How does LDAP handle supplementary/secondary user groups?


Solution 1

LDAP is just a directory of information. How that information gets stored and retrieved is up to the application. In this case, posix users and groups are modeled after the /etc/passwd and /etc/group files. Each user entry lists the gid for its primary group. Each group lists all of its members (usually less the ones listing it as their primary group).

Samba and the various nss plugins to store user and group info in LDAP all do a search to find the groups a user is a member of at log in. The memberUid attribute should be indexed to make group membership searches fast. For a given user account, the search filter is something like:

(&(objectclass=posixGroup)(memberUid=$user))

If you wanted to see the users in a particular group, you could search with:

(&(objectclass=posixGroup)(cn=$group))

This assumes that all of your groups are of the posixGroup objectClass.
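As an added example (not code from the answer or from smbldap-tools), the following Python builds the two filters above with RFC 4515 escaping of the interpolated value, so a crafted user or group name cannot rewrite the filter, and then resolves primary plus supplementary membership from constructed sample entries the way NSS combines the two lookups; the entries, names and gids are assumptions.

```python
# RFC 4515 escaping for values interpolated into a filter: without it a
# user name such as "*)(uid=admin" would change the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def groups_of_user_filter(user: str) -> str:
    """The answer's filter: every posixGroup whose memberUid lists the user."""
    return f"(&(objectclass=posixGroup)(memberUid={escape_filter_value(user)}))"

def members_of_group_filter(group: str) -> str:
    """The answer's second filter: the posixGroup entry with a given cn."""
    return f"(&(objectclass=posixGroup)(cn={escape_filter_value(group)}))"

# Constructed sample entries standing in for what the searches would return.
DIRECTORY = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "gidNumber": ["1000"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"], "gidNumber": ["1000"]},
    {"objectClass": ["posixGroup"], "cn": ["users"], "gidNumber": ["1000"]},
    {"objectClass": ["posixGroup"], "cn": ["www"], "gidNumber": ["1001"],
     "memberUid": ["alice", "bob"]},
    {"objectClass": ["posixGroup"], "cn": ["backup"], "gidNumber": ["1002"],
     "memberUid": ["alice"]},
]

def _groups(entries):
    return [e for e in entries if "posixGroup" in e.get("objectClass", [])]

def all_groups_of_user(user: str, entries=DIRECTORY) -> list:
    """Primary group from the user's gidNumber, supplementary from memberUid."""
    users = [e for e in entries if user in e.get("uid", [])]
    if not users:
        return []
    gid = users[0]["gidNumber"][0]
    names = {g["cn"][0] for g in _groups(entries) if g["gidNumber"][0] == gid}
    names |= {g["cn"][0] for g in _groups(entries) if user in g.get("memberUid", [])}
    return sorted(names)

def members_of_group(group: str, entries=DIRECTORY) -> list:
    """memberUid values plus users whose primary gid is the group's gid."""
    found = [g for g in _groups(entries) if group in g.get("cn", [])]
    if not found:
        return []
    gid = found[0]["gidNumber"][0]
    members = set(found[0].get("memberUid", []))
    members |= {e["uid"][0] for e in entries
                if "posixAccount" in e.get("objectClass", []) and e["gidNumber"][0] == gid}
    return sorted(members)
```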

Solution 2

I'm not a big OpenLDAP user, but if this were an Active Directory environment I'd use the "memberOf" attribute present in each user account object. In the OpenLDAP world, it looks like the memberOf overlay will do what you're looking for. I suspect this question will tell you what you need to know to get this going.


Author: Mr. Shickadance

Updated on September 18, 2022

Comments

  • Mr. Shickadance
    Mr. Shickadance over 1 year

    I've seen similar questions related to configuring Apache to authenticate via LDAP, but this basic question still has me confused.

    In my setup, I created users who all have the same primary GID, then I added users to various (supplementary/secondary) groups. I have tested these user accounts, and in most situations everything works fine - my permissions based on supplementary group membership are working. I used the smbldap-tools package to configure my users and groups, and specifically I used smbldap-usermod -G +NEW_GROUP user to add users to the supplementary groups.

    If I do getent group I see those supplementary groups and their members. Good.

    If I look at the LDAP entry for one of the supplementary groups, I see all the users listed just as expected.

    However, when I look at each user's LDAP entry, only a gidNumber corresponding to the primary group is listed. That is, the LDAP entries for each user only list the primary group, and have no mention of secondary groups.

    How does Samba/LDAP (using smbldap-tools) handle supplementary/secondary groups?

    Further, how could I form a search filter to identify members of a supplementary group?

  • daff
    daff over 12 years
    The OP is apparently using POSIX groups (such groups have a gidNumber and are of objectClass posixGroup), which can not be used with the memberOf overlay.
  • daff
    daff over 12 years
    The problem with posixGroup is, unfortunately, that it is not possible to get, with a single filter/query, every group of which a user is part. You can ask for the user's primary group (which is stored in the user object itself) and you can ask a group for all its users, but everything else needs to be done at a higher (or lower?) level, e.g. the scripting language used (Bash, Python, Perl, ...). Ideally there would be a memberOf overlay that supports posixGroup and memberUid, but there doesn't seem to be one.
  • Ricardo Gomes
    Ricardo Gomes over 12 years
    That wasn't the original question. However, if you are writing a program, what is the harm in making two queries?
  • Ricardo Gomes
    Ricardo Gomes over 12 years
    See serverfault.com/questions/224750/… for instructions on setting up groups so memberof works.
  • Pyperdown
    Pyperdown about 11 years
    So, what does one do? Ditch posixGroup? What does one use in its place?