How to check whether user X is a member of a certain group on LDAP, and how to search all groups on LDAP?

1. Searching for the groups that a certain user is a member of: I asked on the python-ldap-dev mailing list how to solve the problem of reading groups. Some of the great advice I got is:

by Michael Ströder:

 1. Bear in mind that there are many different types of group entries out in the wild. LDAP entries are typed by object class, so your filter has to specifically search for group entries by object class.

 2. Additionally, for determining whether a certain user is a member of a group you have to compare a certain member attribute within the group entry with an attribute within the user's entry or with the DN of the entry.

 3. You should never ever (accidentally) request the member attribute within the group entry to be returned in the search results, since some groups can be big, leading to a large amount of data being returned.

Search filters:

The filter depends on your setup. Most likely it's:
'(objectClass=posixGroup)'
or
'(objectClass=groupOfUniqueNames)'
(objectClass values and attribute names are matched case-insensitively, so PosixGroup/posixGroup and memberUID/memberUid are equivalent.)

Filter for group and user:

'(&(objectClass=posixGroup)(memberUid=<youruser>))'

The value substituted for <youruser> must be filter-escaped first (python-ldap provides ldap.filter.escape_filter_chars for this); otherwise a name containing *, ( or ) changes the meaning of the filter instead of being matched literally.

Example combining both group types in one search:
(|(&(objectClass=posixGroup)(memberUid=jdoe))(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=jdoe,ou=users,o=ACME)))

Should I only use the default objectClass groups for OpenLDAP? While searching for groups that user X is a member of I need to deal with uid and all of that stuff. At first, deal only with LDAP (do not deal with AD at the moment; AD can't search for uid). From the python-ldap-dev mailing list:

You have to deal with all that "stuff after the uid=usera". Hint: in MS AD the DN of the user's entry does not even start with uid=!

And I have part of a record:
'member': ['cn=dummy', 'uid=usera,ou=Unit A,ou=Users,ou=testing,dc=example,dc=org']
Don't request the attribute 'member' during group lookup. Your application just has to know which groups a user is a member of. It should not retrieve all members, since there can be many!

Use:
LDAPObject.search_st(base, scope[, filterstr='(objectClass=*)'[, attrlist=None[, attrsonly=0[, timeout=-1]]]])
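The advice above in working form, as an added example that is not code from the original page, from python-ldap or from MoinMoin: it builds the two-branch group filter with the user value escaped (the escaping mirrors python-ldap's ldap.filter.escape_filter_chars), calls search_st() with an attrlist that asks only for cn so a large member list is never transferred, and shows the server-side comparison (memberUid against the uid, uniqueMember against the DN). FakeDirectory, SAMPLE_ENTRIES and the simplified normalize_dn() are constructed for this example so it runs offline; with a real python-ldap connection from ldap.initialize() the same groups_of_user() call works unchanged, since it only relies on the search_st() signature quoted above.

```python
# Added example, not code from the original page, python-ldap or MoinMoin.
# FakeDirectory and SAMPLE_ENTRIES are constructed so it runs offline; a real
# python-ldap connection (ldap.initialize(...)) offers the same search_st().
import re

SCOPE_SUBTREE = 2     # numeric value of ldap.SCOPE_SUBTREE in python-ldap
GROUP_ATTRS = ['cn']  # deliberately not member / uniqueMember / memberUid


def escape_filter_chars(value):
    """RFC 4515 escaping for a value placed inside a filter (the same
    characters ldap.filter.escape_filter_chars handles). Without it a uid
    such as '*' or 'x)(cn=*' rewrites the filter instead of being matched."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def group_filter(uid, user_dn):
    """posixGroup lists the uid in memberUid; groupOfUniqueNames lists the
    user's DN in uniqueMember, so the member attribute to compare depends on
    the object class and the filter needs one branch per class."""
    return ('(|(&(objectClass=posixGroup)(memberUid=%s))'
            '(&(objectClass=groupOfUniqueNames)(uniqueMember=%s)))'
            % (escape_filter_chars(uid), escape_filter_chars(user_dn)))


def groups_of_user(conn, base, uid, user_dn, timeout=10):
    """Return the cn of every group the user belongs to. conn needs python-ldap's
    search_st(base, scope, filterstr, attrlist, attrsonly, timeout); a finite
    timeout keeps a slow server from hanging the caller."""
    results = conn.search_st(base, SCOPE_SUBTREE, group_filter(uid, user_dn),
                             GROUP_ATTRS, 0, timeout)
    names = []
    for dn, attrs in results:
        if dn is None:  # continuation reference, not an entry
            continue
        for cn in attrs.get('cn', []):
            names.append(cn.decode() if isinstance(cn, bytes) else cn)
    return sorted(names)


# --- constructed server side, so the lookup above can be exercised offline ---

def normalize_dn(dn):
    """Simplified DN comparison (lowercase, blanks after commas dropped): an
    assumption that suffices for the sample data, not full RFC 4517 matching."""
    return ','.join(p.strip() for p in dn.lower().split(','))


def user_in_group(attrs, uid, user_dn):
    """The comparison the server performs for the filter above."""
    classes = {c.lower() for c in attrs.get('objectClass', [])}
    if 'posixgroup' in classes and uid in attrs.get('memberUid', []):
        return True
    if 'groupofuniquenames' in classes:
        members = {normalize_dn(m) for m in attrs.get('uniqueMember', [])}
        return normalize_dn(user_dn) in members
    return False


_FILTER_RE = re.compile(
    r'\(\|\(&\(objectClass=posixGroup\)\(memberUid=(.*)\)\)'
    r'\(&\(objectClass=groupOfUniqueNames\)\(uniqueMember=(.*)\)\)\)')


def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


class FakeDirectory:
    """Evaluates only the filter shape group_filter() produces, but honours base
    and attrlist like a real server, so the result shows what crosses the wire."""

    def __init__(self, entries):
        self.entries = entries  # list of (dn, {attr: [values]})
        self.last_call = None

    def search_st(self, base, scope, filterstr='(objectClass=*)',
                  attrlist=None, attrsonly=0, timeout=-1):
        self.last_call = (base, scope, filterstr, attrlist)
        m = _FILTER_RE.fullmatch(filterstr)
        if not m:
            raise ValueError('FakeDirectory only evaluates group_filter() output')
        uid, user_dn = _unescape(m.group(1)), _unescape(m.group(2))
        out = []
        for dn, attrs in self.entries:
            if dn.lower().endswith(base.lower()) and user_in_group(attrs, uid, user_dn):
                keep = attrs if attrlist is None else {a: attrs[a] for a in attrlist if a in attrs}
                out.append((dn, keep))
        return out


SAMPLE_ENTRIES = [  # constructed: one posixGroup, two groupOfUniqueNames
    ('cn=developers,ou=groups,o=ACME',
     {'objectClass': ['posixGroup'], 'cn': ['developers'], 'memberUid': ['jdoe', 'asmith']}),
    ('cn=wiki-editors,ou=groups,o=ACME',   # big group: 5000 extra members
     {'objectClass': ['groupOfUniqueNames'], 'cn': ['wiki-editors'],
      'uniqueMember': ['uid=jdoe, ou=users, o=ACME'] + ['uid=u%d,ou=users,o=ACME' % i for i in range(5000)]}),
    ('cn=admins,ou=groups,o=ACME',
     {'objectClass': ['groupOfUniqueNames'], 'cn': ['admins'], 'uniqueMember': ['uid=root,ou=users,o=ACME']}),
]
```

groups_of_user(FakeDirectory(SAMPLE_ENTRIES), 'o=ACME', 'jdoe', 'uid=jdoe,ou=users,o=ACME') yields ['developers', 'wiki-editors'], and the wiki-editors entry comes back as just {'cn': ['wiki-editors']} because only cn was requested. Passing '*' as the uid returns nothing: after escaping it is a literal asterisk, not a wildcard that would match every group.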

2. Define the MoinMoin (MM) LDAP configuration file

How other software solved LDAP auth:
 * look at how your user accounts are created: are they uid=<user> or cn=<user>?
 * IBM DB2 has a group lookup plug-in

MoinMoin: MelitaMihaljevic/ProjectLogs/LdapGroups (last edited 2008-06-20 11:11:24 by MelitaMihaljevic)