Openldap and user filter

Hello,

I’m having some problems configuring the Openfire user filter to choose which users are allowed to log in.

I’ve already searched for a solution in other posts, but during the web setup process I always get an error when testing the connection for the allowed users (maybe because they all refer to AD and not OpenLDAP).

I have OpenLDAP; here is my structure:

BASE DN: dc=mycompany,dc=it

All company users are stored in: OU=USERS,dc=mycompany,dc=it

Users allowed to connect to the server are in: CN=jabber,OU=APP,dc=mycompany,dc=it

cn=jabber is a groupOfNames, in whose member field I can see all the uids allowed for the application.

I can’t find the right syntax to tell the server to search in the groupOfNames field.

Any help?

Thanks a lot

Use a user filter like this:

(&(objectClass=organizationalPerson)(memberOf=cn=jabber,ou=APP,dc=mycompany,dc=it))

Thanks for the quick reply; unfortunately it seems this filter doesn’t work.

During the web setup, if I put it in the filter field and test it, it returns an error saying that no user is found.

My version of OpenLDAP is 2.2.26, pretty old; maybe this version does not support this kind of filter?

Thanks

You will need to update OpenLDAP to use a filter with memberOf (which is the only way to do what you want without some really kludgy cron jobs).

Use the “memberof” overlay; the config below should work after that.

slapd.conf:

moduleload memberof.la

overlay memberof
memberof-group-oc groupOfNames
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-refint true
memberof-dangling error

The other option is to filter based on something else that is in each of the user objects (like department or something similar).

It’s a huge kludge (and if this is your corporate directory this is even worse) but that would work.

Thank you for the reply…

I installed a newer version of LDAP and changed slapd.conf according to the settings mentioned, but I still can’t get it to work.

I found this line in my LDAP logs: bdb_index_read: failed (-30990)

The “memberof” index is set in slapd.conf and the DB regenerated.

I searched through the web but I can’t find a solution.

Any clue?

I don’t have an index for memberof, I’m not sure if you can index an operational attribute, but I could be wrong.

Try removing the memberof index. If you’re happy enough to do it, slapcat/export all the LDAP entries and reimport them (users first, then groups), and then try doing a search from the command line for ‘(memberOf=*)’ and see if any are returned; also try returning a single entity that should have a memberOf attribute and see if it exists (you will need to specify memberOf on the command line as it doesn’t get returned by default).

Something that might help you is the Apache Directory Studio project, which has an Eclipse plugin that provides an awesome LDAP interface; I use it a lot and much prefer it to jXplorer or LDAPBrowser. (Right-clicking on a user’s entry and selecting “Fetch Operational Attributes” will show you if any memberOf fields are listed against a user.)

Check out http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance as well. Note that memberof is only updated when the groups are modified, and that it is an operational attribute, so when searching or returning entries it is only shown if specifically requested (but it can be searched against the same as any other attribute; it just isn’t returned as part of the entry).

Message was edited by: Kosh. Added link to OpenLDAP Overlays Guide.
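To make the overlay config and the verification steps above concrete, here is an added example (not from this thread, nor OpenLDAP or Openfire code) that models in plain Python what the memberof overlay maintains for a constructed directory shaped like the one in the question, applies the user filter from the first reply, and shows why memberOf only shows up when explicitly requested. The user DNs, attribute values and the function names are constructed for the example; only the base DN, ou=USERS and cn=jabber,ou=APP come from the thread.

```python
# Constructed sample directory: two company users under ou=USERS and the
# groupOfNames entry whose "member" values list who may use Openfire.
USERS_OU = "ou=USERS,dc=mycompany,dc=it"
JABBER_GROUP = "cn=jabber,ou=APP,dc=mycompany,dc=it"
DIRECTORY = {
    f"uid=alice,{USERS_OU}": {"objectClass": ["inetOrgPerson", "organizationalPerson"]},
    f"uid=bob,{USERS_OU}": {"objectClass": ["inetOrgPerson", "organizationalPerson"]},
    JABBER_GROUP: {"objectClass": ["groupOfNames"],
                   "member": [f"uid=alice,{USERS_OU}"]},
}

def norm(dn):
    """Normalise a DN for comparison: DN matching is case-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def compute_memberof(directory):
    """Reverse group membership as the memberof overlay maintains it with
    memberof-group-oc groupOfNames / memberof-member-ad member.
    Returns {normalised member DN: [group DN, ...]}."""
    memberof = {}
    for dn, attrs in directory.items():
        if "groupOfNames" in attrs.get("objectClass", []):
            for member in attrs.get("member", []):
                memberof.setdefault(norm(member), []).append(dn)
    return memberof

def dangling_members(directory):
    """member values pointing at no entry; with memberof-dangling error
    slapd rejects such writes, so fix these before reimporting groups."""
    known = {norm(dn) for dn in directory}
    return sorted(m for attrs in directory.values()
                  for m in attrs.get("member", []) if norm(m) not in known)

def read_entry(directory, dn, requested=None):
    """Entry as a search returns it: memberOf is operational, so it is only
    included when named in the requested attribute list (or via '+')."""
    attrs = dict(directory[dn])
    if requested and ("memberOf" in requested or "+" in requested):
        attrs["memberOf"] = compute_memberof(directory).get(norm(dn), [])
    return attrs

def allowed_users(directory, group_dn=JABBER_GROUP):
    """Evaluate the thread's Openfire user filter
    (&(objectClass=organizationalPerson)(memberOf=<group_dn>))."""
    memberof = compute_memberof(directory)
    return sorted(dn for dn, attrs in directory.items()
                  if "organizationalPerson" in attrs.get("objectClass", [])
                  and norm(group_dn) in map(norm, memberof.get(norm(dn), [])))
```

With this model, a user is only selected once the group entry listing them has been written, which is why the reply recommends importing users before groups.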