XCP-ng

    LDAP Authentication with OpenLDAP backend?

    • yag

      Hello!

      Has anyone had success with the ldap-auth plugin and OpenLDAP as the LDAP provider? User authentication works fine, but my problem arises during group synchronization.

      Per my understanding, you need to synchronize groups to be able to make all LDAP users administrators. I seem to have a mismatch between user and group sync. As previously stated, I can log in with my LDAP user, but the group membership is only partially recognized.

      Under "Settings > Groups" I can see my group "lab-users" and it says 1 member, but under "Settings > Users" my user appears, yet it states that the user is a member of 0 groups.

      I have set administrative rights on every object inside XO on the "lab-users" group, but when I log in with my user I can't access anything. But if I try putting the ACLs on the user object instead, I can administrate everything.

      Plugin settings:

      User filter: (&(objectClass=inetOrgPerson)(uid={{name}})) 
      ID Attribute: uid
      
      Group filter: (&(objectClass=posixGroup)(cn=lab-users))
      ID Attribute: gidNumber
      Display name attribute: cn
      
      Group attribute: uniqueMember
      User attribute: uid 
      

      LDAP attributes:

      User filter: ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=inetOrgPerson)(uid=jacjor))"
      ---
      # jacjor, people, my.organisation.tld
      dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld 
      objectClass: person
      objectClass: inetOrgPerson
      objectClass: posixAccount
      uid: jacjor
      ...
      ---
      
      Group filter: ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=posixGroup)(cn=lab-users))"
      
      ---
      
      # lab-users, groups, my.organisation.tld
      dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
      objectClass: top
      objectClass: groupOfUniqueNames
      objectClass: posixGroup
      cn: lab-users
      gidNumber: 2008
      uniqueMember:
      uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
      uniqueMember: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
      

      Am I missing something here? I guess that the group sync cannot access the "uid" attribute, but how to fix this? Can I use anything else? I have tried with both ID attributes as "dn" instead, but with no luck.

      • yag @yag

        @yag Bumping this thread. Anyone?

        • olivierlambert Vates 🪐 Co-Founder CEO

          Hi!

          We used it for a while internally (before switching to OIDC), but I think we did not use group sync. I wonder if @nathanael-h could take a look to spot anything obvious.

          • yag @olivierlambert

            @olivierlambert Thanks for the reply! I am open to running without group sync as well, but I have not found a way to give my LDAP users operator access to Orchestra without group sync, so if you know how you did that I am eager to know that as well 😄

            • nathanael-h Vates 🪐 DevOps Team

              Hi @yag! I will look more into the LDAP group sync topic. But just to share with you how we manage users on a lab: as shared by Olivier, we use OIDC, and once the user is created (on first login) we can manually define him as an admin (Permissions column on the Users page). Isn't this working with LDAP users as well?

              • nathanael-h Vates 🪐 DevOps Team

                Hi again, I tried to reproduce the issue, but obviously, as I do not have the same LDAP server and content as yours, it is not easy. So I set up the plugin as follows:

                User filter: (|(objectclass=posixAccount))
                ID Attribute: uid
                
                Group filter: (objectclass=posixGroup)
                ID Attribute: gidNumber
                Display name attribute: cn
                
                Group attribute: memberUid
                User attribute: uid
                

                With this I can see:

                • All the groups synced from LDAP to XO
                • Users inside the groups (from the groups page)
                • Users belong to a number of groups (from the users page)

                I also tuned the config as follows:

                User filter: (&(objectclass=posixAccount)(uid={{name}}))
                ID Attribute: uid
                
                Group filter: (&(objectclass=posixGroup)(cn=group1))
                ID Attribute: gidNumber
                Display name attribute: cn
                
                Group attribute: memberUid
                User attribute: uid
                
                • Only the group1 is synced
                • User and group matching works as expected.

                Then, in the two cases, I could create ACLs that grant admin privileges on one or more objects to a group and so to its users.

                Can you trigger a group sync and look for errors in the logs?

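An added illustration (not the ldap-auth plugin's code, nor any poster's) of the user/group matching step that both configurations in this thread depend on: it assumes the plugin links a group to a user only when a value of the configured group attribute equals a value of the configured user attribute, and it uses constructed LDIF mirroring the quoted entries, with a `memberUid: jacjor` line added to the group as a constructed value for the posixGroup case.

```python
"""Model of group-membership matching for XO ldap-auth group sync.
Assumption (not verified against the plugin): a group matches a user when a
value of the group attribute equals a value of the user attribute, compared as
plain strings.
"""

# Constructed LDIF mirroring the thread's entries; memberUid is a constructed
# extra value illustrating the posixGroup-style attribute nathanael-h used.
USER_LDIF = """\
dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jacjor
"""

GROUP_LDIF = """\
dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: lab-users
gidNumber: 2008
uniqueMember:
uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
memberUid: jacjor
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attr: [values]}; 'dn' is kept as an attribute."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def members_of(group, user, group_attr, user_attr):
    """Values of user[user_attr] present in group[group_attr]; [] means no membership.
    Empty group values (the bare 'uniqueMember:' line) are dropped so they never match."""
    group_values = {v for v in group.get(group_attr, []) if v}
    return [v for v in user.get(user_attr, []) if v in group_values]

def check(group_attr, user_attr):
    return members_of(parse_ldif(GROUP_LDIF), parse_ldif(USER_LDIF), group_attr, user_attr)

if __name__ == "__main__":
    print("uniqueMember/uid :", check("uniqueMember", "uid"))  # DN vs bare uid: []
    print("uniqueMember/dn  :", check("uniqueMember", "dn"))
    print("memberUid/uid    :", check("memberUid", "uid"))
```

Under this model, `uniqueMember` (full DNs) paired with `uid` (bare names) yields no overlap, which is the "member of 0 groups" symptom; pairing DN-valued attributes with `dn`, or `memberUid` with `uid`, gives a match.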
                • olivierlambert Vates 🪐 Co-Founder CEO

                  (Thanks @nathanael-h, it might even be worth getting a part of this into our current doc with an example; adding @thomas-dkmt in the loop)
