn mail distinguishedName"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=4 RESULT err=0 tag=101 
> nentries=1 etime=0
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=5 SRCH base="dc=xxxx,dc=com" 
> scope=2 filter="(|(uid=1000016))" attrs="nsRole"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=5 RESULT err=0 tag=101 
> nentries=1 etime=0
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=6 SRCH 
> base="ou=customers,dc=xxxx,dc=com" scope=2 
> filter="(&(|(member=cn=xxxxrolecommentertest,ou=customers,dc=xxxx,dc=com))(objectClass=ldapSubEntry))" 
> attrs="cn cn member nsUniqueId"
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=6 RESULT err=0 tag=101 
> nentries=0 etime=0
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=7 UNBIND
>
> [31/Aug/2013:11:09:39 +0100] conn=265 op=7 fd=68 closed - U1
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20130903/65068547/attachment.html>

More information about the 389-users mailing list