LDAP Authentication with OpenLDAP backend?
-
Hello!
Has anyone had success with the ldap-auth plugin and OpenLDAP as the LDAP provider? User authentication works fine, but my problem arises during group synchronization.
Per my understanding, you need to synchronize groups to be able to make all LDAP users administrators. I seem to have a mismatch between user & group sync. As previously stated, I can log in with my LDAP user, but the group membership is only partially recognized.
Under "Settings > Groups" I can see my group "lab-users" and it says 1 member, but under "Settings > Users" my user appears and it states that the user is a member of 0 groups.
I have set administrative rights on every object inside XO on the "lab-users" group, but when I log in with my user I can't access anything. But if I try putting the ACLs on the user object instead, I can administrate everything.
Plugin settings:
- User filter: `(&(objectClass=inetOrgPerson)(uid={{name}}))`
- ID Attribute: `uid`
- Group filter: `(&(objectClass=posixGroup)(cn=lab-users))`
- ID Attribute: `gidNumber`
- Display name attribute: `cn`
- Group attribute: `uniqueMember`
- User attribute: `uid`
LDAP attributes:
User filter:

```shell
ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=inetOrgPerson)(uid=jacjor))"
```

```ldif
# jacjor, people, my.organisation.tld
dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jacjor
...
```

Group filter:

```shell
ldapsearch -H ldaps://openldap.myorg.tld -D 'cn=admin,dc=my,dc=organisation,dc=tld' -w 'REDACTED' -b 'dc=my,dc=organisation,dc=tld' "(&(objectClass=posixGroup)(cn=lab-users))"
```

```ldif
# lab-users, groups, my.organisation.tld
dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: lab-users
gidNumber: 2008
uniqueMember:
uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
uniqueMember: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
```
Am I missing something here? I guess that the group sync cannot access the "uid" attribute, but how do I fix this? Can I use anything else? I have tried with both ID attributes set to "dn" instead, but with no luck.
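The following is an added example, not part of the post above and not the ldap-auth plugin's own code. It models a group-sync membership check against the two entries the post shows, under one stated assumption: that the sync step takes every value of the configured "Group attribute" (`uniqueMember`) as a member identifier and compares it, as a string, with the value of the configured "User attribute" (`uid` or `dn`) on the user entry. The LDIF is reconstructed from the post (the user entry is abbreviated there, so only `dn` and `uid` are carried over); the `parse_ldif`, `is_member` and `empty_values` helpers are illustrative names.

```python
# Added example: a model of how a group-sync step could match a user entry
# against a group entry. ASSUMPTION: membership holds iff the user's configured
# user attribute value appears among the group's configured group attribute
# values (string comparison, DNs normalised crudely). Not the plugin's real code.
import re

# LDIF constructed from the entries shown in the post.
GROUP_LDIF = """\
dn: cn=lab-users,ou=groups,dc=my,dc=organisation,dc=tld
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: lab-users
gidNumber: 2008
uniqueMember:
uniqueMember: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
uniqueMember: uid=lab-test,ou=people,dc=my,dc=organisation,dc=tld
"""

# The post's user entry is abbreviated ("..."); only the attributes it shows are used.
USER_LDIF = """\
dn: uid=jacjor,ou=people,dc=my,dc=organisation,dc=tld
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
uid: jacjor
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} with lower-cased names.

    Handles the plain 'attr: value' form used above. Base64 ('::') values and
    continuation lines are not needed for these entries and are not handled.
    """
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(value):
    """Crude DN normalisation: lower-case, strip spaces around commas."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def member_ids(group, group_attr):
    """All values the group carries for the configured group attribute."""
    return [normalize_dn(v) for v in group.get(group_attr.lower(), [])]


def user_id(user, user_attr):
    """Value of the configured user attribute (first value if multi-valued)."""
    values = user.get(user_attr.lower(), [])
    return normalize_dn(values[0]) if values else None


def is_member(user, group, group_attr, user_attr):
    """Membership under the assumed rule: user_attr value is in group_attr values."""
    ident = user_id(user, user_attr)
    return ident is not None and ident in member_ids(group, group_attr)


def empty_values(entry, attr):
    """Count values of attr that are empty (the group above has one bare 'uniqueMember:')."""
    return sum(1 for v in entry.get(attr.lower(), []) if v == "")


GROUP = parse_ldif(GROUP_LDIF)
USER = parse_ldif(USER_LDIF)

if __name__ == "__main__":
    for attr in ("uid", "dn"):
        print(f"group attribute=uniqueMember, user attribute={attr}: "
              f"member={is_member(USER, GROUP, 'uniqueMember', attr)}")
    print("empty uniqueMember values in group:", empty_values(GROUP, "uniqueMember"))
```

Run as-is, the model reports no membership when the user attribute is `uid` (the `uniqueMember` values are full DNs, and `jacjor` never equals one of them) and membership when the user attribute is `dn`. It also reports one empty `uniqueMember` value, which the group LDIF in the post carries; whether a given sync implementation tolerates that is something to check against the plugin's own documentation rather than this model.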