Hi all
I am using OpenLdap as IDP.
OpenLdap posixGroup uses the memberUid attribute to identify members, which is just the UID of a user (e.g. pjones).
OAK LdapIdentityProvider uses the full DN of a user when querying groups for members (e.g. cn=Peter Jones,ou=users,dc=example,dc=com).
This means user Peter Jones is not found when querying groups.
Please see the SearchRequest filter in [1] from the ldap.log file.
[1]
org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider getDeclaredGroupRefs: using SearchRequest MessageType : SEARCH_REQUEST
Message ID : -1
SearchRequest
baseDn : 'ou=groups,dc=example,dc=com'
filter : '(&(memberUid=cn=Peter Jones,ou=users,dc=example,dc=com)(objectclass=posixGroup))'
scope : whole subtree
typesOnly : false
Size Limit : no limit
Time Limit : 60000
Deref Aliases : deref Always
attributes : 'cn'
How can this be resolved?
Via CLI, created new group in OpenLDAP. This identifies members by DN.
dn: cn=boss,ou=groups,dc=example,dc=com
cn: boss
member: cn=Peter Jones,ou=users,dc=example,dc=com
objectClass: top
objectClass: groupOfNames
Was using PHP admin as LDAP UI, which seemingly only allows for creating posixGroup. Did not see an option for creating groupOfNames, so I used the CLI.
Querying groups for members now returns results.
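The mismatch the question describes and the fix the answer applied, as an added example (not code from the thread, OpenLDAP or Oak): it models a posixGroup, builds the groupOfNames the answer created by hand from it, and evaluates the equality filter from the ldap.log excerpt against both group types. The group name devs, the gidNumber and the uid-to-DN map are constructed sample values.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed sample data mirroring the thread. LDAP attribute names are
# case-insensitive, so the dict keys are kept lower-case throughout.
USERS: Dict[str, str] = {"pjones": "cn=Peter Jones,ou=users,dc=example,dc=com"}
POSIX_GROUP: Entry = {
    "dn": ["cn=devs,ou=groups,dc=example,dc=com"],   # hypothetical group name
    "objectclass": ["top", "posixGroup"],
    "cn": ["devs"],
    "gidnumber": ["5000"],
    "memberuid": ["pjones"],                         # bare uid, not a DN
}


def to_group_of_names(posix: Entry, users: Dict[str, str], cn: str) -> Entry:
    """Mirror a posixGroup as a groupOfNames whose member values are user DNs."""
    members = [users[uid] for uid in posix["memberuid"] if uid in users]
    if not members:  # the groupOfNames schema requires at least one member
        raise ValueError("no resolvable members for group %s" % cn)
    return {
        "dn": ["cn=%s,ou=groups,dc=example,dc=com" % cn],
        "objectclass": ["top", "groupOfNames"],
        "cn": [cn],
        "member": members,
    }


def to_ldif(entry: Entry) -> str:
    """Render an entry in the LDIF shape the answer fed to the CLI."""
    lines = ["dn: " + entry["dn"][0]]
    lines += ["cn: " + v for v in entry["cn"]]
    lines += ["member: " + v for v in entry.get("member", [])]
    lines += ["objectClass: " + v for v in entry["objectclass"]]
    return "\n".join(lines) + "\n"


def matches_idp_filter(entry: Entry, member_attr: str, group_class: str,
                       user_value: str) -> bool:
    """Evaluate (&(<member_attr>=<user_value>)(objectclass=<group_class>)),
    the shape of the filter in the ldap.log excerpt. Matching is a plain
    case-insensitive string compare, a simplification of LDAP DN matching."""
    values = [v.lower() for v in entry.get(member_attr.lower(), [])]
    classes = [c.lower() for c in entry["objectclass"]]
    return user_value.lower() in values and group_class.lower() in classes
```

With the user's DN as the filter value, the posixGroup never matches (it would only match if the IdP sent the bare uid), while the generated groupOfNames does.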