LDAP eDirectory

[aaron.t...@gmail.com]

Hi,
I am evaluating NXFilter for our School District.   I am trying to setup user authenication.  We runing NetIQ (formerly Novell) eDirectory (https://www.netiq.com/products/edirectory/).  It is LDAP compliant but when I tested the import I get users, but groups do not import.   I manually added a group but when I try to add users to the manual group none of my LDAP users show up in the list.  

I assume maybe the attributes from groups may be different in OpenLDAP and eDirectory?  Is there a way to modify what attributes is uses?

Also, I see a field for IP address in the user lists.   Is that supposed to be imported from LDAP?   Mine are all blank. 

Thanks,
Aaron

[Jinhee]

We supported eDirectory in old days. But I obsoleted it as there were so small number of users using it. You might be the second one talking about eDirectory in this forum. Do you have any reason for choosing eDirectory over OpenLDAP or Active Directory? One of the reasons we stopped to support eDirectory was that its LDAP schema is different according to its version.

Those IPs are manually filled. We didn't support single sign-on with eDirectory. Though you could make it using our custom login script if you know how to get IP - username pair from eDirectory.

This is the code when we import OpenLDAP user and groups,

            ctls.setReturningAttributes(new String[]{"cn", "uid", "memberUid", "memberOf", "objectClass"});
            String filter = "(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=posixGroup))";

If you can enable 'uid', 'memeberUid', 'memberOf' and 'posixAccount', 'posixGroup' it might be working.

[aaron.t...@gmail.com]

Using an ldap browser it looks like the groups in eDirectory are
objectClass=groupOfNames.  

When looking at the group object, users are listed with attribute "member".
When looking at the user object, they have the attribute "groupMembership"

Rather than hard-coding those values is it possible to allow the user to
set which attributes to use for user, groups, etc?    I will investigate if
I can add posix attributes to make it work.

Thanks.

[Jinhee]

We may go for more flexible way in future when we have more users for OpenLDAP and the other LDAP servers. But not now as it will require us to spend more time and effort and even if we make it that way most users will not understand how to use it unless they have enough knowledge and experience with LDAP.

If you can't find a solution then we can add some flag on 'cfg.properties'. When you set the flag NxFilter uses eDirectory import routine instead of the one for OpenLDAP. We can modify v3.1.9 for you to test and if it works we can add that feature on v3.2.0 as a config option.

[aaron.t...@gmail.com]

It looks like there may be a mechanism to add the Posix attributes to edirectory.  I will need to research this further as I have never done it before.    However we are in the last couple weeks of school and my time is limited until summer.  

[aaron.t...@gmail.com]

OK, that was easier than I thought.   I have added the posixGroup attribute to the group and it now sees the group and imports it but my users are not showing up as members of that group?   I assume this is becuase i'm not using memberUid or memeberOf attributes.

Also is there a way to mass delete all users to start fresh?


Aaron

[aaron.t...@gmail.com]

Good News!   I have LDAP sync working with eDirectory.   I'll leave some notes here in case anyone else tries to do this and needs some pointers:

0.  my users already had posixUser attribute but if this is missing look at enabling LUM for users.
1.  LUM enable the groups in eDirectory to add the posixGroup attribute
2.  edit the ldap groups in eDirectory for your ldap server and you can setup attribute mappings to map the groupMembership (edirectory) to memberOf (ldap).   once this is done they should import into nxfilter.

[Jinhee]

Yeah, that's a good news. Thanks for the sharing. To delete everything from a server, delete the server itself.

[aaron.t...@gmail.com]

Well,
my "fix" didn't work as expected.    when I changed my attribute mappings from groupMembership to memberOf it broke every other system on my network using ldap lookup.    I though the mapping would act as an alias to allow you to lookup memberOf or groupMembership but apparently its more of a permanent change and the groupMembership goes away.   When this happened all my other systems which were setup to look at the groupMembership attribute stopped working so I had to revert my changes.

If you are able to add a switch or option to allow these attributes let me know and i'll continue my testing.

