LDAP group filter

Added by Alexander Geeraerts over 11 years ago

Hello,

I tried to search but only found results regarding the synchronisation of LDAP groups to redmine.

This is not what I want to do, I simply want to limit the users who are allowed to login to members of a certain group in LDAP.
I have tried many different filter settings but none of them seem to work.

Hope I can get some help here! :)

An example filter (which does NOT work):
(&(objectClass=posixAccount)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))


Replies (4)

RE: LDAP group filter - Added by Alexander Geeraerts over 11 years ago

It seems that you first have to enable the "memberof" overlay in openldap for this to work.

After enabling this overlay the following filter works perfectly:
(&(objectClass=inetOrgPerson)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))

RE: LDAP group filter - Added by john val about 11 years ago

In Redmine 2.1.2 I added the following entry in the "LDAP filter" field:

(&(objectClass=inetOrgPerson)(memberOf=cn=employees,ou=group,dc=ldap,dc=ihk,dc=com))

But when I go to save it, there is an error message saying "Invalid LDAP filter".

Please advise.

RE: LDAP group filter - Added by Perico Os Palotes over 10 years ago

OK, below are the exact instructions to get it done:

1. (OpenLDAP server) Enable memberof overlay

1.1. Create a file:

vim ~/memberof_add.ldif

With the content below:

# Load the memberof module into the running slapd (cn=config).
# /usr/lib/ldap is the Debian/Ubuntu module directory; adjust it for your distro.
# If a cn=module{0},cn=config entry already exists, add an olcModuleLoad: memberof
# attribute to that entry with ldapmodify instead of adding a new one.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

1.2. Create a file:

vim ~/memberof_config.ldif

With the content below:

# Attach the overlay to the first backend database. The "{1}hdb" part must match
# your actual database entry (newer installs use {1}mdb; check with
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase).
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
# groupOfNames/member is what the group entry in step 2 uses. The overlay only
# maintains memberOf for group entries added or modified after it is enabled;
# groups that already exist must be re-added or touched to get memberOf populated.
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

1.3. Load them. How depends on your OpenLDAP configuration, so here are some possibilities:

sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

Or:

ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_config.ldif

A restart is NOT needed if you use dynamic runtime configuration engine (slapd-config).

1.4. (Optional) Test it:

ldapsearch -D cn=admin,dc=example,dc=com -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' '(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))'

2. (OpenLDAP server) Create the group. In this example the user is "ldap_user_1" and the group is "ldapredmine":

# groupOfNames requires at least one member, so add the first user here.
dn: cn=ldapredmine,ou=groups,dc=example,dc=com
cn: ldapredmine
description: Staff members allowed to login to redmine ticketing system
member: cn=ldap_user_1,ou=people,dc=example,dc=com
objectclass: groupOfNames
objectclass: top

Adjust the "dn" and "cn" values to fit your DIT structure.

3. (Redmine) Edit the LDAP authentication mode. In my case "ldap_user_1" has the "posixAccount" objectClass:

Base DN: dc=example,dc=com
Filter: (&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))

I hope this is helpful. Feel free to copy/paste this post and use it in the module documentation.

Javier

Credits:

http://www.cbjck.de/2012/05/enabling-the-memberof-overlay-for-openldap/
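The following is an added example and not code from Redmine or from any of the posters above. It builds the group-restricted filter used in this thread, escapes assertion values per RFC 4515 (so a login name or a group DN containing `(`, `)`, `*` or `\` cannot change the filter's structure), and includes a small syntax checker you can run on a filter before pasting it into Redmine's "LDAP filter" field, since a filter without outer parentheses or with unbalanced ones will never be accepted. The `login_filter` function is an assumption about how an application AND-s the login lookup with the admin-supplied custom filter; it is written to illustrate why escaping matters, not to reproduce Redmine's exact code. All function names are mine.

```python
import re
from typing import Optional

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute description (e.g. memberOf, objectClass, cn;lang-en, 2.5.4.3).
_ATTR_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.;-]*")
# Assertion value: anything except raw '(' ')' '\', plus \XX hex escapes; '*' is allowed.
_VALUE_RE = re.compile(r"(?:[^()\\]|\\[0-9A-Fa-f]{2})*")


class FilterError(ValueError):
    """Raised when a filter string is not valid RFC 4515 syntax."""


def escape(value: str) -> str:
    """Escape a string for use as an assertion value inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_filter(user_oc: str, group_dn: str) -> str:
    """The pattern from this thread: entries of one objectClass that are members of one group."""
    return f"(&(objectClass={escape(user_oc)})(memberOf={escape(group_dn)}))"


def login_filter(login_attr: str, login: str, custom: Optional[str], safe: bool = True) -> str:
    """AND the login lookup with the admin's custom filter (assumed application behaviour).

    safe=False interpolates the login unescaped, to show the injection that escaping prevents.
    """
    value = escape(login) if safe else login
    base = f"({login_attr}={value})"
    return f"(&{base}{custom})" if custom else base


def parse(text: str) -> str:
    """Validate a filter string; returns it unchanged or raises FilterError."""
    end = _parse(text, 0)
    if end != len(text):
        raise FilterError(f"unexpected characters after filter at offset {end}")
    return text


def _parse(s: str, i: int) -> int:
    """Parse one parenthesised filter starting at s[i]; return the index just after its ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    if s[i] in "&|":
        # and/or: one or more nested filters (the RFC 4526 empty '(&)' form is rejected here)
        op, i, count = s[i], i + 1, 0
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
            count += 1
        if count == 0:
            raise FilterError(f"'{op}' needs at least one operand")
    elif s[i] == "!":
        i = _parse(s, i + 1)
    else:
        # simple item: attr ( "=" | "~=" | ">=" | "<=" ) value
        m = _ATTR_RE.match(s, i)
        if not m:
            raise FilterError(f"expected attribute name at offset {i}")
        i = m.end()
        for op in ("~=", ">=", "<=", "="):
            if s.startswith(op, i):
                i += len(op)
                break
        else:
            raise FilterError(f"expected comparison operator at offset {i}")
        i = _VALUE_RE.match(s, i).end()  # value regex always matches, possibly empty
    if i >= len(s) or s[i] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return i + 1


if __name__ == "__main__":
    gf = group_filter("posixAccount", "cn=ldapredmine,ou=groups,dc=example,dc=com")
    print("valid:", parse(gf))
    for bad in ("objectClass=user", "(&(objectClass=posixAccount)(memberOf=cn=x)"):
        try:
            parse(bad)
        except FilterError as exc:
            print(f"rejected {bad!r}: {exc}")
    # Constructed hostile login: unescaped it becomes a second '(uid=*)' term that matches everyone.
    print("escaped:  ", login_filter("uid", "*)(uid=*", gf))
    print("unescaped:", login_filter("uid", "*)(uid=*", gf, safe=False))
```

Run it as a script to see the filters printed; feed your own filter to `parse()` to get an offset-level error instead of Redmine's generic "Invalid LDAP filter" message. Note that a filter passing this check can still match nothing, e.g. when the memberof overlay was enabled after the group was created and memberOf was never populated.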

RE: LDAP group filter - Added by Sunding Wei about 3 years ago

I figured out the LDAP filter; it works for me:

(objectClass=user)
