LDAP group filter

Added by Alexander Geeraerts about 8 years ago

Hello,

I tried to search but only found results regarding the synchronisation of LDAP groups to redmine.

This is not what I want to do, I simply want to limit the users who are allowed to login to members of a certain group in LDAP.
I have tried many different filter settings but none of them seem to work.

Hope I can get some help here! :)

An example filter (which does NOT work):
(&(objectClass=posixAccount)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))

Replies (3)

RE: LDAP group filter - Added by Alexander Geeraerts about 8 years ago

It seems that you first have to enable the "memberof" overlay in OpenLDAP for this to work.

After enabling this overlay the following filter works perfectly:
(&(objectClass=inetOrgPerson)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))

RE: LDAP group filter - Added by john val almost 8 years ago

In Redmine 2.1.2 I added the following entry in the "LDAP filter" field:

(&(objectClass=inetOrgPerson)(memberOf=cn=employees,ou=group,dc=ldap,dc=ihk,dc=com))

But when I go to save it, there is an error message saying "Invalid LDAP filter".

Please advise.

RE: LDAP group filter - Added by Perico Os Palotes about 7 years ago

Ok, below are the exact instructions to get it done:

1. (OpenLDAP server) Enable memberof overlay

1.1. Create a file:

vim ~/memberof_add.ldif

With the content below:

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

1.2. Create a file:

vim ~/memberof_config.ldif

With the content below:

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

1.3. Load them. It will depend on your OpenLDAP configuration, so we will propose some possibilities:

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

Or:

ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_config.ldif

A restart is NOT needed if you use dynamic runtime configuration engine (slapd-config).

1.4. (Optional) Test it:

ldapsearch -D cn=admin,dc=example,dc=com -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' '(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))'

2. (OpenLDAP server) Create the group. In this example the user is "ldap_user_1" and the group is "ldapredmine":

dn: cn=ldapredmine,ou=groups,dc=example,dc=com
cn: ldapredmine
description: Staff members allowed to login to redmine ticketing system
member: cn=ldap_user_1,ou=people,dc=example,dc=com
objectclass: groupOfNames
objectclass: top

Adjust the "dn" and "cn"s to fit your DIT structure.

3. (Redmine) Edit the LDAP authentication mode. In my case "ldap_user_1" has the "posixAccount" objectclass:

Base DN: dc=example,dc=com
Filter: (&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))

I expect that this can be helpful. Feel free to copy/paste this post and use it in the module documentation.

Javier

Credits:

http://www.cbjck.de/2012/05/enabling-the-memberof-overlay-for-openldap/
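As an added example that is not part of the thread (my own code, not Redmine's or OpenLDAP's): a small Python evaluator for the filter syntax used above, run against two constructed user entries with hypothetical uids. It shows that the posixAccount/memberOf filter admits nobody while the memberOf attribute is absent, and only the group member once the overlay populates it.

```python
# Added example (not from the thread): minimal RFC 4515 filter evaluator (AND/OR and equality
# items) run offline on constructed entries; parse() raising ValueError stands in for Redmine's
# "Invalid LDAP filter" message.

def _parse(s, i):
    """Parse one parenthesised item at s[i]; return (node, index after its ')')."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, parts = s[i], i + 1, []
        while s[i] == "(":
            sub, i = _parse(s, i)
            parts.append(sub)
        node = (op, parts)
    else:  # simple item attr=value; split on the first '=' so a DN value keeps its own
        end = s.index(")", i)
        attr, eq, value = s[i:end].partition("=")
        if not (attr and eq and value):
            raise ValueError("bad item %r" % s[i:end])
        node, i = ("=", attr.strip().lower(), value.strip()), end
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return node, i + 1

def parse(s):
    try:
        node, i = _parse(s, 0)
    except IndexError:
        raise ValueError("unexpected end of filter")
    if i != len(s):
        raise ValueError("trailing data %r" % s[i:])
    return node

def matches(node, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}; values compare case-insensitively."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))

FILTER = "(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))"

def allowed_logins(filter_str, overlay_enabled):
    """Return uids of the two constructed (hypothetical) users that the filter lets authenticate."""
    member = {"objectclass": ["posixAccount"], "uid": ["ldap_user_1"]}
    outsider = {"objectclass": ["posixAccount"], "uid": ["ldap_user_2"]}
    if overlay_enabled:  # the memberof overlay derives memberOf from the group's member values
        member["memberof"] = ["cn=ldapredmine,ou=groups,dc=example,dc=com"]
    node = parse(filter_str)
    return sorted(e["uid"][0] for e in (member, outsider) if matches(node, e))
```

With the overlay disabled the filter returns no user at all, which is the symptom in the opening post; with it enabled only ldap_user_1 passes.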
