Closed alpapan closed 7 months ago
ok, I learnt something today.
Here is my solution for OpenLDAPers who wish to implement it (disclaimer: don't do this if you don't know how to use LDAP, and make sure you keep backups).

Step 1: back up slapd

```sh
systemctl stop slapd.service && slapcat -v -l DATE_ldapbackup.ldif && slapcat -n 0 -l DATE_ldapconfigbackup.ldif && systemctl start slapd.service
```
Check what dbs you have:

```sh
slapcat -n 0 | grep olcModuleLoad
```
If the above gives output, then run `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`
where file.ldif has the following commands:

```ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
```
If it doesn't, see this link.
Now activate it: `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`
where file.ldif has the following commands (the `changetype: add` line is needed because ldapmodify without `-a` treats a record with no changetype as a modify):

```ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE
```
Restart slapd (not sure if needed): `systemctl restart slapd.service`
Check if it all works.
For example, for galaxy_users run `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`
where file.ldif is:

```ldif
dn: cn=galaxy_users,ou=Groups,dc=yourDC
changetype: add
objectClass: groupOfNames
description: Galaxy users
cn: galaxy_users
member: cn=your persons1 dn
member: cn=your persons2 dn
```
NB1: the group must be of class groupOfNames. Users and groups for PAM login accounts are posix to allow for user and group IDs, but only groupOfNames works with the memberOf overlay.
NB2: this group will only be used for filtering; it cannot have a presence in the unix group list (will be available under `getent group`).
If you do `ldapsearch -x` it will show the new group and members but not any memberOf definitions.
This is because the overlay attribute needs to be explicitly defined, like so: `ldapsearch -x memberOf`.
I haven't figured out how to do the auto assign of groups, it doesn't work for me but that's a story for another year.
Please let me know if you'd like me to document this somewhere. Closing otherwise.
Galaxy Version and/or server at which you observed the bug
Galaxy Version: 23.1.5.dev0
Commit: 1fe37b099f6f7da20c2483157bb2c1d94a766c67
Describe the bug
Not a bug, but a limitation of docs. Just describing it in case other admins want to be aware.
In `auth_conf.xml` it seems that the directive is out of the box available to Active Directory.
For OpenLDAP the memberof_overlay module needs to be installed (and slapd config needs to be done for every user created before module activation).
See this Stack Overflow post and documentation for the problem and a guide.
On out-of-the-box openldap users are mapped against groups like so
Individual users do not have a `memberOf`. This is not a problem for any other application, for example Nextcloud or my own apps.
Perhaps we could document it as only supported in openldap if the memberOf overlay module is installed?
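One practical consequence of the point above (the overlay only maintains `memberOf` for memberships written after it is activated, and only for groupOfNames) is that an admin wants a way to spot users a group lists as `member` but which carry no matching `memberOf`. The script below is an added example written for this thread, not code from the issue, from Galaxy or from OpenLDAP: it parses the LDIF that `ldapsearch -x -LLL ... memberOf member objectClass` prints (a constructed sample is embedded so it runs offline), ignores posixGroup entries as NB1 says the overlay does, and reports every member that lacks the expected `memberOf`. Function names such as `find_missing_memberof` and the `dc=example,dc=org` suffix are my own.

```python
"""Report groupOfNames members that lack the matching memberOf attribute.

Added example for this thread (not part of the issue or of Galaxy). Feed it
the LDIF from:  ldapsearch -x -LLL -b "dc=example,dc=org" memberOf member objectClass
The sample below is constructed: alice got memberOf from the overlay, bob was
added before the overlay was activated, carol is listed but was never searched.
"""
import base64
import sys
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=galaxy_users,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
cn: galaxy_users
member: uid=alice,ou=People,dc=example,dc=org
member: uid=bob,ou=People,dc=example,dc=org
member: uid=carol,ou=People,dc=example,dc=org

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 5000
memberUid: bob

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: alice
memberOf: cn=galaxy_users,ou=Groups,dc=example,dc=org

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
uid: bob
"""


def norm_dn(dn):
    # Case-fold and trim whitespace around commas. Sufficient for matching DNs
    # that slapd itself wrote; not a full RFC 4514 canonicalisation.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse LDIF into {normalized_dn: {attr_lowercase: [values]}}.

    Handles folded continuation lines (leading space) and base64 (`::`)
    values. The DN as written is kept under the "dn" attribute.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#") or raw.startswith("version:"):
                continue
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        attrs = defaultdict(list)
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):               # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            attrs[name.strip().lower()].append(value)
        if attrs.get("dn"):
            entries[norm_dn(attrs["dn"][0])] = dict(attrs)
    return entries


def find_missing_memberof(ldif_text):
    """Return {member_dn: [group_dn, ...]} for members lacking memberOf."""
    entries = parse_ldif(ldif_text)
    expected = defaultdict(set)       # normalized member DN -> group DNs
    for attrs in entries.values():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" not in classes:     # posixGroup etc. get no memberOf
            continue
        for member in attrs.get("member", []):
            expected[norm_dn(member)].add(attrs["dn"][0])
    missing = {}
    for member, groups in expected.items():
        user = entries.get(member)
        have = {norm_dn(g) for g in user.get("memberof", [])} if user else set()
        gap = sorted(g for g in groups if norm_dn(g) not in have)
        if gap:
            # Use the DN as written when the entry was in the search output;
            # otherwise the member was not returned at all, so report it as is.
            missing[user["dn"][0] if user else member] = gap
    return missing


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, groups in find_missing_memberof(text).items():
        print(f"{dn} lacks memberOf for: {', '.join(groups)}")
```

When run with no input it checks the embedded sample and reports bob and carol; pipe real `ldapsearch -LLL` output into it to audit a live directory. Members listed under a posixGroup are deliberately not flagged, since the overlay never writes `memberOf` for them.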