LDAP query filtering by group

If we are integrating applications with an LDAP directory (in our case OpenLDAP), we have probably needed to obtain the users belonging to a group with a single LDAP query, because the application we want to integrate supports only one query.

Also, if we look for documentation on this subject, we find things like "for the users belonging to the group grp_test, run the query":

memberOf=cn=grp_test,ou=Groups,dc=zentyal

on the DN where the users are located. But we notice that this does not work.

It does not work for several reasons:
1- You need to load the "memberof" module and configure the overlay in OpenLDAP.
2- It has to work with groups of type groupOfNames (the type is defined by the objectClass). For those who do not know, LDAP groups can have many types (we can even define our own). Keep in mind that the posixGroup type does not help us here in any special way, because it basically does not store an absolute reference (a DN) to the user.

The type of the user entries does not matter to us.

First we load the "memberof" module:

File memberof_mod.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: memberof

Executed:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_mod.ldif

Now we configure:

File memberof_conf.ldif

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Executed:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_conf.ldif

Now we define a group and a user with:

File grp_users.ldif

dn: ou=Groups,dc=zentyal
objectClass: organizationalUnit
ou: Groups

dn: cn=grp_test,ou=Groups,dc=zentyal
objectClass: groupOfNames
objectClass: top
cn: grp_test
member: uid=Integration,ou=Users,dc=zentyal
member: uid=jdoe,ou=Users,dc=zentyal

dn: ou=Users,dc=zentyal
objectClass: organizationalUnit
ou: Users

dn: uid=Integration,ou=Users,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
cn: Intranet Integration
gidNumber: 1901
homeDirectory: /home/Integration
sn: Integration
uid: Integration
uidNumber: 2035
givenName: Intranet
loginShell: /bin/sh
userPassword:: e1NIQX1xT0hkM0dXeVViTVBGcG1nNlp3dXJSdm9xTW89

dn: uid=jdoe,ou=Users,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: pwmUser
cn: John
gidNumber: 1901
homeDirectory: /home/jdoe
sn: Doe
uid: jdoe
uidNumber: 2001
description:: UFdNIA==
givenName: John Doe
loginShell: /bin/sh
userPassword:: YWJvcnQ0aW9ucw==

Executed:

ldapadd -Q -Y EXTERNAL -H ldapi:/// -f grp_users.ldif

As you can see, the group holds a reference to the users, but the user entries hold no reference to the group.

Now we execute a query (where cn=user_ro,dc=zentyal is the user we bind as, and we are prompted for its password):

ubuntu@ip-10-80-242-10:~$ ldapsearch -H ldap://localhost:389 -D "cn=user_ro,dc=zentyal" -W -b "ou=Users,dc=zentyal" "(memberOf=cn=grp_test,ou=Groups,dc=zentyal)" "objectClass"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=Users,dc=zentyal> with scope subtree
# filter: (memberOf=cn=grp_test,ou=Groups,dc=zentyal)
# requesting: objectClass
#
# Integration, Users, zentyal
dn: uid=Integration,ou=Users,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
# jdoe, Users, zentyal
dn: uid=jdoe,ou=Users,dc=zentyal
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: pwmUser
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2

In the result only the objectClass of each user is shown, because that is the attribute we asked ldapsearch for (the last parameter, "objectClass").
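As an added example (not code from the original post), the following Python models what the memberof overlay computes for the entries above, and builds the single application query with RFC 4515 escaping of the values an application takes from its users. The posixGroup entry and the input values are assumptions added for contrast; the directory is an inline dict, so it runs without an LDAP server.

```python
"""Model of the memberof overlay on the post's entries: groupOfNames stores
member DNs, so a reverse memberOf value can be derived and a (memberOf=...)
filter evaluated; posixGroup stores only memberUid, so nothing can be reversed."""

# Constructed directory: DN -> {attribute (lowercase): [values]}.
DIRECTORY = {
    "cn=grp_test,ou=Groups,dc=zentyal": {
        "objectclass": ["groupOfNames", "top"],
        "member": ["uid=Integration,ou=Users,dc=zentyal",
                   "uid=jdoe,ou=Users,dc=zentyal"],
    },
    "cn=grp_posix,ou=Groups,dc=zentyal": {          # hypothetical, for contrast
        "objectclass": ["posixGroup", "top"],
        "memberuid": ["jdoe"],                       # a uid string, not a DN
    },
    "uid=Integration,ou=Users,dc=zentyal": {"uid": ["Integration"]},
    "uid=jdoe,ou=Users,dc=zentyal": {"uid": ["jdoe"]},
}

def derive_member_of(directory):
    """Reverse map user DN -> [group DN], which is what the overlay keeps in
    memberOf.  Only DN-valued 'member' attributes of groupOfNames entries
    contribute; memberUid values are ignored because they are not DNs."""
    rev = {}
    for group_dn, attrs in directory.items():
        if "groupofnames" in (oc.lower() for oc in attrs.get("objectclass", [])):
            for member_dn in attrs.get("member", []):
                rev.setdefault(member_dn, []).append(group_dn)
    return rev

def users_in_group(directory, group_dn):
    """Evaluate the filter (memberOf=group_dn) over the directory."""
    member_of = derive_member_of(directory)
    return sorted(dn for dn in directory if group_dn in member_of.get(dn, []))

# RFC 4515: these characters must be escaped inside a filter assertion value,
# otherwise input such as "*" or "jdoe)(uid=" changes the filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_in_group_filter(uid, group_dn):
    """The single query an integrated application sends to check one login."""
    return (f"(&(uid={escape_filter_value(uid)})"
            f"(memberOf={escape_filter_value(group_dn)}))")
```

Note that OpenLDAP treats memberOf as an operational attribute, so ldapsearch returns it only when it is requested explicitly, and the overlay populates it only for memberships written after it was loaded, which is why the post configures the overlay before adding the group.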

I leave some interesting links:

http://www.openldap.org/doc/admin24/index.html (Official OpenLDAP documentation)

http://www.openldap.org/doc/admin24/overlays.html#Reverse%20Group%20Membership%20Maintenance (Specific documentation of memberof)

I hope you find it useful.
