USER SECURITY GROUP IN OpenLDAP


LDAP security groups let us enforce access restrictions on LDAP users: applications and devices that authenticate against the directory can be configured to admit only the members of a particular group. In OpenLDAP a group is an entry (typically of objectClass groupOfNames) whose "member" attribute lists the DNs of its users. The reverse view, a "memberOf" attribute on each user entry listing the groups the user belongs to, is what most applications query, and a stock OpenLDAP server does not maintain it. The "memberOf" attribute is generated by the memberOf overlay, which has to be loaded and enabled first.

This article explains how to enable the memberOf overlay in OpenLDAP installed on the Ubuntu 18.04 operating system and uses the phpLDAPadmin GUI to demonstrate the group operations. Ubuntu 18.04 ships OpenLDAP 2.4; in OpenLDAP 2.5 and later the memberOf overlay is deprecated in favour of the dynlist overlay, so check the release notes before reusing these steps on a newer server.

Note: if you still need to install and configure OpenLDAP and phpLDAPadmin, see this post first: https://www.thedeveloperfriend.com/ldap/installing-openldap-server-with-phpldapadmin-on-ubuntu-18-04/

CONFIGURING THE MEMBEROF OVERLAY

1. Create a new file "/tmp/loadmemberofmodule.ldif" with the following content (olcModulePath is the directory where the Ubuntu slapd package installs its modules),

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof.la

2. Execute the LDIF file created above with the following command. It connects to the local slapd over the ldapi:/// socket and authenticates with SASL EXTERNAL, which maps the local root user to the cn=config administrator, so run it as root (or with sudo),

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/loadmemberofmodule.ldif

3. Create a new file "/tmp/applyoverlay.ldif" with the following content. olcDatabase={1}mdb is the database that the Ubuntu 18.04 slapd package creates for your suffix; if the server has been reconfigured, confirm which olcDatabase entry under cn=config carries your olcSuffix and adjust the DN accordingly. olcMemberOfRefint: TRUE makes the overlay keep member and memberOf consistent when a group or user entry is deleted,

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: memberof
olcMemberOfRefint: TRUE

4. Execute the LDIF file created above with the following command,

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/applyoverlay.ldif

The overlay only maintains memberOf for membership changes made from this point on. Users that were already listed in a group's member attribute before the overlay was enabled do not receive a memberOf value until they are removed from the group and added again, so audit any existing groups after enabling it.
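The four steps above can be scripted so that the database DN is looked up instead of hard-coded, nothing is added twice on a re-run, and the result is verified by reading cn=config back. The following is an added example, not code from the original article or from the OpenLDAP project; it shells out to the same ldapsearch and ldapadd commands over ldapi:/// with SASL EXTERNAL, so it must run as root on the slapd host. The SUFFIX value is an assumption taken from the article's example DNs.

```python
"""Enable the memberOf overlay on whichever database in cn=config serves your
suffix, then verify it. Added example, not code from the original article or
the OpenLDAP project. It runs the same ldapsearch/ldapadd commands as the
article over ldapi:/// with SASL EXTERNAL, so run it as root on the slapd host.
SUFFIX is an assumption taken from the article's example DNs."""
import subprocess
from typing import Optional

SUFFIX = "dc=thedeveloperfriend,dc=com"     # assumption: replace with your base DN
LDAPI = ["-Q", "-Y", "EXTERNAL", "-H", "ldapi:///"]

# Same content as the article's /tmp/loadmemberofmodule.ldif.
MODULE_LDIF = (
    "dn: cn=module,cn=config\n"
    "cn: module\n"
    "objectClass: olcModuleList\n"
    "olcModulePath: /usr/lib/ldap\n"
    "olcModuleLoad: memberof.la\n"
)

def overlay_ldif(db_dn: str) -> str:
    """The article's applyoverlay.ldif, parameterised on the database DN."""
    return (
        f"dn: olcOverlay=memberof,{db_dn}\n"
        "objectClass: olcOverlayConfig\n"
        "objectClass: olcMemberOf\n"
        "olcOverlay: memberof\n"
        "olcMemberOfRefint: TRUE\n"
    )

def first_dn(ldapsearch_output: str) -> Optional[str]:
    """DN of the first entry in ldapsearch -LLL output, or None if nothing matched."""
    for line in ldapsearch_output.splitlines():
        if line.startswith("dn: "):
            return line[4:].strip()
    return None

def ldapsearch(base: str, flt: str, *attrs: str) -> str:
    cmd = ["ldapsearch", "-LLL", *LDAPI, "-b", base, flt, *attrs]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def ldapadd(ldif: str) -> None:
    subprocess.run(["ldapadd", *LDAPI], input=ldif, check=True, text=True)

def database_dn(suffix: str = SUFFIX) -> Optional[str]:
    """olcDatabase entry whose olcSuffix is `suffix`; '1.1' requests no attributes."""
    return first_dn(ldapsearch("cn=config", f"(olcSuffix={suffix})", "1.1"))

def memberof_enabled(db_dn: str) -> bool:
    return first_dn(ldapsearch(db_dn, "(objectClass=olcMemberOf)", "1.1")) is not None

def enable_memberof(suffix: str = SUFFIX) -> str:
    """Idempotent: loads the module and attaches the overlay only when missing."""
    db_dn = database_dn(suffix)
    if db_dn is None:
        raise SystemExit(f"no database in cn=config serves {suffix}")
    loaded = ldapsearch("cn=config", "(objectClass=olcModuleList)", "olcModuleLoad")
    if "memberof" not in loaded.lower():
        ldapadd(MODULE_LDIF)
    if not memberof_enabled(db_dn):
        ldapadd(overlay_ldif(db_dn))
    if not memberof_enabled(db_dn):       # re-read cn=config rather than trust the add
        raise SystemExit(f"memberof overlay still missing under {db_dn}")
    return db_dn

if __name__ == "__main__":
    print("memberOf overlay active on", enable_memberof())
    print("reminder: memberships that predate the overlay are not back-filled")
```

Run it as root on the server (python3 enable_memberof.py); it prints the database DN the overlay was attached to and exits non-zero if no database serves the suffix or the overlay does not show up in cn=config afterwards.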

HOW TO CREATE A SECURITY GROUP IN OpenLDAP

1. Open phpLDAPadmin in a browser using the URL below. The admin DN and password entered in the next steps travel in clear text over plain http, so serve phpLDAPadmin over https unless the browser runs on the LDAP host itself,

http://<OPENLDAP_IP_ADDRESS>/phpldapadmin/

2. Click on the login link.

3. Enter “Login DN” as the distinguished name of admin user (Example: cn=admin,dc=thedeveloperfriend,dc=com)

4. Enter the administrative password.

5. Click on the “Authenticate” button.

6. Expand the root node.

7. Click the "Create new entry here" link and select the "Default" template.

8. Select "groupOfNames" as the ObjectClass and click the "Proceed" button. A groupOfNames entry must contain at least one member value, which is why the following steps pick an initial user.

9. Select "cn (cn)" as the RDN.

10. Enter the group name as the cn value (Example: HR Group).

11. Click the explore button under the member field.

12. Expand the root node and select a user.

13. Click on the “Create Object” button.

14. Confirm the details and click on the “Commit” button.

HOW TO ADD/REMOVE A USER FROM AN OpenLDAP SECURITY GROUP

  1. Login to phpLDAPadmin as admin.
  2. Navigate to and click the group node (Example: HR Group).
  3. Click the "modify group members" link.

4. To add a user to the group, move the username from "Available members" to "Group members".

5. To remove a user from the group, move the username from "Group members" to "Available members".

6. Click on the "Save changes" button. phpLDAPadmin then modifies the group's member attribute, and the overlay updates memberOf on the affected user entries accordingly.

A USEFUL COMMAND TO LIST ALL USERS OF A GROUP

Once the overlay is active, every user carries a memberOf value for each group that lists it, so a search filter on memberOf returns the users of a particular group,

ldapsearch -x -H ldap://<LDAP_HOST> -D "<LDAP_ADMIN_DN>" -W -b "<DN_OF_ROOT_NODE>" '(memberOf=<DN_OF_GROUP>)' '*' memberOf

Example:

ldapsearch -x -H ldap://localhost -D "cn=admin,dc=thedeveloperfriend,dc=com" -W -b "dc=thedeveloperfriend,dc=com" '(memberOf=cn=HR Group,dc=thedeveloperfriend,dc=com)' '*' memberOf

Notes on the command: -W prompts for the admin password instead of taking it with -w on the command line, where it would be visible in the process list and the shell history. -H ldap://host replaces the deprecated -h option. memberOf is an operational attribute in OpenLDAP, so it is not returned unless requested by name; '*' memberOf returns the normal user attributes together with memberOf. Over a network, use ldaps:// or add -ZZ (StartTLS) so the simple bind does not send the password in clear text.
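The memberOf search above is only trustworthy if memberOf actually mirrors the groups' member attributes, which is not the case for memberships created before the overlay was enabled, or where memberOf values were left behind without referential integrity. The following added example, which is not code from the original article or from the OpenLDAP project, parses ldapsearch -LLL output for the groups and users under the base DN, reports members without a matching memberOf and memberOf values without a matching member, lists a group's users the way the memberOf filter would, and emits the ldapmodify LDIF that performs the remove-and-re-add described in the phpLDAPadmin section so the overlay writes the missing memberOf values. The SAMPLE_LDIF and its DNs are constructed for the demonstration.

```python
"""Audit group member values against users' memberOf values.
Added example, not from the original article or the OpenLDAP project.
Real input: ldapsearch -x -LLL -H ldap://localhost -D <admin DN> -W \
  -b <base DN> '(|(objectClass=groupOfNames)(objectClass=inetOrgPerson))' \
  objectClass member memberOf        (memberOf must be requested by name)."""
import base64
import re
from typing import Dict, List, Set, Tuple

Entry = Dict[str, List[str]]

# Constructed sample. bob was put in HR Group before the overlay existed (no
# memberOf); carol carries a stale memberOf that no member value backs; alice's
# cn is base64-encoded and carol's memberOf is folded to exercise the parser.
SAMPLE_LDIF = """\
dn: cn=HR Group,dc=thedeveloperfriend,dc=com
objectClass: groupOfNames
cn: HR Group
member: uid=alice,dc=thedeveloperfriend,dc=com
member: uid=bob,dc=thedeveloperfriend,dc=com

dn: uid=alice,dc=thedeveloperfriend,dc=com
objectClass: inetOrgPerson
uid: alice
cn:: QWxpY2U=
memberOf: cn=HR Group,dc=thedeveloperfriend,dc=com

dn: uid=bob,dc=thedeveloperfriend,dc=com
objectClass: inetOrgPerson
uid: bob

dn: uid=carol,dc=thedeveloperfriend,dc=com
objectClass: inetOrgPerson
uid: carol
memberOf: cn=HR Group,
 dc=thedeveloperfriend,dc=com
"""

def norm_dn(dn: str) -> str:
    """Case-fold and drop whitespace around commas, which is how LDAP compares
    DNs built from caseIgnore attribute types such as cn, uid and dc."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text: str) -> List[Entry]:
    """Parse ldapsearch -LLL output: unfold continuation lines (RFC 2849),
    decode '::' base64 values, lower-case attribute names, split on blank lines."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8")
        else:
            val = val.strip()
        cur.setdefault(attr.strip().lower(), []).append(val)
    return entries

def group_members(entries: List[Entry]) -> Dict[str, Set[str]]:
    """Normalised group DN -> normalised member DNs for groupOfNames entries."""
    return {norm_dn(e["dn"][0]): {norm_dn(m) for m in e.get("member", [])}
            for e in entries
            if "groupofnames" in (c.lower() for c in e.get("objectclass", []))}

def audit(entries: List[Entry]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """(missing, stale) as (group DN, user DN) pairs, DNs as written in the data.
    missing: member value with no memberOf on the user (pre-overlay membership).
    stale:   memberOf value with no member value on the group."""
    names = {norm_dn(e["dn"][0]): e["dn"][0] for e in entries}
    groups = group_members(entries)
    users = {norm_dn(e["dn"][0]): {norm_dn(g) for g in e.get("memberof", [])}
             for e in entries if norm_dn(e["dn"][0]) not in groups}
    missing = [(names[g], names[u]) for g, ms in groups.items()
               for u in ms if u in users and g not in users[u]]
    stale = [(names[g], names[u]) for u, gs in users.items()
             for g in gs if g in groups and u not in groups[g]]
    return sorted(missing), sorted(stale)

def users_in_group(entries: List[Entry], group_dn: str) -> List[str]:
    """Users whose memberOf names group_dn, i.e. what the memberOf filter returns."""
    want = norm_dn(group_dn)
    return sorted(e["dn"][0] for e in entries
                  if want in {norm_dn(g) for g in e.get("memberof", [])})

def repair_ldif(missing: List[Tuple[str, str]]) -> str:
    """ldapmodify input: delete and re-add each member in one change record so
    the overlay writes memberOf on the user (it never back-fills on its own)."""
    return "\n".join(
        f"dn: {g}\nchangetype: modify\ndelete: member\nmember: {u}\n-\n"
        f"add: member\nmember: {u}\n-\n"
        for g, u in missing)
```

On the sample, audit() reports bob as missing memberOf for HR Group and carol's HR Group memberOf as stale, while users_in_group() for HR Group returns alice and carol, which is exactly the wrong answer the memberOf search would give before the repair; feed repair_ldif() to ldapmodify (with the same bind options as the search above) and re-run the audit until both lists are empty.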