Question about uniqueMember and openLDAP

kazgurs (Kazys Gurskas) 2017-10-02 12:10:05 UTC #1

Hi,

under current LDAP configuration notes, I can see that groups must have unique_member_attribute (default is uniqueMember) which contains full DNs of the members. What if I have a different LDAP schema? I can override the unique_member_atttribute name, but not the contents. What if I store uid’s and not full DNs there? Is there any way to customize this?

sscarduzio (Simone Scarduzio) 2017-10-02 14:16:32 UTC #2

Is this common? How would other LDAP connectors of other products cope with this? What do you expect the setting to be called?

kazgurs (Kazys Gurskas) 2017-10-03 06:43:13 UTC #3

AFAIK, the 2 most common openLDAP configurations are memberOf overlay and POSIX groups (memberUid attribute). I’m using the latter and so far have had no issues integrating LDAP with most tooling, like Jenkins, Rundeck. I can see that your current search string is:

LDAP search string: (&(cn=*)(uniqueMember=cn=Name Surname,ou=user,dc=domain,dc=com))  |  groupNameAttr: cn

uniqueMember attribute has been adapted to be customisable already. Would it make any sense to be able customize the whole search string? Or maybe have some logic to search by DN if unique_member_atttribute is set to uniqueMember and to uid if it’s set to memberUid.

sscarduzio (Simone Scarduzio) 2017-10-04 11:05:32 UTC #4

Let’s talk about making the whole string configurable. We’d need some placeholders to replace the actual credentials, right? How do others do that?

kazgurs (Kazys Gurskas) 2017-12-12 12:04:51 UTC #5

Hi, sorry for bumping an old thread.

Which credentials are you referring to?

How about switching uniqueMember=cn=Name Surname,ou=user,dc=domain,dc=com to memberUid=uid=name.surname when configuration item unique_member_atttribute is set to memberUid ?