Help Using LDAP Filter with "memberOf" Attribute

Hi All,

I'm a brand new Foreman user and I have hit a snag. I've entered the
following LDAP filter in the web GUI for Foreman 1.5.1:

(memberOf=staff-foreman-admin)

"Automatically create accounts in Foreman" is checked.

I try to log in with a user (my_username) in the "staff-foreman-admin" LDAP
group and I get "Invalid username or password".

In my OpenLDAP log (slapd.log) I see the Foreman user successfully bind to
the directory and the following search filter:

Jun 19 16:49:10 ldap-a slapd[25268]: conn=1489483 op=1 SRCH
base="ou=people,dc=example,dc=com" scope=2 deref=0
filter="(&(objectClass=*)(?=undefined)(uid=my_username))"

Jun 19 16:49:10 ldap-a slapd[25268]: conn=1489483 op=1 SRCH attr=givenName
sn mail dn

Jun 19 16:49:10 ldap-a slapd[25268]: conn=1489483 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=

Jun 19 16:49:10 ldap-a slapd[25268]: conn=1489483 fd=23 closed (connection
lost)

The search returns zero entries. Can anyone tell me why Foreman is
substituting (?=undefined) for my search criteria?

Thanks in advance!

Best,

Martín

From our discussion in IRC it turns out that you need to use the DN of the
group with the memberOf filter. Such as

(memberOf=CN=OPS,OU=Support,OU=Groups,OU=CHA,DC=example,DC=net)

where CHA/Groups/Support is the OU structure that group is in

v/r

STEVE

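An added example (not Foreman's code and not written by anyone in this thread) to make Steve's point concrete: memberOf holds the group's distinguished name, so the assertion value has to be the group's full DN, and the server compares it with DN matching rules, so case and the spacing around commas in Steve's AD-style DN do not matter. The script composes the same filter shape slapd logged, (&(objectClass=*)<your filter>(uid=<login>)), with the login escaped per RFC 4515, runs it against a small in-memory directory that stands in for OpenLDAP, and adds a lint check that flags a memberOf value that is not a DN. The group DN cn=staff-foreman-admin,ou=groups,dc=example,dc=com, the two entries and the exact escaping Foreman 1.5.1 applies to the login are assumptions of the example; the filter parser handles only the AND/equality/presence subset needed here.

```python
import re

# RFC 4515 escaping for a value spliced into a filter.  Foreman puts the login
# typed at the web form into "(uid=...)"; unescaped, "*)(uid=*" would rewrite it.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    return "".join(_ESC.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_login_filter(custom_filter, login, login_attr="uid"):
    """The shape slapd logged: (&(objectClass=*)<custom filter>(uid=<login>))."""
    return "(&(objectClass=*)%s(%s=%s))" % (custom_filter, login_attr, escape_filter_value(login))

def normalize_dn(dn):
    """distinguishedNameMatch, simplified: case-insensitive, whitespace around
    '=' and ',' ignored; escaped commas and multi-valued RDNs are not handled."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append("%s=%s" % (attr.strip().lower(), val.strip().lower()))
    return ",".join(parts)

def parse_filter(text):
    """Parse the subset of RFC 4515 used here: (&...), (attr=value), (attr=*)."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos:pos + 1] == "&":
            pos, kids = pos + 1, []
            while text[pos] != ")":
                kids.append(node())
            pos += 1
            return ("&", kids)
        end = text.index(")", pos)          # an escaped ')' is "\29", so this is safe
        attr, sep, val = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        return ("=", attr, val)
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower-cased)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    _, attr, val = node
    values = entry.get(attr.lower(), [])
    if val == "*":                          # presence test, e.g. (objectClass=*)
        return bool(values)
    wanted = unescape_filter_value(val)
    if attr.lower() == "memberof":          # memberOf holds DNs and matches as DNs
        return any(normalize_dn(v) == normalize_dn(wanted) for v in values)
    return any(v.lower() == wanted.lower() for v in values)

def lint_filter(custom_filter):
    """Flag a memberOf assertion whose value is not a DN, the mistake in the post."""
    problems = []
    def walk(n):
        if n[0] == "&":
            for k in n[1]:
                walk(k)
        elif n[1].lower() == "memberof" and n[2] != "*" and "=" not in n[2]:
            problems.append("memberOf=%r is not a DN; use the group's full DN" % n[2])
    walk(parse_filter(custom_filter))
    return problems

def search(directory, base, filter_text):
    """DNs at or below `base` (scope=2) matching `filter_text`."""
    tree, nbase = parse_filter(filter_text), normalize_dn(base)
    return [dn for dn, attrs in directory.items()
            if (normalize_dn(dn) == nbase or normalize_dn(dn).endswith("," + nbase))
            and matches(tree, attrs)]

# Constructed directory (assumed data).  The memberOf value on the first entry is
# what OpenLDAP's memberof overlay maintains; the second entry has none, which is
# how every entry looks on a server where the overlay is not configured.
GROUP_DN = "cn=staff-foreman-admin,ou=groups,dc=example,dc=com"
PEOPLE = "ou=people,dc=example,dc=com"
DIRECTORY = {
    "uid=my_username,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["my_username"],
        "givenname": ["Martin"], "sn": ["B"], "mail": ["martin@example.com"],
        "memberof": [GROUP_DN]},
    "uid=other_user,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["other_user"]},
}

if __name__ == "__main__":
    for custom in ("(memberOf=staff-foreman-admin)", "(memberOf=%s)" % GROUP_DN):
        full = build_login_filter(custom, "my_username")
        print(full, "->", search(DIRECTORY, PEOPLE, full), lint_filter(custom))
```

Two things worth checking on the OpenLDAP side before blaming the filter: memberOf only exists on entries if the memberof overlay is loaded for that database, and the overlay fills it in for membership changes made after it was enabled, so existing group members have to be removed and re-added before a search on memberOf returns them. It is also an operational attribute there, so an ldapsearch that binds as Foreman's bind DN and lists memberOf explicitly in the requested attributes is the quickest way to confirm both that the value is present and that the bind account's ACLs allow reading it.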

Interesting, I've just sent a PR to the docs acknowledging this.

You received this message because you are subscribed to the Google Groups
“Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.


Daniel Lobato

@elobatoss

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30

Thanks to Steve for the help digging into this!

It turns out that our OpenLDAP didn't support the "memberOf" attribute. Our LDAP guy is working on adding the overlay to support it.

When it's set up I'll be able to test the filter that Steve suggests below. I'll also try a simplified "memberOf" statement to see what's really required for OpenLDAP and report back.

Best,
Martín

----- Original Message -----

From: “Daniel Lobato” elobatocs@gmail.com
To: foreman-users@googlegroups.com
Sent: Friday, June 20, 2014 12:28:29 PM
Subject: Re: [foreman-users] Re: Help Using LDAP Filter with
"memberOf" Attribute

Interesting, I’ve just sent a PR to the docs acknowledging this.
https://github.com/theforeman/theforeman.org/pull/231
