Cannot figure out user/group filter for the life of me

tom_bodet · August 30, 2010, 8:08pm

Okay, I know it’s been asked a bunch here, but I’m an LDAP moron and cannot figure out what I need to do.

I just pulled down 3.6.4 and installed on a Cent 5.3 system. I’ve got it communicating with my ClearOS LDAP where I have two people connected in chat using LDAP credentials.

What I need to do is make an LDAP group that is just for chat so system/maint accounts don’t show in the list.

I’ve read some people setting the filter from the LDAP page in the web gui, others are setting it via the openfire.xml. I can’t figure where either should go or what the syntax is.

I set group field to cn or uid and the test button returns what looks like a user list…but it’s only a partial so I don’t know that everything is in there. I try anything in the filter field and test shows nothing back. I set it to either, with no filter, save it, go to the groups page and see…only users…

Putting anything other than cn or uid in the group field gives me nothing.

I need help please.

And seriously, explain it to me like I’m a idiot because I’m 100% lost at this point.

tom_bodet · August 31, 2010, 5:01pm

Okay what I’ve got so far is I figured out how to set the filter for the group list. So only the users in the group are showing up, but if you do a user search, all the users in LDAP are still visible.

My base dn = ou=Accounts,dc=mydomain,dc=com

The group filter is (&(cn=chat))

How do I limit the user list to only those in the chat group?

speedy · September 1, 2010, 7:05am

This is how I do it. I wrote up a little how a few months ago. hope it helps

http://community.igniterealtime.org/message/204068#204068

tom_bodet · September 1, 2010, 12:25pm

Speedy,

Thanks for responding.

Unfortunately I don’t have AD, I’m running ClearOS which is using OpenLDAP. I’m thinking the key issue I have here is AD has the memberOf field that tags users as to what groups they are in. In OpenLDAP there doesn’t seem to be such a thing.

When I do an ldapsearch on the user list, no group information comes back. So there is nothing keeping users synced with groups. If I want to know what group a user is in, it looks like I have to query every group to see if they are there…unless someone can explain to me otherwise. Again, I’m barely a beginner in LDAP, this is just what I’ve observed at this point.

Here’s what I see in an ldapsearch on a single test user, only specifying the top level as the base DN:

Joe Bob, test, Users, Accounts, mydomain.com

dn: cn=Joe Bob,ou=Users,ou=Accounts,dc=mydomain,dc=com
uidNumber: 1014
gidNumber: 63000
loginShell: /sbin/nologin
kolabHomeServer: system.clearos.lan
kolabInvitationPolicy: ACT_MANUAL
homeDirectory: /home/joe.bob
pcnWebconfigFlag: TRUE
givenName: Joe
sn: Bob
street:
l:
st:
c:
postalCode:
o:
ou:
pcnFTPFlag: FALSE
pcnMailFlag: FALSE
pcnGoogleAppsFlag: FALSE
pcnOpenVPNFlag: FALSE
pcnPPTPFlag: FALSE
pcnWebFlag: FALSE
pcnProxyFlag: FALSE
uid: joe.bob
cn: Joe Bob
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: kolabInetOrgPerson
objectClass: hordePerson
objectClass: pcnAccount
objectClass: pcnWebconfigAccount
objectClass: pcnFTPAccount
objectClass: pcnMailAccount
objectClass: pcnGoogleAppsAccount
objectClass: pcnOpenVPNAccount
objectClass: pcnPPTPAccount
objectClass: pcnWebAccount
objectClass: pcnProxyAccount
userPassword::
pcnSHAPassword:
pcnMicrosoftNTPassword:
pcnMicrosoftLanmanPassword:
pcnFTPPassword:
pcnMailPassword:
pcnGoogleAppsPassword:
pcnOpenVPNPassword:
pcnPPTPPassword:
pcnProxyPassword:
pcnWebconfigPassword:
pcnWebPassword:

What also has me thinking this is this post: http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/f unc,view/id,27/limit,10/limitstart,20/

He shows an AD record and a ClearOS LDAP record. Sure enough, memberOf is in AD, not LDAP. I’ve got a post in the ClearOS forum trying to find out if there’s a way to add that functionality in or simulate it somehow. Otherwise I was hoping someone here had done this in a plain LDAP environment, no AD.

Right now the only thing I can think of is to bury the chat users in one OU and the system stuff in another. The problem is it adds complexity to the user creation process. ClearOS has a simple web page for adding users which automatically creates them in the Users OU. I’d then have to move/copy them into the chat OU, vs if it’s just a group, I can select their participation in that from the web GUI. Much simpler.

Edit: Okay I just found this: http://www.openldap.org/software/man.cgi?query=slapo-memberof&sektion=5&apropos= 0&manpath=OpenLDAP+2.4-Release

I’m trying that now to see if it works.

tom_bodet · September 1, 2010, 3:14pm

Done!

http://www.linuxtopia.org/online_books//network_administration_guides/ldap_admin istration/overlays_Reverse_Group_Membership_Maintenance.html

How to implement memberOf for OpenLDAP. Just sub in your domain info and in the memberOf.ldif, ignore the test user entries, just do the group mapping bit.

Then with the user filter:

(&(objectclass=inetOrgPerson)(|(memberOf=CN=chat,ou=Groups,ou=Accounts,DC=mydoma in,DC=com)))

You’re all set.