Closed bhulsken closed 3 years ago
Hi Bas, the option ldap_search_base_dn denotes the base of the sub tree which is searched for both users and groups. In principle, you can use the base DN of your LDAP. At least, that's what I do: my base is dc=chaos,dc=de, the users are in ou=People,dc=chaos,dc=de and the groups are in ou=Group,dc=chaos,dc=de. Providing separate base DNs for users and groups would only make the searches more efficient.
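The reply above, worked through as an added example (not part of the thread and not little_brother's own code): it derives the deepest base DN that covers both the user and the group sub tree, and shows which entries fall inside a given base. The helper names and the sample entries are constructed for illustration, and comparing RDNs case-insensitively is a simplifying assumption that holds for dc/ou/cn/uid values.

```python
# Added illustration: pure-Python DN handling, no LDAP server or library needed.
USERS_OU = "ou=People,dc=chaos,dc=de"   # from the reply above
GROUPS_OU = "ou=Group,dc=chaos,dc=de"   # from the reply above
SAMPLE_ENTRIES = [                      # constructed sample entries
    "uid=alice,ou=People,dc=chaos,dc=de",
    "cn=wheel,ou=Group,dc=chaos,dc=de",
    "cn=backup,ou=Services,dc=chaos,dc=de",
]

def normalize_rdn(rdn):
    """Lower-case attribute and value and trim whitespace (assumed case-insensitive match)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower() + "=" + value.strip().lower()

def split_dn(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas inside a value."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch != ",":
            cur.append(ch)
            escaped = (ch == "\\") and not escaped
        else:
            rdns.append("".join(cur))
            cur = []
    rdns.append("".join(cur))
    return [normalize_rdn(r) for r in rdns if r.strip()]

def common_base_dn(dns):
    """Longest shared DN suffix: the deepest single base that contains every given sub tree."""
    reversed_parts = [list(reversed(split_dn(d))) for d in dns]
    common = []
    for level in zip(*reversed_parts):
        if len(set(level)) != 1:
            break
        common.append(level[0])
    return ",".join(reversed(common))

def in_subtree(entry_dn, base_dn):
    """True if entry_dn equals base_dn or lies below it (what a subtree-scope search covers)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    return len(base) <= len(entry) and entry[len(entry) - len(base):] == base

def entries_in_scope(base_dn, entries=SAMPLE_ENTRIES):
    """Entries a subtree search from base_dn can reach, before any group-name filter."""
    return [e for e in entries if in_subtree(e, base_dn)]

if __name__ == "__main__":
    base = common_base_dn([USERS_OU, GROUPS_OU])
    print("ldap_search_base_dn =", base)
    print("reachable from common base:", entries_in_scope(base))
    print("reachable from users OU only:", entries_in_scope(USERS_OU))
```

With the common base, the search also reaches entries in sibling OUs such as the constructed ou=Services entry, so the user/admin group names are what actually narrow the result.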
Thanks, that worked! Didn't think of trying that :)
I do think however that having 2 search bases could make sense, I have a simple LDAP layout, but it's not uncommon to have multiple ou for different users (students, staff, guests, ..). On the other hand you do allow a specific user/admin group name to filter, so that should allow most use cases I guess.
In any case, LDAP is working for me now, and it's a nice improvement over the manual entering of users, great work!
By the way: You may be affected by this issue: https://github.com/marcus67/little_brother/issues/138. Since I know that somebody else is using the LDAP implementation now I will make this issue a high priority one.
It is quite common to have different ou for groups (containing posixGroup) and people (containing posixUser), currently it seems the config does not allow for that:
# Distinguished name of the sub tree containing Posix users and groups (mandatory)
ldap_search_base_dn = ou=people,dc=example,dc=com
Would be good to be able to specify separate sub trees for people and groups, without that option I can't get ldap to work for my config (wheel group for admins is in Groups ou, users to monitor are in people ou).