Custom LDAP structure


#1

Hello,
Is there a possibility to use a custom attribute to find the user in LDAP (for login) and a different attribute to connect a group to this user? What I would want to do is to login with email, but the groups still have the user's dn as a member attribute.
I’ve tried

  ldap:
    user-dn-pattern: mail={0}
    group-search-filter: (member={0})

but this does not work, probably because the mail is username@example.com but the member is just cn=very_long_and_hashed_username,dc=example,dc=com. I don’t have access to the LDAP directory (meaning propose that many changes). Is there any way around this?

Another question would be, if it is possible to use the ‘orthogonal’ implementation of groups, where the group does not have a list of its members, but the user has the list of groups he is a member in. In this setup I’ve tried

  ldap:
    group-search-filter: (@(memberOf={0}))

but I suspect that shinyproxy pastes user’s dn for the {0} so it does not make sense. Is it possible to do it this way?

thanks a lot
Jan


#2

Hi @Jan_Kucera,

For user lookup, there are 2 approaches:

  1. user-dn-pattern
    Use this if you can map the login name (typed by the user) directly to a DN.
    E.g. uid={0},ou=people where {0} is the login name. This approach will not work in your case, because {0} will be a mail address and will not map into the DN.

  2. user-search-base and user-search-filter
    Use this to perform a search for the user using any valid LDAP query.
    If the mail address is unique, you could use a filter like (mail={0}).

For group lookup, there is only one approach: group-search-base and group-search-filter.
However, in this case you have 3 placeholders at your disposal:

  • {0} maps to the user’s DN
  • {1} maps to the login name
  • {2} maps to the user’s CN

So I suspect this filter will work in your case:

group-search-filter: (member={0})

#3

Hi, thanks for the tip, I will try the user-search-base as soon as I can.
As for the group-search-filter: I don’t know if I’ve explained it correctly. The setup I am dealing with is that the member is not specifically listed on the group object in an attribute (e.g. member), but the group is listed in the memberOf attribute on the user object. So I guess I would need something like {3} which would map to the group’s DN, if I understand it correctly.


#4

Ahh I see. That is unfortunately not possible in the current implementation.
The idea would be to search for the user object, and return the ‘memberOf’ values of that object, right?

Then the group-search-filter should be the same as the user-search-filter (thus returning the same user object).
But this requires a change to LDAPAuthenticationType.java so that the group search returns the memberOf attribute instead of the cn attribute.
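Added example (not ShinyProxy's own code): a small Python simulation of the two lookup steps described in #2 and #4, run against a constructed in-memory directory. The directory entries, attribute values and helper names are assumptions; it shows the working search-then-member chain, why (memberOf={0}) returns nothing when {0} is the user's DN, and the memberOf-on-the-user alternative that the current implementation does not offer.

```python
"""Simulate ShinyProxy's user search + group search with {0}/{1}/{2} placeholders."""
import re

# Constructed sample directory: DN -> attributes (all values are made up).
DIRECTORY = {
    "cn=a1b2c3hashed,dc=example,dc=com": {
        "cn": ["a1b2c3hashed"],
        "mail": ["jan@example.com"],
        "memberOf": ["cn=analysts,ou=groups,dc=example,dc=com"],
    },
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "cn": ["analysts"],
        "member": ["cn=a1b2c3hashed,dc=example,dc=com"],
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a substituted login name cannot change the filter structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def fill(filter_template: str, *args: str) -> str:
    """Substitute {0}, {1}, {2} with escaped values (what the LDAP template does)."""
    return filter_template.format(*(escape_filter_value(a) for a in args))

def search(filter_str: str) -> list:
    """Tiny evaluator supporting a single (attr=value) equality filter only."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, value = m.groups()
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), value)
    return [dn for dn, attrs in DIRECTORY.items() if value in attrs.get(attr, [])]

def resolve_groups(login: str, user_search_filter: str, group_search_filter: str):
    """Step 1: find exactly one user ({0} = login). Step 2: find groups
    ({0} = user DN, {1} = login, {2} = user CN). Returns (user_dn, group CNs)."""
    users = search(fill(user_search_filter, login))
    if len(users) != 1:          # ambiguous or unknown login: refuse, do not guess
        return None, []
    user_dn = users[0]
    cn = DIRECTORY[user_dn]["cn"][0]
    groups = search(fill(group_search_filter, user_dn, login, cn))
    return user_dn, [DIRECTORY[g]["cn"][0] for g in groups]

def groups_via_member_of(user_dn: str) -> list:
    """The 'orthogonal' model from #4: read memberOf off the user entry itself."""
    return [DIRECTORY[g]["cn"][0] for g in DIRECTORY[user_dn].get("memberOf", [])]
```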


#5

Hi @fmichielssen, you were right, the user-search- attributes together with the group-search-filter did the job. (I finally found the mapping from where the user is mentioned on a group.)

After that I tried to find any mention of user-search-filter in the docs and couldn’t find any, maybe it would be good to add something there. e.g.

  • user-dn-pattern: pattern of the distinguished name for a user;
    • {0} maps to the login name;
  • user-search-base: search base for LDAP user;
  • user-search-filter: filter used to search for LDAP user; In the filter :
    • {0} maps to the login name;
  • group-search-filter: filter used to search for LDAP user. In the filter:
    • {0} maps to the user’s DN;
    • {1} maps to the login name;
    • {2} maps to the user’s CN;

The example for email instead of uid for forumsys could then look like

    ldap:
      url: ldap://ldap.forumsys.com:389/dc=example,dc=com
      user-search-base:
      user-search-filter: (mail={0})
      group-search-base:
      group-search-filter: (uniqueMember={0})
      manager-dn: cn=read-only-admin,dc=example,dc=com
      manager-password: password

#6

Hi @Jan_Kucera,

Thanks for the heads up, we’ll expand the LDAP documentation to include any undocumented settings.