
#1291 MRBS + LDAP admin group

Status: open
Owner: nobody
Labels: None
Priority: 1
Updated: 2020-11-13
Created: 2017-08-18
Private: No

[Transferred from the general mailing list]

I'm having issues trying to get $ldap_admin_group_dn to work.

My users are logging in OK, and are denied when they enter a bad password, but it seems that everybody has permission level 1 only when logged in, and we need the members of the mrbs_admins LDAP group to be admins (level 2) on MRBS.

Something is obviously wrong but I can't figure out what it is.

This is an OpenLDAP scenario (Not Active Directory).

Our config is:

config.php

$auth["type"] = "ldap";
$ldap_host = "ii.pp.aa.dd";
$ldap_base_dn = "ou=Users,dc=example,dc=com";
$ldap_user_attrib = "uid";
$ldap_email_attrib = "mail";

#$ldap_admin_group_dn = "mrbs_admins";
#$ldap_admin_group_dn = "dn=mrbs_admins,dc=example,dc=com";
$ldap_admin_group_dn = "cn=mrbs_admins,ou=Groups,dc=example,dc=com";

#$ldap_group_member_attrib = 'memberof';
$ldap_group_member_attrib = 'memberUID';
#$ldap_group_member_attrib = 'memberUid';

$ldap_debug = TRUE;

(commented-out lines are previous attempts)

slapcat's dump (group only):

dn: cn=mrbs_admins,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
gidNumber: 10010
cn: mrbs_admins
structuralObjectClass: posixGroup
entryUUID: ********-****-****-****-**********
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20170725192656Z
sambaSID: S-1-5-21-*******-*******-*******-****
sambaGroupType: 2
displayName: mrbs_admins
description:: ********************************
memberUid: someuser
memberUid: someuser2
memberUid: someuser3
entryCSN: 20170725193400Z#000000#00#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20170725193400Z
-----

Debugging output:

2017/08/17 18:34:27 [error] 16891#16891: *572606 FastCGI sent in stderr: "PHP message: authLdapAction: Got LDAP connection
PHP message: authLdapAction: Constructed dn 'uid=someuser,ou=Users,dc=example,dc=com' and user_search 'uid=someuser' using 'uid'
PHP message: authValidateUserCallback: base_dn 'ou=Users,dc=example,dc=com' dn 'uid=someuser,ou=Users,dc=example,dc=com' user 'someuser'
PHP message: authValidateUserCallback: Successful authenticated bind with no $ldap_filter
PHP message: authLdapAction: Got LDAP connection
PHP message: authLdapAction: Constructed dn 'uid=someuser,ou=Users,dc=example,dc=com' and user_search 'uid=someuser' using 'uid'
PHP message: authLdapCheckAdminGroupCallback: base_dn 'ou=Users,dc=example,dc=com' dn 'uid=someuser,ou=Users,dc=example,dc=com' user_search 'uid=someuser' user 'someuser'
PHP message: authCheckAdminGroupCallback: search successful memberUID" while reading response header from upstream, client: 172.24.30.6, server: reserva.example.com, request: "POST /admin.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "reserva.example.com", referrer: "https://reserva.example.com/admin.php?day=17&month=8&year=2017&area=1&room=3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3"
2017/08/17 18:34:27 [error] 16891#16891: *572606 FastCGI sent in stderr: "PHP message: authLdapAction: Got LDAP connection
PHP message: authLdapAction: Constructed dn 'uid=someuser,ou=Users,dc=example,dc=com' and user_search 'uid=someuser' using 'uid'
PHP message: authLdapCheckAdminGroupCallback: base_dn 'ou=Users,dc=example,dc=com' dn 'uid=someuser,ou=Users,dc=example,dc=com' user_search 'uid=someuser' user 'someuser'
PHP message: authCheckAdminGroupCallback: search successful memberUID
PHP message: authLdapAction: Got LDAP connection
PHP message: authLdapAction: Constructed dn 'uid=someuser,ou=Users,dc=example,dc=com' and user_search 'uid=someuser' using 'uid'
PHP message: authLdapCheckAdminGroupCallback: base_dn 'ou=Users,dc=example,dc=com' dn 'uid=someuser,ou=Users,dc=example,dc=com' user_search 'uid=someuser' user 'someuser'
PHP message: authCheckAdminGroupCallback: search successful memberUID
PHP message: authLdapAction: Got LDAP connection
PHP message: authLdapAction: Constructed dn 'uid=someuser,ou=Users,dc=example,dc=com' and user_search 'uid=someuser' using 'uid'
PHP message: authLdapCheckAdminGroupCallback: base_dn 'ou=Users,dc=example,dc=com' dn 'uid=someuser,ou=Users,dc=example,dc=com' user_search 'uid=someuser' user 'someuser'
PHP message: authCheckAdminGroupCallback: search successful memberUID" while reading response header from upstream, client: 172.24.30.6, server: reserva.example.com, request: "GET /admin.php?day=17&month=8&year=2017&area=1&room=3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.php%3Fday%3D17%26month%3D8%26year%3D2017%26area%3D1%26room%3D3&returl=https%3A%2F%2Freserva.example.com%2Fadmin.ph

Does anybody see something that I am missing?

Discussion

  • John Beranek - 2017-08-18

    Hmm, reading the code, I think the use of $ldap_admin_group_dn only works for LDAP schema where group membership is stored in the user object, and not in LDAP schemas like OpenLDAP's where group membership is stored in the group object. I might be able to put together some code to work for the OpenLDAP case, but I don't think I have a working OpenLDAP directory to test it on at the moment...

  • John Beranek - 2017-08-18

    Hmm, it's a bit tricky to add a search for a group object into the existing code, as the main authLdapAction() is very much tied to searching for a user and not a group. Let me think a bit more...

  • Anonymous - 2018-06-16

    Same problem here -- I tried to add an admin group via OpenLDAP, but it's not working. Is there a solution meanwhile?

  • Kazuhide Takahashi

    I have created a patch that modifies the MRBS admin judgement for LDAP so that it works the same way as for a generic POSIX account.
    This seems to work very well, at least in my place.

    The configuration is like this:

    # Where is the LDAP server
    $ldap_host = "localhost";
    $ldap_v3 = true;
    $ldap_tls = false;
    $ldap_base_dn[] = "ou=People,dc=some,dc=domein,dc=name";
    $ldap_port = 389;
    $ldap_user_attrib = "uid";
    $ldap_dn_search_attrib = "mail";
    $ldap_dn_search_dn = "cn=Manager,dc=some,dc=domein,dc=name";
    $ldap_dn_search_password = "password";
    $ldap_email_attrib = 'mail';
    $ldap_name_attrib = 'cn';
    $ldap_admin_group_dn = 'cn=Administrators,ou=Group,dc=some,dc=domein,dc=name';
    $ldap_group_member_attrib = 'memberUid';
    $ldap_debug = true;
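Added example (not MRBS code, and not the patch mentioned above) of the group-object membership check John Beranek describes, in PHP because that is what MRBS is written in: it reads the posixGroup entry itself and tests whether its memberUid values list the user, next to the user-object (memberOf) style check that only works where membership is stored on the user. It assumes an already bound connection handle $ldap; the function names and parameter names are hypothetical.

```php
<?php
// Added example (not MRBS code). Two ways to decide whether a user is an admin.
// Assumes $ldap is an LDAP connection already bound with enough rights to read
// the group entry (for instance the $ldap_dn_search_dn service account).

// OpenLDAP / posixGroup style: membership lives on the GROUP object (memberUid).
function is_admin_via_group_object($ldap, string $group_dn, string $member_attrib, string $username): bool
{
    // Escape the user-supplied value so it cannot change the filter's meaning.
    $safe_user = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    // ldap_read() is a base-scope search: it looks only at $group_dn itself.
    $result = @ldap_read($ldap, $group_dn, "($member_attrib=$safe_user)", array('dn'));
    if ($result === false) {
        // Missing group, wrong DN or no read permission: fail closed, never open.
        error_log("admin check on '$group_dn' failed: " . ldap_error($ldap));
        return false;
    }
    $found = (ldap_count_entries($ldap, $result) === 1);
    ldap_free_result($result);
    return $found;
}

// Active Directory style: membership lives on the USER object (memberOf).
// A check of this shape cannot see memberUid values held on a posixGroup.
function is_admin_via_user_object($ldap, string $user_dn, string $group_dn): bool
{
    $safe_group = ldap_escape($group_dn, '', LDAP_ESCAPE_FILTER);
    $result = @ldap_read($ldap, $user_dn, "(memberOf=$safe_group)", array('dn'));
    if ($result === false) {
        return false;
    }
    $found = (ldap_count_entries($ldap, $result) === 1);
    ldap_free_result($result);
    return $found;
}

// With the directory from the report: the group entry carries memberUid: someuser,
// so the group-object check yields level 2, while the user entry has no memberOf,
// so a user-object check (the style John Beranek says the code performs) stays at level 1.
$group_dn = 'cn=mrbs_admins,ou=Groups,dc=example,dc=com';
$user_dn  = 'uid=someuser,ou=Users,dc=example,dc=com';
$level = is_admin_via_group_object($ldap, $group_dn, 'memberUid', 'someuser') ? 2 : 1;
```

LDAP attribute names are case-insensitive, so memberUID versus memberUid in $ldap_group_member_attrib does not by itself explain the failure; what matters is which entry the attribute is read from.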