LDAP groups have no members in Indico

Hi,
We’re trying to follow the documentation to connect Indico to an OpenLDAP server, but it is somehow failing.

We detect the test group from Indico, but cannot see the members in ‘windows style’ using the OpenLDAP memberof overlay.

We have a somewhat old openldap2-2.4, and Indico (v 2.2.3, PostgreSQL 9.6.12)…

We thought the problem was the Indico version, as stated in the following link, but we have one of the latest Indico versions and still no way: https://talk.getindico.io/t/adding-ldap-server-to-indicos-configuration-failed/1512

On our OpenLDAP we implemented the ‘windows membership’ a long time ago, and it is being used by many Windows systems without issues, as far as we know.

On our test overlay group we have:

dn: cn=TestIndico,ou=Groups,dc=ACME,dc=COM
objectClass: groupOfNames
cn: TestIndico
structuralObjectClass: groupOfNames
member: uid=user1,ou=People,dc=ACME,dc=COM
member: uid=user2,ou=People,dc=ACME,dc=COM
(...)
 
On users belonging to the TestIndico group we have:
dn: uid=user1,ou=People,dc=ACME,dc=COM
objectClass: posixAccount
objectClass: inetOrgPerson
(..)
memberOf: cn=TestIndico,ou=Groups,dc=ACME,dc=COM

The ldap configuration on Indico is:

# OpenLDAP
_ldap_config = {
    'uri': 'ldaps://LDAPS.ACME.COM',
    'bind_dn': 'uid=misuser,ou=People,dc=ACME,dc=COM',
    'bind_password': '********',
    'timeout': 30,
    'verify_cert': False,
    'page_size': 1500,
 
    'uid': 'uid',
    'user_base': 'ou=People,dc=ACME,dc=COM',
    'user_filter': '(objectclass=posixAccount)',
 
    'gid': 'cn',
    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=groupOfNames)',      # (??????)
    'member_of_attr': 'member',                        # (??????)
    'ad_group_style': False                            # (??????)
}
 
 
AUTH_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'default': True
    }
}
 
IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': _ldap_config,
        'mapping': {
            'first_name': 'givenName',
            'last_name': 'sn',
            'email': 'mail',
            'affiliation': 'company',
            'phone': 'telephoneNumber'
        },
        'trusted_email': True,
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation', 'phone', 'address'}
    }
 
}

Right now, from the Indico Administration we can get all the LDAP groups but not their members. Do you know what can be wrong here?

Thanks in advance!!

'member_of_attr': 'member' should most likely be set to memberOf.

PS: 2.2.3 is outdated; please update ASAP since 2.2.4 contains a security fix (and 2.2.5 fixes a bunch of smaller bugs) :slight_smile:

Hello again,

We have just upgraded to Indico v 2.2.5 and made the change you proposed in indico.conf, and we still have the same problem retrieving members of LDAP groups.

This is a little explanation of what we have in our system and what we have tested:

On our OpenLDAP we have two different types of groups: Linux-like and Windows-like (with overlay).

For standard “Linux-like” groups we have:

dn: cn=MISSING,ou=Groups,dc=ACME,dc=COM
objectClass: posixGroup
memberUid: userX
memberUid: userY
(...)

With Indico config:

    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=posixGroup)',
    'member_of_attr': 'memberUid',
    'ad_group_style': False

We can search and find the “Linux-like” group names, but they are empty. No members are shown.

On our Windows-like test overlay group we have:

dn: cn=TestIndico,ou=Groups,dc=ACME,dc=COM
objectClass: groupOfNames
cn: TestIndico
structuralObjectClass: groupOfNames
member: uid=user1,ou=People,dc=ACME,dc=COM
member: uid=user2,ou=People,dc=ACME,dc=COM
(...)

With Indico config:

    'group_base': 'ou=Groups,dc=ACME,dc=COM',
    'group_filter': '(objectclass=groupOfNames)',
    'member_of_attr': 'member',
    'ad_group_style': False

We can search and find the “Windows-like” group names, but they are empty. No members are found by Indico.

We also tried with 'ad_group_style': False and 'ad_group_style': True, with the same result.
And of course we tried with 'member_of_attr': 'memberOf' as you suggested, but no way.

We don’t know what can be wrong. Do you have any idea what we are missing?

Thank you very much!!

Hi,

If I read the LDAP code in flask-multipass[1] correctly, then mixing OpenLDAP-style groups (a memberOf attribute on the user is used) and AD-style groups (a list of members in the group) is currently unsupported.
And listing members of a group is only implemented for OpenLDAP-style.

[1] https://github.com/indico/flask-multipass/blob/master/flask_multipass/providers/ldap/providers.py

Check out GitHub - bpedersen2/flask-multipass-ldap-mlz: MLZ-specific LDAP group mapping for a basic implementation of LDAP group mapping with only memberUid style groups (no memberOf support).
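To make the difference between the two lookup directions concrete, here is an added example (not Indico, flask-multipass or MLZ-plugin code) that models both membership styles described in the thread over a tiny in-memory directory built from constructed LDIF. The "user-side" lookup searches user entries for `member_of_attr=<group DN>`, which is the OpenLDAP/memberOf style the reply above says flask-multipass implements for listing members; the "group-side" lookup reads `member`/`memberUid` values stored on the group entry (the groupOfNames/posixGroup style). The function names, the `diagnose()` helper and the sample entries are this example's own assumptions, not flask-multipass's API, and the search pattern is a simplified model of the behaviour the thread describes rather than the library's exact code.

```python
"""Model of the two LDAP group-membership styles discussed in the thread.

Added example, not Indico or flask-multipass code. Builds an in-memory
directory from constructed LDIF and resolves group members two ways:
  - user-side: search user entries for <member_of_attr>=<group DN>
    (OpenLDAP/memberOf style, the one the thread says is used for listing)
  - group-side: read member / memberUid values stored on the group entry
    (groupOfNames / posixGroup style)
"""
import re

# Constructed sample entries mirroring the shapes shown in the thread.
SAMPLE_LDIF = """\
dn: cn=TestIndico,ou=Groups,dc=ACME,dc=COM
objectClass: groupOfNames
cn: TestIndico
member: uid=user1,ou=People,dc=ACME,dc=COM
member: uid=user2,ou=People,dc=ACME,dc=COM

dn: cn=MISSING,ou=Groups,dc=ACME,dc=COM
objectClass: posixGroup
cn: MISSING
memberUid: user1
memberUid: user3

dn: uid=user1,ou=People,dc=ACME,dc=COM
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user1
memberOf: cn=TestIndico,ou=Groups,dc=ACME,dc=COM

dn: uid=user2,ou=People,dc=ACME,dc=COM
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user2
memberOf: cn=TestIndico,ou=Groups,dc=ACME,dc=COM

dn: uid=user3,ou=People,dc=ACME,dc=COM
objectClass: posixAccount
objectClass: inetOrgPerson
uid: user3
"""

# Assumed config values, copied from the thread's indico.conf snippet.
BASE_CFG = {"uid": "uid", "user_base": "ou=People,dc=ACME,dc=COM",
            "user_filter": "(objectclass=posixAccount)"}
TEST_GROUP = "cn=TestIndico,ou=Groups,dc=ACME,dc=COM"
POSIX_GROUP = "cn=MISSING,ou=Groups,dc=ACME,dc=COM"


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lowercase: [values]}}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, dn = {}, None
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attr, value = attr.strip(), value.strip()
            if attr.lower() == "dn":
                dn = value
            else:
                entry.setdefault(attr.lower(), []).append(value)
        directory[dn] = entry
    return directory


def _matches(entry, attr, value):
    """Case-insensitive equality match on one attribute, LDAP-filter style."""
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def members_via_user_attr(directory, cfg, group_dn):
    """User-side lookup: (&(user_filter)(<member_of_attr>=<group_dn>)) under user_base."""
    objectclass = re.match(r"\(objectclass=(\w+)\)", cfg["user_filter"], re.I).group(1)
    return sorted(entry[cfg["uid"].lower()][0]
                  for dn, entry in directory.items()
                  if dn.lower().endswith("," + cfg["user_base"].lower())
                  and _matches(entry, "objectclass", objectclass)
                  and _matches(entry, cfg["member_of_attr"], group_dn))


def members_via_group_attr(directory, cfg, group_dn):
    """Group-side lookup: membership values stored on the group entry itself."""
    uids = []
    for value in directory.get(group_dn, {}).get(cfg["member_of_attr"].lower(), []):
        if "=" in value:                      # a DN (groupOfNames 'member'): resolve to uid
            user = directory.get(value)
            if user is not None:
                uids.append(user[cfg["uid"].lower()][0])
        else:                                 # a bare uid (posixGroup 'memberUid')
            uids.append(value)
    return sorted(uids)


def diagnose(directory=None):
    """Run the thread's three member_of_attr settings through both lookups."""
    directory = parse_ldif(SAMPLE_LDIF) if directory is None else directory
    results = {}
    for label, attr, group_dn in [("groupOfNames/member", "member", TEST_GROUP),
                                  ("groupOfNames/memberOf", "memberOf", TEST_GROUP),
                                  ("posixGroup/memberUid", "memberUid", POSIX_GROUP)]:
        cfg = dict(BASE_CFG, member_of_attr=attr)
        results[label] = {"user_side": members_via_user_attr(directory, cfg, group_dn),
                          "group_side": members_via_group_attr(directory, cfg, group_dn)}
    return results


if __name__ == "__main__":
    for label, found in diagnose().items():
        print(f"{label:24s} user-side={found['user_side']} group-side={found['group_side']}")
```

Run as a script, the only configuration for which the user-side search returns anyone is `member_of_attr: 'memberOf'` on the overlay-maintained group; `'member'` and `'memberUid'` live on the group entry, so a search over user entries for them is empty, which matches the "group names found but no members" symptom. If the memberOf configuration still returns nothing on a real server, the check worth doing outside Indico is an `ldapsearch` under `ou=People` with the filter `(memberOf=cn=TestIndico,ou=Groups,dc=ACME,dc=COM)`; note that slapo-memberof defines memberOf as an operational attribute, so it has to be requested explicitly (or with `+`) to appear in the output, although filters on it work either way.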