SOLVED

OpenLDAP as Identity Provider


Hi all

I am using OpenLDAP as the IdP.

OpenLDAP posixGroup uses the memberUid attribute to identify members, which is just the uid of a user (e.g. pjones).

OAK LdapIdentityProvider uses the full DN of a user when querying groups for members (e.g. cn=Peter Jones,ou=users,dc=example,dc=com).

This means user Peter Jones is not found when querying groups.

Please see the SearchRequest filter in [1], taken from the ldap.log file.

[1]

org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: using SearchRequest MessageType : SEARCH_REQUEST
Message ID : -1
    SearchRequest
        baseDn : 'ou=groups,dc=example,dc=com'
        filter : '(&(memberUid=cn=Peter Jones,ou=users,dc=example,dc=com)(objectclass=posixGroup))'
        scope : whole subtree
        typesOnly : false
        Size Limit : no limit
        Time Limit : 60000
        Deref Aliases : deref Always
        attributes : 'cn'

How can this be resolved?

1 Accepted Solution

Correct answer by

Via CLI, created new group in OpenLDAP. This identifies members by DN.

dn: cn=boss,ou=groups,dc=example,dc=com
cn: boss
member: cn=Peter Jones,ou=users,dc=example,dc=com
objectClass: top
objectClass: groupOfNames

Was using PHP admin as the LDAP UI, which seemingly only allows creating posixGroup. Did not see an option for creating groupOfNames, so I used the CLI.

Querying groups for members now returns results.

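The mismatch this thread describes, replayed as an added example (not code from the thread or from Oak itself): it parses two constructed LDIF groups and runs the same filter shape Oak logged above, (&(<member attribute>=<user DN>)(objectclass=<group class>)), against them; the posixGroup never matches because memberUid holds a bare uid, while the groupOfNames does. The uid_only_groups helper is an assumed name for an admin pre-check that flags such groups before an IdP is pointed at them.

```python
USER_DN = "cn=Peter Jones,ou=users,dc=example,dc=com"

# Constructed sample directory: a posixGroup (uid-based members) and a
# groupOfNames (DN-based members), both meant to contain Peter Jones.
SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=com
cn: devs
objectClass: top
objectClass: posixGroup
memberUid: pjones

dn: cn=boss,ou=groups,dc=example,dc=com
cn: boss
objectClass: top
objectClass: groupOfNames
member: cn=Peter Jones,ou=users,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into entries;
    attribute names are lower-cased since LDAP matches them case-insensitively."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def has_value(entry, attr, value):
    """Equality match on one attribute, case-insensitive as for DNs and classes."""
    return any(v.lower() == value.lower() for v in entry.get(attr.lower(), []))

def oak_group_lookup(entries, user_dn, member_attr, group_objectclass):
    """Groups matched by the filter Oak builds:
    (&(<member_attr>=<user DN>)(objectclass=<group_objectclass>))."""
    return [e["dn"][0] for e in entries
            if has_value(e, "objectclass", group_objectclass)
            and has_value(e, member_attr, user_dn)]

def uid_only_groups(entries):
    """Admin check (assumed helper): groups whose members are bare uids
    (memberUid) and so can never be matched by a DN-based lookup."""
    return [e["dn"][0] for e in entries if "memberuid" in e and "member" not in e]

ENTRIES = parse_ldif(SAMPLE_LDIF)
```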