Thanks,
Aaron

[Jinhee]

Replace your /nxfilter/nxd.jar with this one. And add this line into your /nxfilter/conf/cfg.properties.

  http://nxfilter.org/download/nxfilter-3.1.9-p1.zip

Since cfg.properties is not being shared among the clustering nodes you'd need to add it on every nodes.

If it goes well, we will add it into GUI on v3.2.0.

[Jinhee]

Actually you can do it on your master node alone as your slave nodes will load user data from the master node DB.

[aaron.t...@gmail.com]

Jinhee,
I don't see the line i'm supposed to add to cfg.properites?

Aaron

[Jinhee]

Sorry the line is,

  use_edirectory_query = 1

[aaron.t...@gmail.com]

Jinhee,
I am testing the patch you provided with mixed results.  
First, it does import users and groups from eDirectory.   However, it seems to have a problem with assigning group membership in different OUs. 
I have an OU called Users that has my student accounts in it and all my groups.   The students and groups import OK and i see correct membership values for the student users in nxFilter.
I have a 2nd OU called Staff that has staff accounts.   The staff accounts are also members of groups in the Users OU.   However when I import the staff accounts they do NOT get group mappings and all show up as "anon-grp".

when I do an import I see bunch of errors on the console but I don't know if that is related:




Thanks,
Aaron

[Jinhee]

We use 'groupMembership' attribute to get the relationship between groups and users. But these groups and users should be imported before we import the relationship. If there's a group name we found with 'groupMembership' but if we didn't import it from your base DN then you get 'Missing grp_id' info.

So what you need to check is if your base DN include the second OU or not. If it doesn't you can add one more LDAP importation setup to include that.

Otherwise you can get me a dump text for your ldap query.

            ctls.setReturningAttributes(new String[]{"cn", "groupMembership", "objectClass"});
            String filter = "(|(objectClass=Person)(objectClass=inetOrgPerson)(objectClass=groupOfNames))";

You know what this is. We import "cn", "groupMembership", "objectClass" attributes with "(|(objectClass=Person)(objectClass=inetOrgPerson)(objectClass=groupOfNames))" filter.

[aaron.t...@gmail.com]

Hi Jinhee,
I'm back to testing this again.  Based on your last email about the Base DN I have tested the LDAP import by going up a level and setting my base DN to o=dist86 (see attached picture fro my tree structure).

This imported all users from both Staff OU and Users OU but did not import any groups and did not assign any relationships.

Attached is a screenshot of the LDAP attributes for both a student and a staff account. 



Also, it would be much cleaner/easier to let us specify the groups we want to import.  I really only need 2 or 3 -- Staff and Students (maybe Admins).  But doing an import brings in about 30 groups taht we use for internal purposes taht I don't need in my filter.


Thanks again for you time and efforts. 

Aaron

[Jinhee]

There was some change in LDAP importation with v3.3.0 and later. The problem was that when you import it using your OU you don't get the groups or relations and if you import it on lower level without OU you can't go through the login-page. But I made it keeping the original DN with OU and using the original DN to login. So it might be OK if you import it without OU. I mean the lower base DN level.

About the unwanted groups, we have 'Exclude Keyword' on the edit page of LDAP importation. Maybe we can add 'Include Keyword' later but this time try to use 'Exclude Keyword'.

[Jinhee]

v3.3.0 has a bug with LDAP importation. There was a massive change on LDAP importation to solve this guy's problem.

  https://groups.google.com/forum/#!topic/nxfilter200/1N-l5ssg3lY

And I think you have the same problem beside that you are on eDirectory. He reported me that his problem has been solved with v3.3.4. If v3.3.4 solves your problem we can add an option for eDirectory.

[aaron.t...@gmail.com]

Jinhee,

I had some free time so I fired up my VM and updated from 3.1.9 to 3.4.6 and tested LDAP import.   Sadly, nothing appears to have changed and group user group import is still not working against eDirectory.  I would be happy to provide data and testing if there is any interest from the developers to address this issue.

Thanks,

Aaron

[Jinhee]

Send me your dump text from your LDAP search result with your basedn. We can work on it if we can finish it in this month. But we will work on it another thing from next month. When you send me the text, get me some of your missing users or groups, relationships.