munkireport / munkireport-php

A reporting tool for munki
MIT License

Support group filter membership search with adldap2 #1286

Open MichalMMac opened 5 years ago

MichalMMac commented 5 years ago

Hello,

Current MR code uses the adldap2 library to talk with LDAP servers. It works great. However, the only way to allow access based on group membership is the AUTH_AD_ALLOWED_GROUPS option. Enabling this option results in the PHP code searching for the memberOf attribute in the user LDAP object. This works great with Active Directory.

OpenLDAP in its default form does not generate memberOf attributes in the user objects. There are ways to enable this behavior with overlays, but it's not a trivial endeavour in some cases.

It would be great to have an alternative method for determining group membership, something like the AUTH_LDAP_GROUP_FILTER that the previous implementation of LDAP support in MR had.
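An added example (not MunkiReport's own code) of the group-filter approach requested above, written against PHP's built-in ldap extension rather than adldap2. It assumes `$conn` is an already-bound LDAP handle and that the AUTH_LDAP_GROUP_* names match the .env settings quoted later in this issue.

```php
<?php
// Added example, not MunkiReport code: decide group membership by searching
// the group subtree for entries that list the user, instead of reading the
// memberOf attribute from the user object. Parameter names follow the
// AUTH_LDAP_GROUP_* settings quoted in this issue. $conn is assumed to be an
// LDAP handle that has already been bound (ldap_connect + ldap_bind).

/**
 * Names ($groupKey values, e.g. "cn") of groups below $groupBase that match
 * $groupFilter and list the user as a member.
 */
function ldapGroupsForUser($conn, string $groupBase, string $groupFilter,
                           string $groupScope, string $groupKey,
                           string $userDn, string $uid): array
{
    // User-derived values are escaped per RFC 4515 so a crafted login name
    // cannot change the structure of the filter.
    $dn = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    $id = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);

    // groupOfNames uses "member", groupOfUniqueNames "uniqueMember" and
    // posixGroup "memberUid"; accept whichever the directory uses.
    $member = "(|(member={$dn})(uniqueMember={$dn})(memberUid={$id}))";
    $filter = "(&{$groupFilter}{$member})";   // $groupFilter is already parenthesised

    // AUTH_LDAP_GROUP_SCOPE maps onto the three ldap_* search functions.
    $fn = ['sub' => 'ldap_search', 'one' => 'ldap_list', 'base' => 'ldap_read'];
    $search = $fn[strtolower($groupScope)] ?? 'ldap_search';

    $result = $search($conn, $groupBase, $filter, [$groupKey]);
    if ($result === false) {
        return [];   // failed search means "no groups", never "allowed"
    }

    $groups = [];
    $key = strtolower($groupKey);   // ldap_get_entries lowercases attribute names
    foreach (ldap_get_entries($conn, $result) as $entry) {
        if (is_array($entry) && isset($entry[$key][0])) {
            $groups[] = $entry[$key][0];
        }
    }
    return $groups;
}

/** True when the user is in at least one of the comma-separated allowed groups. */
function userAllowedByGroupSearch($conn, array $cfg, string $userDn, string $uid): bool
{
    $allowed = array_map('trim', explode(',', $cfg['AUTH_LDAP_ALLOWED_GROUPS']));
    $groups = ldapGroupsForUser($conn, $cfg['AUTH_LDAP_GROUP_BASE'],
        $cfg['AUTH_LDAP_GROUP_FILTER'], $cfg['AUTH_LDAP_GROUP_SCOPE'],
        $cfg['AUTH_LDAP_GROUP_KEY'], $userDn, $uid);
    return array_intersect($allowed, $groups) !== [];
}
```

Because the group search runs with the service account's bound connection, the user is granted access only when a group entry actually lists them, which needs no memberOf overlay on the OpenLDAP side.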

jelockwood commented 4 years ago

@MichalMMac It's been a while since I set this up but I believe I managed to get adldap2 working for group membership with FreeIPA.

It should be noted that adldap2 has schema support for various LDAP servers - obviously this includes Active Directory but it does also include OpenLDAP and FreeIPA.

The following settings are what I used in conjunction with FreeIPA, so bear in mind they might need adjusting for OpenLDAP.

(The first section is still listed in my .env but might be obsolete dating back from before Munkireport used adldap2)

AUTH_LDAP_GROUP_BASE="cn=groups,cn=accounts,dc=server,dc=example,dc=com"
AUTH_LDAP_GROUP_FILTER="(&(objectClass=posixGroup)(cn=*))"
AUTH_LDAP_GROUP_SCOPE="sub"
AUTH_LDAP_GROUP_KEY="cn"
AUTH_LDAP_ALLOWED_GROUPS="mygroup"

(Note the schema entry below)

AUTH_AD_SCHEMA="FreeIPA"
AUTH_AD_BASE_DN="cn=users,cn=accounts,dc=server,dc=example,dc=com"
AUTH_AD_ACCOUNT_PREFIX="uid="
AUTH_AD_ACCOUNT_SUFFIX=",cn=users,cn=accounts,dc=server,dc=example,dc=com"
AUTH_AD_HOSTS="server.example.com"
AUTH_AD_ALLOWED_GROUPS="mygroup"
AUTH_AD_RECURSIVE_GROUPSEARCH=FALSE