galaxyproject / galaxy

Data intensive science for everyone.
https://galaxyproject.org

LDAP memberof search not available openldap out-of-box #17375

Closed alpapan closed 7 months ago

alpapan commented 7 months ago

Galaxy Version and/or server at which you observed the bug
Galaxy Version: 23.1.5.dev0
Commit: 1fe37b099f6f7da20c2483157bb2c1d94a766c67

Describe the bug

Not a bug, but a limitation of docs. Just describing it in case other admins want to be aware.

In auth_conf.xml it seems that the directive

```xml
<search-memberof-filter>galaxy_users</search-memberof-filter>
```

is available out of the box for Active Directory.

For OpenLDAP the memberof_overlay module needs to be installed (and slapd config needs to be done for every user created before module activation).

See this stackoverflow and documentation for the problem and guide.

On out-of-the-box OpenLDAP, users are mapped against groups like so:

```ldif
# galaxy_users, Groups, westernsydney.edu.au
dn: cn=galaxy_users,ou=Groups,dc=westernsydney,dc=edu,dc=au
objectClass: posixGroup
cn: galaxy_users
gidNumber: xxx
description: Group account
memberUid: xxxxx
```

Individual users do not have a memberOf.

This is not a problem for any other application, for example Nextcloud or my own apps.

Perhaps we could document it as only supported in openldap if the memberOf overlay module is installed?

alpapan commented 7 months ago

ok, I learnt something today.

Here is my solution for openLDAPers who wish to implement it (disclaimer: don't do this if you don't know how to use LDAP and make sure you keep backups)

1. Add the memberOf overlay module

Step 1: back up slapd

```shell
systemctl stop slapd.service && slapcat -v -l DATE_ldapbackup.ldif && slapcat -n 0 -l DATE_ldapconfigbackup.ldif && systemctl start slapd.service
```

Check what DBs you have:

```shell
slapcat -n 0 | grep olcModuleLoad
```

If the above gives output, then run `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`, where file.ldif has the following commands:

```ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
```

If it doesn't, see this link.

Now activate it with `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`, where file.ldif has the following commands:

```ldif
# changetype: add is required here: without it (and without -a) ldapmodify treats the record as a modify
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE
```

Restart slapd (not sure if needed): `systemctl restart slapd.service`. Check if it all works.

2. Create a galaxy user group and populate it.

For example, for galaxy_users run `ldapmodify -x -D "cn=administrator CN" -W -f file.ldif`, where file.ldif is:

```ldif
dn: cn=galaxy_users,ou=Groups,dc=yourDC
changetype: add
objectClass: groupOfNames
description: Galaxy users
cn: galaxy_users
member: cn=your persons1 dn
member: cn=your persons2 dn
```

NB1: the group must be class groupOfNames. User and group for pam login accounts are posix to allow for user and group IDs but only groupOfNames work with the memberOf overlay.

NB2: this group will only be used for filtering; it cannot have a presence in the unix group list (will be available under getent group).

If you do `ldapsearch -x` it will show the new group and members but not any memberOf definitions. This is because the overlay attribute needs to be explicitly specified, like so: `ldapsearch -x memberOf`.

I haven't figured out how to do the auto assign of groups, it doesn't work for me but that's a story for another year.
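As an added example (my own code, not the issue author's or the Galaxy project's): an offline audit over a slapcat dump that flags posixGroup entries the memberOf overlay ignores and users whose stored entry lacks the memberOf values their groupOfNames membership implies, which is the check you would want before pointing search-memberof-filter at the directory. The LDIF sample is constructed and the dc=example,dc=org DNs are placeholders.

```python
from collections import defaultdict
# Constructed slapcat-style sample (not a real directory): an out-of-the-box posixGroup,
# a groupOfNames as the memberOf overlay requires, and two users, only one of which
# already carries the memberOf value the overlay would maintain.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
memberOf: cn=galaxy_users,ou=Groups,dc=example,dc=org

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: posixGroup
memberUid: alice
memberUid: bob

dn: cn=galaxy_users,ou=Groups,dc=example,dc=org
objectClass: groupOfNames
member: uid=alice,ou=People,dc=example,dc=org
member: uid=bob,ou=People,dc=example,dc=org
"""

def parse_ldif(text):
    """Plain LDIF -> {dn: {attr_lowercase: [values]}}; folded lines are joined, base64 (::) is not decoded."""
    entries = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line and not line.startswith("#"):
                key, _, value = line.partition(":")
                attrs[key.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def audit_memberof(ldif_text):
    """Return (posix_groups, missing): groups the overlay ignores (posixGroup/memberUid, not
    groupOfNames/member), and user DN -> group DNs the overlay implies but the entry lacks."""
    entries = parse_ldif(ldif_text)
    posix_groups, expected = [], defaultdict(set)
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "groupofnames" in classes:
            for member in attrs.get("member", []):
                expected[member].add(dn)  # what the overlay would write on the member entry
        elif "posixgroup" in classes:
            posix_groups.append(dn)
    missing = {u: sorted(g - set(entries.get(u, {}).get("memberof", []))) for u, g in expected.items()}
    return sorted(posix_groups), {u: g for u, g in missing.items() if g}
```

Run it against `slapcat -l dump.ldif` output: any user listed in `missing` was created before the overlay was activated and needs its group membership re-applied.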

alpapan commented 7 months ago

Please let me know if you'd like me to document this somewhere. Closing otherwise.