LDAP group filter
Added by Alexander Geeraerts over 9 years ago
Hello,
I tried to search but only found results regarding the synchronisation of LDAP groups to redmine.
This is not what I want to do, I simply want to limit the users who are allowed to login to members of a certain group in LDAP.
I have tried many different filter settings but none of them seem to work.
Hope I can get some help here! :)
An example filter (which does NOT work):
(&(objectClass=posixAccount)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))
Replies (4)
RE: LDAP group filter
Added by Alexander Geeraerts over 9 years ago
It seems that you first have to enable the "memberof" overlay in openldap for this to work.
After enabling this overlay the following filter works perfectly:
(&(objectClass=inetOrgPerson)(memberOf=cn=redmine,ou=groups,dc=company,dc=com))
RE: LDAP group filter
Added by john val over 9 years ago
In Redmine 2.1.2 I added the following entry in the "LDAP filter" field:
(&(objectClass=inetOrgPerson)(memberOf=cn=employees,ou=group,dc=ldap,dc=ihk,dc=com))
But when I go to save it, there is an error message saying "Invalid LDAP filter".
Please advise.
RE: LDAP group filter
Added by Perico Os Palotes almost 9 years ago
Ok, below the exact instructions to get it done:
1. (OpenLDAP server) Enable memberof overlay
1.1. Create a file:
vim ~/memberof_add.ldif
With below content:
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof
1.2. Create a file:
vim ~/memberof_config.ldif
With below content:
dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
1.3. Load them. It will depend on your OpenLDAP configuration, so we will propose some possibilities:
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_add.ldif
sudo ldapadd -c -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif
Or:
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_add.ldif
ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f memberof_config.ldif
A restart is NOT needed if you use the dynamic runtime configuration engine (slapd-config).
1.4. (Optional) Test it:
ldapsearch -D cn=admin,dc=example,dc=com -x -W -b 'dc=example,dc=com' -H 'ldap://127.0.0.1:389/' '(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))'
2. (OpenLDAP server) Create the group. In this example the user is "ldap_user_1" and the group is "ldapredmine":
dn: cn=ldapredmine,ou=groups,dc=example,dc=com
cn: ldapredmine
description: Staff members allowed to login to redmine ticketing system
member: cn=ldap_user_1,ou=people,dc=example,dc=com
objectclass: groupOfNames
objectclass: top
Adjust the "dn" and "cn" values to fit your DIT structure.
3. (Redmine) Edit the LDAP authentication mode. In my case "ldap_user_1" is a "posixAccount" objectclass:
Base DN: dc=example,dc=com
Filter: (&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))
I expect that this can be helpful. Feel free to copy/paste this post and use it in the module documentation.
Javier
Credits:
http://www.cbjck.de/2012/05/enabling-the-memberof-overlay-for-openldap/
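As an added example (not code from this thread, from Redmine or from OpenLDAP), here is a small Python evaluator for RFC 4515 filters run over constructed sample entries. It makes the point of the first two posts and of step 1 above concrete: the same (&(objectClass=posixAccount)(memberOf=...)) filter matches nobody while the user entries carry no memberOf attribute, and matches exactly the group's members once a simulated memberof overlay derives memberOf from the group's member values. is_valid_filter shows how a malformed filter (here one with an unbalanced parenthesis) is rejected before any search runs. All DNs, entry names and function names are constructed for the demo; only &, |, !, equality and presence are implemented, not RFC 4515 value escaping or substring matches.

```python
"""Toy RFC 4515 filter evaluator over a constructed in-memory directory.

Added example for this thread, not Redmine or OpenLDAP code. Shows why a
memberOf group filter matches nobody until the memberof overlay populates
the attribute, and what a malformed filter looks like to a validator.
"""

GROUP_DN = "cn=ldapredmine,ou=groups,dc=example,dc=com"

# Constructed sample entries keyed by DN. Only ldap_user_1 is in the group.
PEOPLE = {
    "cn=ldap_user_1,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount", "inetOrgPerson", "top"]},
    "cn=ldap_user_2,ou=people,dc=example,dc=com": {"objectClass": ["posixAccount", "inetOrgPerson", "top"]},
}
GROUPS = {GROUP_DN: {"objectClass": ["groupOfNames", "top"],
                     "member": ["cn=ldap_user_1,ou=people,dc=example,dc=com"]}}


def apply_memberof_overlay(people, groups):
    """Simulate the overlay: derive memberOf on each user from groupOfNames/member
    (the olcMemberOfGroupOC / olcMemberOfMemberAD settings in the LDIF above)."""
    out = {dn: {k: list(v) for k, v in attrs.items()} for dn, attrs in people.items()}
    for group_dn, gattrs in groups.items():
        if "groupofnames" not in [c.lower() for c in gattrs.get("objectClass", [])]:
            continue
        for member_dn in gattrs.get("member", []):
            if member_dn in out:  # unknown member DNs are skipped (olcMemberOfDangling: ignore)
                out[member_dn].setdefault("memberOf", []).append(group_dn)
    return out


class FilterError(ValueError):
    """Syntactically invalid filter, rejected before any search is attempted."""


def parse_filter(text):
    """Parse a filter string into a small tuple AST (&, |, !, eq, present)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise FilterError(f"expected '(' at {pos}")
        pos += 1
        if pos >= len(text):
            raise FilterError("unterminated filter")
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            if not children:
                raise FilterError("empty filter set")
            node = (op, children)
        elif text[pos] == "!":
            pos += 1
            node = ("!", parse())
        else:
            end = text.find(")", pos)
            if end == -1 or "=" not in text[pos:end]:
                raise FilterError(f"malformed item at {pos}")
            attr, value = text[pos:end].split("=", 1)  # split once: DN values contain '='
            node = ("present", attr) if value == "*" else ("eq", attr, value)
            pos = end
        if pos >= len(text) or text[pos] != ")":
            raise FilterError(f"expected ')' at {pos}")
        pos += 1
        return node

    node = parse()
    if pos != len(text):
        raise FilterError("trailing characters after filter")
    return node


def is_valid_filter(text):
    """True if the filter parses, the kind of check a UI performs on save."""
    try:
        parse_filter(text)
        return True
    except FilterError:
        return False


def _values(entry, attr):
    # LDAP attribute names are case-insensitive.
    return next((v for k, v in entry.items() if k.lower() == attr.lower()), [])


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(_values(entry, node[1]))
    _, attr, value = node  # case-insensitive equality suffices for objectClass and DN values
    return any(v.lower() == value.lower() for v in _values(entry, attr))


def users_allowed(filter_text, people):
    """Sorted DNs of entries passing the filter, i.e. who may log in."""
    ast = parse_filter(filter_text)
    return sorted(dn for dn, attrs in people.items() if matches(ast, attrs))


REDMINE_FILTER = "(&(objectClass=posixAccount)(memberOf=cn=ldapredmine,ou=groups,dc=example,dc=com))"
```

users_allowed(REDMINE_FILTER, PEOPLE) returns an empty list, while the same call on apply_memberof_overlay(PEOPLE, GROUPS) returns only ldap_user_1; dropping the memberOf clause lets every posixAccount through, which is the behaviour the group filter is there to prevent.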
RE: LDAP group filter
Added by Sunding Wei over 1 year ago
I figured out the LDAP filter; it works for me:
(objectClass=user)