Google LDAP nested groups.


Steve Melo

May 6, 2020, 7:14:56 PM
to rundeck-discuss
Greetings,

I am unable to get nested groups working with Google's LDAP service (https://support.google.com/a/answer/9048516?hl=en).
I can authenticate and log in to Rundeck with my Google credentials and I can see a list of groups of which I am a primary member. However, I do not see those groups which are subgroups of another group (aka nested groups).

I should mention also that I am connecting to Google's LDAP service via a stunnel which is handling the secure communication required by Google.

jaas-loginmodule.conf:
multiauth {
    com.dtolabs.rundeck.jetty.jaas.JettyCachingLdapLoginModule sufficient
      debug="true"
      contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
      providerUrl="ldap://ldap.example.com:636"
      bindDn="username"
      bindPassword="password"
      authenticationMethod="simple"
      forceBindingLogin="true"
      forceBindingLoginUseRootContextForRoles="true"
      userBaseDn="ou=Users,dc=example,dc=com"
      userRdnAttribute="uid"
      userIdAttribute="uid"
      userPasswordAttribute="userPassword"
      userObjectClass="person"
      userLastNameAttribute="sn"
      userFirstNameAttribute="givenName"
      userEmailAttribute="mail"
      roleBaseDn="ou=Groups,dc=example,dc=com"
      roleNameAttribute="cn"
      roleMemberAttribute="memberUid"
      roleObjectClass="posixGroup"
      cacheDurationMillis="150000"
      supplementalRoles="user"
      reportStatistics="true"
      timeoutRead="10000"
      timeoutConnect="20000"
      nestedGroups="true";

    org.eclipse.jetty.jaas.spi.PropertyFileLoginModule required
      debug="true"
      file="/etc/rundeck/realm.properties";
};


I suspect either the `roleMemberAttribute` or `roleBaseDn` is not correct, but I don't know where to find those correct values that are set in Google's particular way.

Thanks in advance.

Reiner Acuña

May 6, 2020, 9:31:05 PM
to rundeck-discuss
Hi Steve,

You can see the LDAP structure using Apache Directory Studio to check and pass correct values to roleBaseDn and roleNameAttribute (or anything else related to your multiauth config).

Regards.

Steve Melo

May 9, 2020, 11:24:57 AM
to rundeck-discuss
Hi Reiner,

I was able to browse my directory using Apache Directory Studio, thank you for the suggestion.
What I found was that in the Group OU listing I have two possible attributes that list group membership.
Those are memberUid and member. The memberUid attribute contains usernames but not groups. The member attribute lists both users and groups but with LDAP-style naming, i.e. member=cn=devops,ou=Groups,dc=example,dc=com.

When I try to use the member attribute instead of memberUid for the roleUsernameMemberAttribute and roleMemberAttribute I see no group roles assigned to my users after logging in.

Anyone have an idea how I can make it work using the member attribute, since that is the only attribute that lists both users and groups?

-steve

Steve Melo

May 9, 2020, 11:47:31 AM
to rundeck-discuss
I was able to find the solution which was to use both member and memberUid.

      roleUsernameMemberAttribute="memberUid"
      roleMemberAttribute="member"

Hopefully this saves some time for someone in the future.

Thank you!

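As an added example (not code from the thread or from Rundeck), the following Python models the group walk that Steve's final settings imply: memberUid answers "which groups list this bare username", and member answers "which groups list that group's DN", which is what makes nesting visible. The directory entries are constructed for illustration; only the attribute names come from the thread.

```python
# Added example, not Rundeck code. Models why nested-group resolution against
# Google LDAP needs both attributes: memberUid holds bare usernames only,
# while member holds full DNs of users and of groups (constructed data).

# Constructed sample group entries keyed by DN, shaped like the thread's
# Apache Directory Studio findings (names are assumptions, not real data).
GROUPS = {
    "cn=devops,ou=Groups,dc=example,dc=com": {
        "memberUid": ["steve"],
        "member": ["uid=steve,ou=Users,dc=example,dc=com"],
    },
    "cn=engineering,ou=Groups,dc=example,dc=com": {
        "memberUid": [],                      # no direct user members
        "member": ["cn=devops,ou=Groups,dc=example,dc=com"],
    },
    "cn=staff,ou=Groups,dc=example,dc=com": {
        "memberUid": [],
        "member": ["cn=engineering,ou=Groups,dc=example,dc=com",
                   "cn=staff,ou=Groups,dc=example,dc=com"],  # self-referencing cycle
    },
}


def cn_of(dn):
    """Role name is the cn RDN, matching roleNameAttribute="cn"."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def resolve_roles(uid, groups=GROUPS):
    """Direct plus nested role names for a username.

    Step 1 (roleUsernameMemberAttribute="memberUid"): groups listing the uid.
    Step 2 (roleMemberAttribute="member", nestedGroups="true"): walk upward
    through groups whose member attribute names a found group's DN; the
    found set doubles as a visited set so cyclic memberships cannot loop.
    """
    found = {dn for dn, attrs in groups.items() if uid in attrs["memberUid"]}
    queue = list(found)
    while queue:
        child_dn = queue.pop()
        for dn, attrs in groups.items():
            if child_dn in attrs["member"] and dn not in found:
                found.add(dn)
                queue.append(dn)
    return {cn_of(dn) for dn in found}


def resolve_roles_memberuid_only(uid, groups=GROUPS):
    """What the original config saw: memberUid carries no group DNs, so
    parent groups are invisible and only direct memberships come back."""
    return {cn_of(dn) for dn, attrs in groups.items() if uid in attrs["memberUid"]}
```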
Reiner Acuña

May 9, 2020, 2:25:44 PM
to rundeck...@googlegroups.com
Thanks Steve!
