LDAP auditor and admin groups not working for OpenLDAP

Issue #828 resolved
Drees Dreessen created an issue

Hi there.

I have an issue with the LDAP auth on my local piler installation.

First I had to change some lines in auth.php to match our objectClass, since it always seemed to filter for objectClass=user. Now our users can log in with their LDAP credentials and everyone is seeing their own mails.

I assigned some users to specific LDAP groups for admins and auditors and set the DNs specifically to:

    $config["LDAP_AUDITOR_MEMBER_DN"]="cn=piler_auditor,ou=groups,dc=example,dc=de";
    $config['LDAP_ADMIN_MEMBER_DN'] = 'cn=piler_admin,ou=groups,dc=example,dc=de';

I analysed our mail log and I see no queries going out to identify whether a user is part of that specific group.

Kind Regards

Drees

Comments (10)

  1. Janos SUTO repo owner

    What did you change in auth.php exactly? Also check if the given user is part of LDAP_AUDITOR_MEMBER_DN. Note that it's case sensitive.

  2. Drees Dreessen reporter

    The given user is part of the defined LDAP group for LDAP_AUDITOR_MEMBER_DN.

    In auth.php I changed it so that the LDAP query does not search for a specific objectClass.

    Original:

        $query = $ldap->query($ldap_base_dn, "(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))", array());

    Changed:

        $query = $ldap->query($ldap_base_dn, "(&(objectClass=*)($ldap_mail_attr=$username_prefix$username))", array());

    Original:

        $query = $ldap->query($ldap_base_dn, "(|(&(objectClass=$ldap_account_objectclass)($ldap_mail_attr=$username_prefix$username))(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=$ldap_distributionlist_objectclass)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());

    Changed:

        $query = $ldap->query($ldap_base_dn, "(|(&(objectClass=*)($ldap_mail_attr=$username_prefix$username))(&(objectClass=*)($ldap_distributionlist_attr=$username_prefix$username)" . ")(&(objectClass=*)($ldap_distributionlist_attr=" . $a['dn'] . ")))", array());

    Changing the $ldap_account_objectclass variable to * was all I did (I know I could have done so in config-site.php as well, but opted to try both ways. Both yielded the same result).

    After these changes users could log in using their LDAP accounts. Before, it always wanted to auth for the objectClass "User", which we do not use for our LDAP.

    Cheers

    Drees
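The two lookups this thread is about (the account search with its objectClass filter, then the check of the user's DN against LDAP_AUDITOR_MEMBER_DN / LDAP_ADMIN_MEMBER_DN) modelled offline, as an added example. This is my own Python, not piler's auth.php; the directory entries, DNs and the inetOrgPerson / groupOfNames / member attribute names are constructed assumptions standing in for an OpenLDAP tree. It shows why objectClass=user finds nothing in such a tree while objectClass=* or the right class does, why a group check that compares DNs as plain strings is case sensitive and fails on a member value that differs only in case, and, because the auth.php line quoted above interpolates $username straight into the filter, what RFC 4515 escaping of that value changes (whether piler escapes it further up is not visible on this page).

```python
import re
from typing import List, Optional, Tuple

# Constructed stand-in for an OpenLDAP subtree (sample data, not a real directory). The classes
# inetOrgPerson/groupOfNames are my assumption for what such a tree carries instead of objectClass=user.
DIRECTORY: List[dict] = [
    {"dn": "uid=alice,ou=people,dc=example,dc=de", "objectClass": ["inetOrgPerson"],
     "uid": ["alice"], "mail": ["alice@example.de"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=de", "objectClass": ["inetOrgPerson"],
     "uid": ["bob"], "mail": ["bob@example.de"]},
    {"dn": "cn=piler_auditor,ou=groups,dc=example,dc=de", "objectClass": ["groupOfNames"],
     "member": ["uid=alice,ou=people,dc=example,dc=de"]},
    # bob's DN written with upper-case attribute types: equal for LDAP, not for a plain string compare.
    {"dn": "cn=piler_admin,ou=groups,dc=example,dc=de", "objectClass": ["groupOfNames"],
     "member": ["UID=bob,OU=people,DC=example,DC=de"]},
]
BASE_DN = "dc=example,dc=de"                                 # LDAP_BASE_DN
AUDITOR_DN = "cn=piler_auditor,ou=groups,dc=example,dc=de"   # LDAP_AUDITOR_MEMBER_DN
ADMIN_DN = "cn=piler_admin,ou=groups,dc=example,dc=de"       # LDAP_ADMIN_MEMBER_DN

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def account_filter(mail_attr: str, objectclass: str, username: str, escape: bool = True) -> str:
    """Same shape as the first auth.php query quoted above; escape=False reproduces raw interpolation."""
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass={objectclass})({mail_attr}={value}))"

def parse_filter(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Minimal filter parser: (&..), (|..), (attr=*) presence, (attr=value). No '!' or substring filters."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated filter list")
        return (op, kids), i + 1
    eq = s.index("=", i)
    close = s.index(")", eq)           # a ')' inside a value must arrive escaped as \29
    raw = s[eq + 1:close]
    if raw == "*":
        return ("present", s[i:eq]), close + 1
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", s[i:eq], value), close + 1

def _values(entry: dict, attr: str) -> List[str]:
    """Attribute lookup; attribute types are case-insensitive and the DN is not an attribute."""
    for key, vals in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return vals
    return []

def matches(node: tuple, entry: dict) -> bool:
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "present":
        return bool(_values(entry, node[1]))
    _, attr, value = node   # approximation: every attribute compared as caseIgnoreMatch
    return value.lower() in (v.lower() for v in _values(entry, attr))

def normalize_dn(dn: str) -> str:
    """Cheap DN normalization (lower-case, no blanks around ',' and '='); RFC 4514 escapes ignored."""
    return ",".join(re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in dn.split(","))

def search(directory: List[dict], base_dn: str, filter_str: str) -> List[str]:
    """Subtree search under base_dn; returns the DNs of matching entries in directory order."""
    node, _ = parse_filter(filter_str)
    base = normalize_dn(base_dn)
    return [e["dn"] for e in directory if normalize_dn(e["dn"]).endswith(base) and matches(node, e)]

def is_member(directory: List[dict], group_dn: str, user_dn: str, normalize: bool = True) -> bool:
    """Is user_dn in the group's member/uniqueMember? normalize=False is the 'case sensitive' string compare."""
    group = next((e for e in directory if normalize_dn(e["dn"]) == normalize_dn(group_dn)), None)
    if group is None:
        return False
    key = normalize_dn if normalize else (lambda d: d)
    return any(key(m) == key(user_dn) for m in _values(group, "member") + _values(group, "uniqueMember"))

def login_role(directory: List[dict], base_dn: str, mail_attr: str, objectclass: str,
               username: str, normalize: bool = True) -> Optional[str]:
    """Model of the login path: exactly one account must match, then the group DNs decide the role."""
    hits = search(directory, base_dn, account_filter(mail_attr, objectclass, username))
    if len(hits) != 1:
        return None
    if is_member(directory, ADMIN_DN, hits[0], normalize):
        return "admin"
    if is_member(directory, AUDITOR_DN, hits[0], normalize):
        return "auditor"
    return "user"
```

With these entries `login_role(DIRECTORY, BASE_DN, "mail", "user", "alice@example.de")` returns None (no entry is objectClass=user, the symptom in the first post), `login_role(DIRECTORY, BASE_DN, "uid", "inetOrgPerson", "bob")` returns "admin", and the same call with `normalize=False` returns "user" because the member value only matches bob's DN once both sides are normalized. `account_filter("mail", "*", "*)(uid=*", escape=False)` yields `(&(objectClass=*)(mail=*)(uid=*))`, which matches both accounts; with escaping it matches none.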

  3. Janos SUTO repo owner

    Well, that's definitely a solution, however you can fix $ldap_account_objectclass by setting $config['LDAP_ACCOUNT_OBJECTCLASS'] in config-site.php. Btw. you didn't confirm that case sensitivity is not a problem in your case.

  4. Drees Dreessen reporter

    Yeah, I know. I tried to change it manually since I opted to try changing some other variables as well.

        $config['LDAP_AUDITOR_MEMBER_DN']='cn=piler_auditor,ou=groups,dc=example,dc=de';

    This is the config I use for the auditor auth.

        $config['ENABLE_LDAP_AUTH'] = 1;
        $config['LDAP_HOST'] = 'ldap://example';
        $config['LDAP_HELPER_DN'] = 'cn=example,dc=example,dc=de';
        $config['LDAP_HELPER_PASSWORD'] = 'XXXXXXXXX';
        $config['LDAP_MAIL_ATTR'] = "mail";
        $config['LDAP_AUDITOR_MEMBER_DN'] = 'cn=piler_auditor,ou=groups,dc=example,dc=de';
        $config['LDAP_ADMIN_MEMBER_DN'] = 'cn=piler_admin,ou=groups,dc=example,dc=de';
        $config['LDAP_BASE_DN'] = "dc=example,dc=de";

    This is my complete config for the ldap auth.

  5. Janos SUTO repo owner

    OK. Please clarify if the given user has 'cn=piler_auditor,ou=groups,dc=brille24,dc=de' (with lower case) in the user's group membership attributes.

  6. Drees Dreessen reporter

    We found the solution: we had to change the DISTRIBUTIONLIST_ATTR to match a different attribute and auth our users with a uid instead of mail. Sorry that I wasted your time, and thank you for your help.
