LDAP Documentation (having issues with filters)

Is there documentation for LDAP Authentication? I searched around the installation documentation but couldn’t find any specific guidance for the LDAP integration.

I have the LDAP integration itself working but am having issues with the filter property.
I’m trying to restrict foreman login to users that are within the “Function_ForemanUsers” Group but I’m getting invalid username/password when the filter is enabled.

I’ve also verified that the foreman bind account has all read actions for the group.

The user account I’m trying to sign in with is a member of a group that’s nested within the referenced group. I’ve also tried adding the user directly to the group in case Foreman doesn’t support group nesting, but that wasn’t successful either.
(memberOf=CN=Function_ForemanUsers,OU=Groups,OU=Protected,DC=ad,DC=mydomain,DC=net)

Foreman 3.2+ Katello

Your filter probably isn’t matching. Looking over the memberOf entry that you do have, it appears your LDAP server is a Microsoft AD Domain Controller, and I know from experience those can do wonky things to the group’s DN.

The easiest way to fix this would be to do an LDAP search against a user in that group to see what the memberOf field is supposed to be for that user, then adjust the filter accordingly.

Additionally, you may need to alter/adjust the Base DN and Groups DN as well (since you say Authentication is working, I’m going to think your Base DN is set correctly but the Group DN may be off).

How would I do a direct query of the group from the foreman server?

Take a look here:

https://docs.theforeman.org/3.2/Administering_Red_Hat_Satellite/index-katello.html#Configuring_External_Authentication_admin

Easiest way is to install the openldap-clients package onto the foreman server (or some other Linux server, since you can do an LDAP query from anywhere) and then use the ldapsearch command to query the LDAP server:

ldapsearch -h <LDAP SERVER> -D "<BIND DN>" -w '<BIND PW>' -p 389 -b "<BASE DN>" -s sub "<SEARCH CRITERIA>" -o ldif-wrap=no

Since you’re using Active Directory, I’m not sure what you’re using for the UID field, but a common one is the sAMAccountName so you could use a search criteria of “(sAMAccountName=XXXX)”.

You’ll then get a listing of all the LDAP attributes for the distinguished names matching the search criteria. You’ll want to look heavily at the memberOf attributes for that DN to see what Active Directory gives as the full name to the group you’re wanting to use as a filter.

1 Like
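As an added illustration (not code from the thread, from Foreman, or from the ldapsearch tool), the script below does offline what the reply above recommends doing by hand: it parses ldapsearch's LDIF output, including folded continuation lines (the reason for `-o ldif-wrap=no`) and base64 `::` values, and evaluates a `(memberOf=<group DN>)` filter against the entry the way Active Directory does, comparing DNs case-insensitively and only against direct memberships. The group DN is the one from the original question; both user entries are constructed samples, and the second one reproduces the nested-group situation from the question, where the parent group never appears in memberOf, so the filter cannot match.

```python
"""Evaluate a (memberOf=<group DN>) filter against an LDAP entry as printed
by ldapsearch. Added example; not part of Foreman or of the forum thread."""
import base64
import re

# Group DN taken from the original question; the user entries below are constructed.
GROUP_DN = "CN=Function_ForemanUsers,OU=Groups,OU=Protected,DC=ad,DC=mydomain,DC=net"
FILTER = f"(memberOf={GROUP_DN})"

# Constructed ldapsearch output. Without `-o ldif-wrap=no`, long values are
# folded at 76 columns and continued on a line that begins with one space.
DIRECT_MEMBER_LDIF = (
    "dn: CN=Jane Doe,OU=Users,OU=Protected,DC=ad,DC=mydomain,DC=net\n"
    "sAMAccountName: jdoe\n"
    "memberOf: CN=Domain Users,CN=Users,DC=ad,DC=mydomain,DC=net\n"
    "memberOf: CN=Function_ForemanUsers,OU=Groups,OU=Protected,DC=ad,DC=mydomai\n"
    " n,DC=net\n"
)

# Constructed: this user is in a sub-group nested inside Function_ForemanUsers.
# AD's memberOf attribute lists direct groups only, so the parent never appears.
# One value is base64-encoded ("::"), as ldapsearch prints for non-safe strings.
_B64_GROUP = base64.b64encode(
    b"CN=Printer Admins,OU=Groups,DC=ad,DC=mydomain,DC=net").decode()
NESTED_MEMBER_LDIF = (
    "dn: CN=John Roe,OU=Users,OU=Protected,DC=ad,DC=mydomain,DC=net\n"
    "sAMAccountName: jroe\n"
    "memberOf: CN=Function_ForemanUsers_Ops,OU=Groups,OU=Protected,DC=ad,DC=mydomain,DC=net\n"
    f"memberOf:: {_B64_GROUP}\n"
)


def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute: [values]}.
    Unfolds continuation lines and decodes base64 ('::') values."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        elif raw and not raw.startswith("#"):
            unfolded.append(raw)
    entry: dict[str, list[str]] = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        entry.setdefault(name, []).append(value)
    return entry


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: AD matches DNs case-insensitively and
    ignores whitespace around the separating commas (escaped commas are kept)."""
    parts = re.split(r"(?<!\\),", dn)
    return ",".join(p.strip().lower() for p in parts)


def group_dn_from_filter(filt: str) -> str:
    """Extract <DN> from a filter of the exact form (memberOf=<DN>)."""
    m = re.fullmatch(r"\(\s*memberOf\s*=\s*(.+?)\s*\)", filt, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a simple memberOf filter: {filt!r}")
    return m.group(1)


def check_filter(entry: dict[str, list[str]], filt: str) -> tuple[bool, list[str]]:
    """Return (matched, diagnostics) for a direct-membership memberOf filter."""
    wanted = normalize_dn(group_dn_from_filter(filt))
    groups = entry.get("memberOf", [])
    for g in groups:
        if normalize_dn(g) == wanted:
            return True, [f"direct member of {g}"]
    notes = [f"no memberOf value equals {wanted}"]
    # Same CN under a different path usually means the DN in the filter was
    # typed from memory rather than copied from the ldapsearch output.
    cn = wanted.split(",", 1)[0]
    notes += [f"same CN, different path: {g}" for g in groups
              if normalize_dn(g).startswith(cn + ",")]
    notes.append("memberOf holds direct groups only; membership through a "
                 "nested group does not satisfy a plain memberOf= filter")
    return False, notes


def demo_direct() -> tuple[bool, list[str]]:
    return check_filter(parse_ldif_entry(DIRECT_MEMBER_LDIF), FILTER)


def demo_nested() -> tuple[bool, list[str]]:
    return check_filter(parse_ldif_entry(NESTED_MEMBER_LDIF), FILTER)


if __name__ == "__main__":
    for label, (ok, notes) in (("jdoe", demo_direct()), ("jroe", demo_nested())):
        print(f"{label}: {'MATCH' if ok else 'NO MATCH'}")
        for n in notes:
            print("  -", n)
```

To use it against a real directory, paste the output of the ldapsearch command from the reply above into the place of the constructed sample and keep the filter string exactly as it is configured in Foreman; the diagnostics tell you whether the DN differs from what AD stores or whether the membership is only indirect.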