LDAP group DN not working properly

Problem:
Using a group-based DN, but non-group users can still log in, which should not happen.
PS: I don't want to use a filter.

Expected outcome:
Foreman should not let members of other groups, or non-group members, log in.

Foreman and Proxy(plugin) versions:


Distribution and version:
Ubuntu 20.04.3 LTS, kernel 5.4.0-84-generic
Other relevant data:

  • LDAP: I'm using the bitnami/openldap OpenLDAP container image as my LDAP server
version: "3"
services:
  ldap:
    image: bitnami/openldap:2.5
    ports:
      - 3636:3636
      - 3893:3893
    environment:
      LDAP_ADMIN_USERNAME: admin
      LDAP_ADMIN_PASSWORD: adminpassword
      LDAP_ROOT: dc=glauth,dc=com
      LDAP_PORT_NUMBER: 3893
      LDAP_LDAPS_PORT_NUMBER: 3636
      LDAP_ENABLE_TLS: "no"
    restart: unless-stopped
  • Using Apache Directory Studio to manage LDAP:
    clear everything under ou=users,dc=glauth,dc=com and import the LDIF below into dc=glauth,dc=com
version: 1

dn: ou=users,dc=glauth,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=test,ou=users,dc=glauth,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
cn: User2
gidNumber: 1001
homeDirectory: /home/test
sn: Bar2
uid: test
uidNumber: 1001
userPassword:: dGVzdA==

dn: cn=test2,ou=users,dc=glauth,dc=com
objectClass: posixGroup
objectClass: top
cn: test2
gidNumber: 5000
memberUid: test

dn: cn=test3,ou=users,dc=glauth,dc=com
objectClass: posixGroup
objectClass: top
cn: test3
gidNumber: 3000
memberUid: pratik

dn: cn=pratik,ou=users,dc=glauth,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: pratik
cn: User1
gidNumber: 1000
homeDirectory: /home/pratik
sn: Bar1
uid: pratik
uidNumber: 1000
userPassword:: cHJhdGlr

  • user test is part of group test2

  • user pratik is part of group test3 (creds test:test)

  • Configure foreman



  • As you can see, I've configured the group DN as cn=test2,ou=users,dc=glauth,dc=com, so technically it should only let test2 members log in, but it allows pratik to log in too.

I can post Foreman and LDAP logs if you want.

No. You have just configured where Foreman can find groups. So it will only find and know of one group. That's all. As you haven't defined any LDAP filter, all users can log in. In addition, you can set up test2 as an external group.

If you want to filter users, you need to set up the LDAP filter accordingly. Make sure only the users you want are accepted there.

No. You have just configured where Foreman can find groups. So it will only find and know of one group. That's all.

Wait, why does Foreman need to find and know groups? Without configuring the groups base DN, I can still successfully configure external user groups with the LDAP auth source.

You can use LDAP to provide user and group information. That's it. That group DN is not a filter. It's the base DN where it finds your groups. I am not sure what it does exactly if you don't define a group DN: either it uses the base DN with a sub search, or it doesn't read groups.

External user groups are just the link between the Foreman user group and the group obtained from an external source. You can define external user groups and use a group name which doesn't even exist in LDAP. Maybe it doesn't exist yet. It's an empty group, then…

You can define external user groups and use a group name which doesn't even exist in LDAP.

We can't, actually, because Foreman will check the external group in LDAP (and that does not require the group base DN) as soon as we click the submit button.

You can use LDAP to provide user and group information. That's it. That group DN is not a filter. It's the base DN where it finds your groups. I am not sure what it does exactly if you don't define a group DN: either it uses the base DN with a sub search, or it doesn't read groups.

I still don't get why the group base DN exists. But anyway, it's fine. Thanks for the fast-as-a-flash response. This is the place where I always end up getting my answer, so thank you to the community as well.

That is standard LDAP client configuration: you configure the DNs where the data is found, unless you want to search the whole tree. The base DN is the search base where Foreman finds user accounts. The group base DN is the search base where Foreman finds groups.

Now, you have put groups into the same base DN as the user accounts, so in your case it seems unnecessary.

But if you had put your users in ou=users,… and your groups in ou=groups,… you would see why it's necessary. Also remember that some directories are huge, so simply using a common base DN (e.g. dc=glauth,dc=com for you) and a sub search for any directory element is very inefficient.
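Added example (not from the thread's authors or the Foreman project) that illustrates the two points made in the replies above: the group base DN only scopes where groups are looked up, and restricting who may log in needs a filter on the user search. It replays the LDIF posted in the question in memory with simplified stand-ins for LDAP search semantics; nothing here talks to a real server, and `search`, `bind` and `member_of_posix_group` are assumed helper names, not Foreman or OpenLDAP APIs.

```python
"""Replay the thread's scenario against an in-memory copy of the posted LDIF.

Simplified model of what an LDAP client does: a search is (base DN, scope,
filter); the base DN decides *where* to look, the filter decides *which*
entries match.  Not Foreman's real code, only an illustration of the point.
"""
import base64

# Constructed from the LDIF in the question: same DNs, uids, groups, passwords.
LDIF = """\
dn: ou=users,dc=glauth,dc=com
objectClass: organizationalUnit
ou: users

dn: cn=test,ou=users,dc=glauth,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: test
userPassword:: dGVzdA==

dn: cn=test2,ou=users,dc=glauth,dc=com
objectClass: posixGroup
cn: test2
memberUid: test

dn: cn=test3,ou=users,dc=glauth,dc=com
objectClass: posixGroup
cn: test3
memberUid: pratik

dn: cn=pratik,ou=users,dc=glauth,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: pratik
userPassword:: cHJhdGlr
"""


def parse_ldif(text):
    """Parse minimal LDIF into {dn: {attr: [values]}}; 'attr::' is base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        else:
            current.setdefault(attr, []).append(value)
    return entries


def dn_in_scope(dn, base, scope):
    """LDAP scope rules: 'base' is only the base entry, 'sub' is base and below."""
    if scope == "base":
        return dn == base
    return dn == base or dn.endswith("," + base)


def search(entries, base, scope, match):
    """DNs under `base` (per `scope`) whose entry satisfies the `match` filter."""
    return [dn for dn, e in entries.items() if dn_in_scope(dn, base, scope) and match(e)]


def bind(entries, uid, password, user_base="ou=users,dc=glauth,dc=com",
         user_filter=lambda e: True):
    """Simplified login: locate the user under user_base, narrowed only by
    user_filter (the analogue of Foreman's "LDAP filter" field), then check
    the password.  The group base DN plays no part in this step."""
    hits = search(entries, user_base, "sub",
                  lambda e: uid in e.get("uid", []) and user_filter(e))
    return len(hits) == 1 and password in entries[hits[0]].get("userPassword", [])


def member_of_posix_group(entries, group_dn):
    """Filter factory accepting a user only if its uid is a memberUid of group_dn.
    posixGroup keeps membership on the group entry, so this needs a second
    lookup; a single user-side filter such as (memberOf=...) only works when
    the server maintains memberOf on users (OpenLDAP memberof overlay with
    groupOfNames, or Active Directory)."""
    members = entries.get(group_dn, {}).get("memberUid", [])
    return lambda e: any(u in members for u in e.get("uid", []))


def demo(entries):
    group_base = "cn=test2,ou=users,dc=glauth,dc=com"
    only_test2 = member_of_posix_group(entries, group_base)
    return {
        # 1. The group base DN narrows which groups are found, nothing else.
        "groups_under_group_base": search(
            entries, group_base, "sub", lambda e: "posixGroup" in e.get("objectClass", [])),
        # 2. With no user filter, pratik authenticates despite the group base DN.
        "pratik_no_filter": bind(entries, "pratik", "pratik"),
        # 3. A membership filter on the user search is what actually rejects him.
        "pratik_with_filter": bind(entries, "pratik", "pratik", user_filter=only_test2),
        "test_with_filter": bind(entries, "test", "test", user_filter=only_test2),
    }


if __name__ == "__main__":
    for key, value in demo(parse_ldif(LDIF)).items():
        print(f"{key}: {value}")
```

Running it shows the group base DN search returning only cn=test2 while pratik still binds successfully until a membership filter is applied to the user lookup; with the poster's posixGroup schema that filter cannot be expressed purely on the user entry, which is the caveat to keep in mind when filling in Foreman's LDAP filter field.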
