LDAP groups have no members in Indico

Hi,
We’re trying to follow the documentation to connect Indico to an OpenLdap, but is somehow failing.

We detect the test group from Indico, but can not see the members in ‘windows stile’ using the OpenLdap memberof overlay.

We have a bit old openldap2-2.4, and the indico (v 2.2.3 , PostgreSQL 9.6.12)…

We thought the problem was the Indico version, as stated in the next link, but we have one of the latest Indico versions and no way. https://talk.getindico.io/t/adding-ldap-server-to-indicos-configuration-failed/1512

On our openldap we have implemented long time ago the ‘windows membership’, and it’s being used by many windows systems without issues, as far as we know.

On our test overlay group we have:

dn: cn=TestIndico,ou=Groups,dc=ACME,dc=COM
objectClass: groupOfNames
cn: TestIndico
structuralObjectClass: groupOfNames
member: uid=user1,ou=People,dc=ACME,dc=COM
member: uid=user2,ou=People,dc=ACME,dc=COM
(...)
 
On users belonging to the TestIndico group we have:
dn: uid=user1,ou=People,dc=ACME,dc=COM
objectClass: posixAccount
objectClass: inetOrgPerson
(..)
memberOf: cn=TestIndico,ou=Groups,dc=ACME,dc=COM

The ldap configuration on Indico is:

# OpenLDAP
_ldap_config = {
    'uri': 'ldaps://LDAPS.ACME.COM',
    'bind_dn': 'uid=misuser,ou=People,dc=ACME,dc=COM',
    'bind_password': '********',
    'timeout': 30,
    'verify_cert': False,
    'page_size': 1500,
 
    'uid': 'uid',
    'user_base': 'ou=People,dc=ACME,dc=COM',
    'user_filter': '(objectclass=posixAccount)',
 
    'gid': 'cn',
    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=groupOfNames)',      (??????)
    'member_of_attr': 'member',                        (??????)
    'ad_group_style': False                            (??????)
}
 
 
AUTH_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}
 
IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'company',
            'phone': 'telephoneNumber'
        },
        'trusted_email': True,
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation', 'phone', 'address'}
    }
 
}

Right now, from the Indico Administration we can get all the LDAP groups but not their members. Do you know what can be wrong here?

Thanks in advance!!

'member_of_attr': 'member' should most likely be set to memberOf

PS: 2.2.3 is outdated; please update ASAP since 2.2.4 contains a security fix (and 2.2.5 fixes a bunch of smaller bugs) :slight_smile:

Hello again,

we have just upgraded to Indico v 2.2.5 and we did the change you proposed in indico.conf and we still have the same problem retrieving members of LDAP groups.

This is a little explanation of what we have in our system and what we have tested:

On our Openldap we have two different type of groups, Linux like, and Windows Like (with overlay).

For standard “Linux like” groups we have:

dn: cn=MISSING,ou=Groups,dc=ACME,dc=COM
objectClass: posixGroup
memberUid: userX
memberUid: userY
(...)

With Indico config:

    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=posixGroup)',
    'member_of_attr': 'memberUid',
    'ad_group_style': False

We can search and find the “Linux like” group names, but are empty. No members are shown.

On our, Windows like, test overlay group we have:

dn: cn=TestIndico,ou=Groups,dc=ACME,dc=COM
objectClass: groupOfNames
cn: TestIndico
structuralObjectClass: groupOfNames
member: uid=user1,ou=People,dc=ACME,dc=COM
member: uid=user2,ou=People,dc=ACME,dc=COM
(...)

With Indico config:

    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=groupOfNames)',
    'member_of_attr': 'member',
    'ad_group_style': False

We can search and find the “windows like” group names, but are empty. No members found by Indico.

We also tried with'ad_group_style': False & 'ad_group_style': True with the same result.
And of course we tried with'member_of_attr': 'memberOf' as you suggested, but no way.

We don’t know what can be wrong, do you have any idea on what we are missing?

Thank you very much!!

Hi,

If read the ldap-code in flask-multipass[1] correctly, then mixing openLDAP-style groups ( a memberOF atttribute on the user is used) and AD-style groups (a list of members in the Group) is currently unsupported.
And listing members of a group is only implemented for OpenLDAP-Style.

[1] https://github.com/indico/flask-multipass/blob/master/flask_multipass/providers/ldap/providers.py