As you can see, I've configured groupDN as cn=test2,ou=users,dc=glauth,dc=com, so technically it should only let test2 members log in, but it allows pratik to log in too.
No. You have just configured where Foreman can find groups. So it will only find and know of one group. That's all. As you haven't defined any LDAP filter, all users can log in. In addition, you can set up test2 as an external group.
If you want to filter users, you need to set up the LDAP filter accordingly. Make sure only the users you want are accepted there.
No. You have just configured where Foreman can find groups. So it will only find and know of one group. That's all.
Wait, why does Foreman need to find and know groups? Without configuring Groups base DN, I can still successfully configure external user groups with the LDAP Auth Source.
You can use LDAP to provide user and group information. That's it. That group DN is not a filter. It's the base DN where it finds your groups. I am not sure what it does exactly if you don't define a group DN: either it uses the base DN with a sub search, or it doesn't read groups.
External user groups are just the link between the Foreman user group and the group obtained from an external source. You can define external user groups and use a group name which doesn't even exist in LDAP. Maybe it doesn't exist yet. It's an empty group, then…
You can define external user groups and use a group name which doesn’t even exist in LDAP
We can't, actually, because Foreman will check the external group in LDAP (and that does not require Group base DN) as soon as we click the submit button.
You can use LDAP to provide user and group information. That's it. That group DN is not a filter. It's the base DN where it finds your groups. I am not sure what it does exactly if you don't define a group DN: either it uses the base DN with a sub search, or it doesn't read groups.
I still did not get why Group base DN exists. But anyway, it's fine. Thanks for the fast-as-flash response. This is the last place where I get my answer every time. So thank you, community, as well.
That is standard LDAP client configuration: you configure the DNs where you find the data, unless you want to search the whole tree. Base DN is the search base where Foreman finds user accounts. Group base DN is the search base where Foreman finds groups.
Now, you have put groups into the same base DN as the user accounts, thus in your case it seems unnecessary.
But if you had put your users in ou=users,… and your groups in ou=groups,… you would see why it's necessary. Also remember that some directories are huge, thus simply using a common base DN (e.g. dc=glauth,dc=com for you) and a sub search for any directory element is very inefficient.
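To make the two points of this thread concrete (a Groups base DN is only a search base and does not restrict logins; the LDAP filter is what restricts them), here is an added example that is not part of the thread and not Foreman's own code. It is a tiny in-memory model of LDAP search: a base DN plus scope decides which entries are looked at, and an RFC 4515-style filter decides which of them match. The directory contents are constructed to mirror the layout discussed above (groups cn=test1 and cn=test2 living under ou=users next to the accounts); the second user "alice", the memberOf attribute and the simplified login lookup are assumptions made for illustration.

```python
# Added example, not code from the thread or from Foreman: a toy in-memory
# LDAP search that separates "search base" (Base DN, Groups base DN) from
# "LDAP filter". Directory content, the user "alice", the memberOf attribute
# and the login model are constructed assumptions.

def dn_parts(dn):
    """Split a DN into normalised RDNs (toy: no escaping or multi-valued RDNs)."""
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(dn, base, scope):
    """True if `dn` lies under `base` for search scope base / one / sub."""
    d, b = dn_parts(dn), dn_parts(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def parse_filter(text):
    """Parse an RFC 4515-style filter (supports =, &, |, !) into nested tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at %d" % i)
        i += 1
        if text[i] in "&|!":
            op, kids, i = text[i], [], i + 1
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError("expected ')' at %d" % i)
            return (op, kids), i + 1
        j = text.index(")", i)
        attr, _, value = text[i:j].partition("=")
        return ("=", attr.strip().lower(), value.strip()), j + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (attribute names lower-case)."""
    op = node[0]
    if op == "=":
        values = entry.get(node[1], [])
        if node[2] == "*":                      # presence filter
            return bool(values)
        return any(v.lower() == node[2].lower() for v in values)
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    return not matches(entry, node[1][0])       # "!"


# Constructed directory mirroring the thread: groups sit under ou=users, next
# to the accounts, so one base DN happens to cover both.
DIRECTORY = {
    "ou=users,dc=glauth,dc=com": {"objectclass": ["organizationalUnit"]},
    "cn=pratik,ou=users,dc=glauth,dc=com": {
        "objectclass": ["posixAccount"], "uid": ["pratik"],
        "memberof": ["cn=test1,ou=users,dc=glauth,dc=com"]},
    "cn=alice,ou=users,dc=glauth,dc=com": {      # assumed second user
        "objectclass": ["posixAccount"], "uid": ["alice"],
        "memberof": ["cn=test2,ou=users,dc=glauth,dc=com"]},
    "cn=test1,ou=users,dc=glauth,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["test1"],
        "member": ["cn=pratik,ou=users,dc=glauth,dc=com"]},
    "cn=test2,ou=users,dc=glauth,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["test2"],
        "member": ["cn=alice,ou=users,dc=glauth,dc=com"]},
}


def search(base, scope, ldap_filter, directory=DIRECTORY):
    """Return the sorted DNs under `base` (within `scope`) matching `ldap_filter`."""
    node = parse_filter(ldap_filter)
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base, scope) and matches(attrs, node))


def login_allowed(login, base_dn, ldap_filter=None):
    """Simplified model (assumption) of the lookup the thread describes: find the
    account by uid under Base DN, AND-ed with the optional LDAP filter."""
    f = "(uid=%s)" % login
    if ldap_filter:
        f = "(&%s%s)" % (f, ldap_filter)
    return len(search(base_dn, "sub", f)) == 1


if __name__ == "__main__":
    users = "ou=users,dc=glauth,dc=com"
    # Groups base DN pointed at a single group entry: exactly one group is found.
    print(search("cn=test2,ou=users,dc=glauth,dc=com", "base", "(objectclass=groupOfNames)"))
    # No LDAP filter: every account under Base DN can log in.
    print(login_allowed("pratik", users), login_allowed("alice", users))
    # With a filter, only members of test2 get through.
    only_test2 = "(memberOf=cn=test2,ou=users,dc=glauth,dc=com)"
    print(login_allowed("pratik", users, only_test2), login_allowed("alice", users, only_test2))
```

Run it as a script: the first line shows that a Groups base DN of cn=test2,… merely limits which group entries are discovered, the second line shows that without a filter both accounts pass, and the third shows that a memberOf filter is what actually keeps pratik out. Note that the toy accepts the same base DN for users and groups, which is why the thread's configuration worked at all; with users in ou=users and groups in ou=groups, a group search based at ou=users would return nothing.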