kakwa / ldapcherry

Web UI for managing users and groups in multiple directory services.
MIT License

Creating Admin Role for an existing user #32

Open gauravpathak opened 5 years ago

gauravpathak commented 5 years ago

Hi @kakwa, I am trying to log in to ldapcherry as admin but I am not getting any idea about it. I want to create and delete users from the admin account. Currently, I am able to log in as a normal user.

I have already set up an openldap server; I have used phpldapadmin to set up some users and groups and an organizational unit. The structure is something like below:

[Screenshot from 2019-04-18 13-46-09]

How should I add or use an admin account for ldapcherry?

vishwakumba commented 5 years ago

Create the LDAPCherry Admin role in /etc/ldapcherry/roles.yml

For example:

hello_world_admin_role:
    display_name: Hello_World_Admin_Users
    description: Hello World Admin Users
    LC_admins: True
    backends_groups:
        ad:
            - hello-world

This has been mentioned in the docs.

https://ldapcherry.readthedocs.io/en/latest/deploy.html#defining-ldapcherry-administrator-role

Note: I am using Active Directory. My backend group name is "ad". You may have to use your ldap server variable name defined in /etc/ldapcherry/ldapcherry.ini

gauravpathak commented 5 years ago

Hi @vishwakumba, I tried your suggestions and created a new group "AdminGroup" and created a user "ldap.admin" in it.

Here is the "roles.yml" file for it:

admin-lv3:
    display_name: Administrators Level 3
    description: Super administrators of the system
    LC_admins: True
    backends_groups:
        ldap:
            - cn=admin,cn=AdminGroup,ou=team-xebrium,dc=connect,dc=xebrium,dc=com
#        ad:
#            - Administrators
#            - Group Policy Creator Owners
#            - Enterprise Admins
#            - Schema Admins
#            - Domain Admins

admin-lv2:
    display_name: Administrators Level 2
    description: Basic administrators of the system
    backends_groups:
        ldap:
            - cn=india-group,ou=team-xebrium,dc=connect,dc=xebrium,dc=com
#        ad:
#            - Administrators

developpers:
    display_name: Developpers
    description: Developpers of the system
    backends_groups:
        ldap:
            - cn=developpers,ou=Group,dc=example,dc=org
            - cn=users,ou=Group,dc=example,dc=org

users:
    display_name: Simple Users
    description: Basic users of the system
    backends_groups:
        ldap:
            - cn=india-group,ou=team-xebrium

But it didn't work. If I set "auth.mode = 'none'" then all users get administrator rights.

I also tried setting groups like below with no luck:

admin-lv3:
    display_name: Administrators Level 3
    description: Super administrators of the system
    LC_admins: True
    backends_groups:
        ldap:
            - AdminGroup

vishwakumba commented 5 years ago

May I ask which LDAP server, operating system and Python version you are using? I use Python 2.7.5, CentOS 7.2 and AWS Directory Service (Microsoft Active Directory), and the Active Directory backend works fine for me.

Note: I had to make a small change in the active directory backend (base dn and user dn path) as I am using AWS Directory Service.

gauravpathak commented 5 years ago

I am using openldap-2.4.42 on Ubuntu 16.04.6 with Python 3.5.2.

kakwa commented 5 years ago

Hello,

Sorry for the delay. There is no notion of an "admin" account in ldapcherry; what you have instead is "ldapcherry admins": basically, you set LC_admins: True on one of the roles, and the users having this role (i.e. being members of all the groups of that role) will have admin rights in ldapcherry (add/delete/fully modify users).

That being said, there is a bit of a chicken-and-egg problem when the ldap is first created: you need an admin user to connect to ldapcherry to create an admin user. For that, either create one manually with ldapadd or something like that, or alternatively disable the authentication on ldapcherry:

[auth]

auth.mode = 'none'

Just be cautious to restrict it somewhat.

To simplify bootstrapping, I'm thinking of creating a companion CLI tool running locally to create users, but it would require some restructuring of the code to better separate role/group/backends/attributes management from the web part.

For troubleshooting the issue, you can launch ldapcherry in debug mode (-D); it should display the roles and the groups of the user you are logging in with. Not sure what the layout of your ldap is for the group part, but you may need to tweak ldap.group_filter_tmpl and ldap.groupdn depending on your deployment.

As for testing, personally I use OpenLDAP for the ldap backend, and Samba 4 for the AD backend.

gauravpathak commented 5 years ago

@kakwa Thanks a lot for your reply.

I was also a bit suspicious about ldap.group_filter_tmpl and ldap.groupdn. Whenever I launch ldapcherry in debug mode with the -D option and log in with any user, it is not able to pull the group details of the user, and for every user it shows:

user 'ldap.admin' groups: {'ldap': []}
user 'ldap.admin' roles: {'unusedgroups': {}, 'roles': set()}

I will try to change the filters for group and groupdn.

gauravpathak commented 5 years ago

Finally found a solution to my issue; hope this helps others as well. I used phpldapadmin initially to access the openldap server; the structure is shown above (https://user-images.githubusercontent.com/5787318/56347737-91e94d80-61e2-11e9-92a1-f713dfe70da5.png).

My issue was that upon login from the web console of ldapcherry using any username, ldapcherry was not able to fetch the group name of the user; due to this, the roles.yml file was not able to define any roles for users logged in from the web console.

I first created a separate group, viz. AdminGroup, created a POSIX user in that group and created a new attribute of the group, namely memberUid, using Add New Attribute inside the group details of phpldapadmin.

Then I added the desired users to that memberUid; after that I used ldap.group_filter_tmpl = '(&(cn=*)(memberUid=%(username)s))' inside the /etc/ldapcherry/ldapcherry.ini file.

This resolved my issue.
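As an added example (not ldapcherry's own code), the following Python models the two points made in this thread: kakwa's rule that a role is granted to users who are members of all the groups that role lists, with LC_admins deciding admin rights, and the %(username)s expansion of ldap.group_filter_tmpl from the fix above. The role table (a dict standing in for the parsed roles.yml), the group DNs, the reading of 'unusedgroups' and the RFC 4515 escaping helper are assumptions constructed for this example.

```python
# Added example, not ldapcherry's own code: a simplified model of how a roles
# file like the roles.yml above maps a user's groups to roles, plus expansion
# of ldap.group_filter_tmpl. Role table and group DNs are constructed values.
ADMIN_GROUP = "cn=AdminGroup,ou=team-xebrium,dc=connect,dc=xebrium,dc=com"
INDIA_GROUP = "cn=india-group,ou=team-xebrium,dc=connect,dc=xebrium,dc=com"
ROLES = {
    "admin-lv3": {"LC_admins": True,
                  "backends_groups": {"ldap": [ADMIN_GROUP]}},
    "users": {"backends_groups": {"ldap": [INDIA_GROUP]}},
}

# RFC 4515 escaping for a value placed into a search filter, so that a
# username cannot alter the structure of the filter it is inserted into.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_group_filter(template, username):
    """Expand a %(username)s template such as the one used in the fix above."""
    return template % {"username": escape_filter_value(username)}

def resolve_roles(roles, user_groups):
    """Grant a role when the user holds every group the role lists for
    every backend (kakwa's 'member of all the groups of that role').
    Groups consumed by no granted role are reported per backend; that
    this is what the -D output's 'unusedgroups' means is an assumption."""
    granted, used = set(), {}
    for name, role in roles.items():
        needed = role.get("backends_groups", {})
        if needed and all(set(gs) <= set(user_groups.get(b, []))
                          for b, gs in needed.items()):
            granted.add(name)
            for b, gs in needed.items():
                used.setdefault(b, set()).update(gs)
    unused = {b: sorted(set(gs) - used.get(b, set()))
              for b, gs in user_groups.items()}
    return {"roles": granted,
            "unusedgroups": {b: g for b, g in unused.items() if g}}

def is_lc_admin(roles, granted):
    """LC_admins on any granted role makes the user a ldapcherry admin."""
    return any(roles[r].get("LC_admins", False) for r in granted)

if __name__ == "__main__":
    # Before the fix the group lookup came back empty, as in the thread.
    print(resolve_roles(ROLES, {"ldap": []}))
    after = resolve_roles(ROLES, {"ldap": [ADMIN_GROUP, INDIA_GROUP]})
    print(after, is_lc_admin(ROLES, after["roles"]))
```

With an empty group list the result matches the debug output quoted earlier (no roles, so no admin rights); once the group filter returns AdminGroup, admin-lv3 is granted and LC_admins applies.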

smacz42 commented 5 years ago

Should this issue be marked as closed @kakwa?