
We enable an application to use LDAP.

In the configuration of the application, we need to provide a URL to connect to LDAP. We are currently providing the following URL...

ldap://10.2.0.5:389/dc=domain,dc=abc,dc=de?uid

QUESTION: We need to add a filter to the URL above so that only users belonging to the "accessgroup" group are found, in order to limit application access to users belonging to this group.

That is, something similar to this...

curl "ldap://10.2.0.5:389/dc=domain,dc=abc,dc=de?uid?sub?(&(memberof=cn=accessgroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=%s))"

We've tried hundreds of settings and nothing works... =|

GROUP

cn: accessgroup
gidNumber: 1004
memberUid: usera
memberUid: userb
memberUid: userc
memberUid: userd
memberUid: usere
memberUid: userf
memberUid: userg
memberUid: userh
memberUid: useri
objectClass: top
objectClass: posixGroup

USERS

cn: User Letter A
gecos: User Letter A
gender: M
gidNumber: 544
givenName: User
gotoLastSystemLogin: 01.01.1970 00:00:00
homeDirectory: /home/usera
loginShell: /bin/bash
mail: user.letter.a@domain.abc.de
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
[...]
uid: usera
uidNumber: 1004
[...]

Thanks! =D

Eduardo Lucio
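The URL in the question follows RFC 4516 (`ldap://host:port/base?attrs?scope?filter`), and the `(uid=%s)` placeholder is a value the application substitutes into a filter, so it needs RFC 4515 escaping before it goes in. The following Python 3 script is an added example for this page, not code from the original post or from any application's LDAP client: it builds the membership filter with both values escaped, assembles the URL, and parses a URL back into its components with the RFC 4516 defaults. Host, port, base DN and group DN are the values from the question; the function names are illustrative.

```python
"""Build, escape and parse the LDAP URL from the question (RFC 4516 / RFC 4515).

Added example; not the original poster's code. Host, base DN and group DN are the
values given in the question, the helper names are made up for this example.
"""
from urllib.parse import quote, unquote

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Characters that may stay literal inside the filter component of the URL. Everything
# else (spaces, '?', backslashes, non-ASCII) is percent-encoded so it cannot be read
# as a component separator by whoever parses the URL.
_FILTER_SAFE = "=,()&|!*<>:"


def escape_filter_value(value):
    """Escape a value substituted into a filter so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(group_dn, uid, member_attr="memberOf"):
    """The (&(memberOf=<group>)(uid=<uid>)) filter from the question, with both values escaped."""
    return "(&(%s=%s)(uid=%s))" % (member_attr, escape_filter_value(group_dn), escape_filter_value(uid))


def build_ldap_url(host, port, base_dn, attrs, scope, filter_expr):
    """Assemble ldap://host:port/dn?attrs?scope?filter as RFC 4516 section 2 lays it out."""
    components = [
        quote(base_dn, safe="=,"),          # DN: spaces and other reserved characters get percent-encoded
        ",".join(attrs),                    # attribute list is comma separated
        scope,                              # "base", "one" or "sub"
        quote(filter_expr, safe=_FILTER_SAFE),
    ]
    return "ldap://%s:%d/%s" % (host, port, "?".join(components))


def parse_ldap_url(url):
    """Split an LDAP URL into its components, applying the RFC 4516 defaults for missing ones."""
    scheme, _, rest = url.partition("://")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")   # IPv6 literals such as [::1] are not handled here
    fields = tail.split("?")                  # split BEFORE percent-decoding: a decoded '?' is data
    fields += [""] * (5 - len(fields))
    dn, attrs, scope, filt, exts = fields[:5]
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else 389,
        "base": unquote(dn),
        "attrs": [a for a in attrs.split(",") if a],   # empty list means "all user attributes"
        "scope": scope or "base",                      # no scope component means base, not sub
        "filter": unquote(filt) or "(objectClass=*)",
        "extensions": unquote(exts),
    }


if __name__ == "__main__":
    group = "cn=accessgroup,ou=groups,dc=domain,dc=abc,dc=de"
    url = build_ldap_url("10.2.0.5", 389, "dc=domain,dc=abc,dc=de", ["uid"], "sub",
                         membership_filter(group, "usera"))
    print(url)
    print(parse_ldap_url("ldap://10.2.0.5:389/dc=domain,dc=abc,dc=de?uid"))
```

Two things worth noticing when running it: the question's current URL has no scope component, so per RFC 4516 it denotes a base-scope search of the base entry itself, which is why the intended URL carries an explicit `?sub?`; and a uid such as `usera)(uid=*` is neutralised by `escape_filter_value`, whereas a plain `%s` substitution would let it rewrite the filter.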

2 Answers


How is your LDAP server's memberOf attribute created? Have you checked to make sure that your users actually have memberOf attributes?

In OpenLDAP for example, memberOf is only populated if you use the memberof overlay or manage them with dynamic lists.

Liam Gretton

SITUATION:

The problem is that we are trying to filter using POSIX groups, and there is no specific overlay for that. What exists is a somewhat complex and laborious workaround, which can be seen here: GENERATING A MEMBEROF ATTRIBUTE FOR POSIXGROUPS.

SOLUTION:

To solve this problem we implemented a simple solution that can be seen here...

psx-grp-flt - user's posixGroup memberships against pgMemberOf (memberOf)

... which basically is the following...

A simple Python 2.7 script that stores each user's posixGroup (POSIX group) memberships in their pgMemberOf (memberOf) attribute. The purpose is to enable search filters like the ones below...

MODEL

ldapsearch -x -H 'ldap://127.0.0.1:389' -b 'ou=persons,dc=domain,dc=abc,dc=de' \
    -D 'cn=admin,dc=domain,dc=abc,dc=de' \
    -w 'mySecretValue' \
    '(&(pgMemberOf=cn=certaingroup,ou=groups,dc=domain,dc=abc,dc=de)(uid=certainuid))'

EXAMPLE

ldapsearch -x -H '<OPENLDAP_URI>' -b '<PERSONS_OU>,<BASE_DN>' \
    -D '<ADM_USER_DN>' \
    -w '<ADM_USER_PASSWORD>' \
    '(&(pgMemberOf=cn=<PSX_GROUP_CN>,<GROUPS_OU>,<BASE_DN>)(uid=<PERSON_UID>))'

This script is useful for cases where we already have an OpenLDAP installed and we want to make filters available for POSIX groups that already exist, in a very simple way and without creating new types of groups. It is also useful when it is not possible to install overlays, or when that process is too laborious or risky.

Thanks! =D

Eduardo Lucio
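The core of the approach above is a derived attribute: a posixGroup lists its members by uid in `memberUid`, not by DN in `member`, so the memberof overlay never sees them, and something has to compute the reverse mapping and write it onto each user. The Python 3 script below is an added example for this page; it is not the psx-grp-flt script from the answer (which is Python 2.7 and talks to a live OpenLDAP). It works on constructed in-memory entries modelled on the GROUP and USERS dumps in the question, computes each user's pgMemberOf set, and emits the LDIF modify records that would write it, so it runs offline with no server. It assumes the `pgMemberOf` attribute type is defined in the server schema, that users live under `ou=persons` with `uid=...` as the RDN, and the extra group `othergroup` and the helper names are made up for the example.

```python
"""Derive a memberOf-style attribute (pgMemberOf) for posixGroup members and emit LDIF.

Added example; not the psx-grp-flt script from the answer. Entries are constructed
in memory from the question's dumps; the user RDN (uid=...) and ou=persons layout,
the group 'othergroup' and the helper names are assumptions of this example.
"""

BASE_DN = "dc=domain,dc=abc,dc=de"
PERSONS_OU = "ou=persons," + BASE_DN
GROUPS_OU = "ou=groups," + BASE_DN
MEMBER_ATTR = "pgMemberOf"   # must exist in the server schema before the LDIF is applied

# Constructed entries. A posixGroup names its members by uid (memberUid), which is
# why the memberof overlay (keyed on DN-valued member attributes) does nothing here.
GROUPS = {
    "accessgroup": {"gidNumber": 1004, "memberUid": ["usera", "userb", "userc"]},
    "othergroup":  {"gidNumber": 1005, "memberUid": ["userb", "userz"]},   # userz has no account
}
USERS = {
    "usera": {"gidNumber": 544,  MEMBER_ATTR: []},
    "userb": {"gidNumber": 544,  MEMBER_ATTR: ["cn=othergroup," + GROUPS_OU]},  # partial, stale value
    "userc": {"gidNumber": 544,  MEMBER_ATTR: []},
    "userd": {"gidNumber": 1004, MEMBER_ATTR: []},   # primary group only, not listed in memberUid
}


def group_dn(cn):
    return "cn=%s,%s" % (cn, GROUPS_OU)


def user_dn(uid):
    return "uid=%s,%s" % (uid, PERSONS_OU)


def compute_memberships(groups, users, include_primary=False):
    """Return {uid: sorted list of group DNs} for every known user.

    memberUid values with no matching account (userz) are ignored. Whether a user's
    primary group (gidNumber) counts as a membership is a policy choice; the answer's
    script does not say, so it is a flag here.
    """
    result = {uid: set() for uid in users}
    gid_to_cn = {g["gidNumber"]: cn for cn, g in groups.items()}
    for cn, g in groups.items():
        for uid in g["memberUid"]:
            if uid in result:
                result[uid].add(group_dn(cn))
    if include_primary:
        for uid, u in users.items():
            cn = gid_to_cn.get(u["gidNumber"])
            if cn is not None:
                result[uid].add(group_dn(cn))
    return {uid: sorted(dns) for uid, dns in result.items()}


def ldif_modify(uid, group_dns):
    """One LDIF change record: replace pgMemberOf with the computed set, or delete it when empty."""
    lines = ["dn: " + user_dn(uid), "changetype: modify"]
    if group_dns:
        lines.append("replace: " + MEMBER_ATTR)
        lines += ["%s: %s" % (MEMBER_ATTR, dn) for dn in group_dns]
    else:
        # only reached for users that currently hold the attribute (see changes_needed),
        # so the delete cannot fail with noSuchAttribute
        lines.append("delete: " + MEMBER_ATTR)
    lines.append("-")
    return "\n".join(lines) + "\n"


def changes_needed(groups, users, include_primary=False):
    """Emit records only for users whose stored pgMemberOf differs from the computed set."""
    wanted = compute_memberships(groups, users, include_primary)
    return [ldif_modify(uid, wanted[uid])
            for uid in sorted(users)
            if sorted(users[uid].get(MEMBER_ATTR, [])) != wanted[uid]]


def apply_memberships(users, wanted):
    """Return what the directory would hold after the records are applied (input left untouched)."""
    return {uid: {**attrs, MEMBER_ATTR: list(wanted.get(uid, []))} for uid, attrs in users.items()}


def matches_filter(users, group_cn, uid):
    """Evaluate the answer's filter (&(pgMemberOf=<group DN>)(uid=<uid>)) against the entries."""
    return group_dn(group_cn) in users.get(uid, {}).get(MEMBER_ATTR, [])


if __name__ == "__main__":
    print("".join(changes_needed(GROUPS, USERS)), end="")
```

The output can be fed to `ldapmodify` as the admin bind in the answer's MODEL command. Two caveats the answer's approach shares: the derived attribute is only as fresh as the last run, so membership changes do not take effect until the script runs again, and an account holding `pgMemberOf` is trusted by the application, so write access to that attribute must be restricted to the account that maintains it.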