Group check with apple openldap


Abdsamad

Mar 1, 2012, 4:48:09 AM3/1/12
to RCDevs Security Solutions - Technical
Hi,

The group check doesn't work in an LDAP domain when I use Apple
OpenLDAP; it works well with an AD LDAP.

For the AD LDAP, I guess you check the "memberOf" attribute on the user
record and the "member" attribute on the group record.

With Apple OpenLDAP, I see only a "memberUid" attribute on the group.

In the webadm.conf file, I first tried to add "memberUid":

member_attrs "member", "memberUid"
memberof_attrs "memberOf", "groupMembership"

Second, I tried to add "apple-generateduid" and "apple-group-memberguid"
to maybe make the link:

member_attrs "member", "memberUid", "apple-group-memberguid"
memberof_attrs "memberOf", "groupMembership", "apple-generateduid"

But without success.

You can see below how a user record and a group record look in the Apple
OpenLDAP.

Group:

dn: cn=g_network_admins,cn=groups,dc=bres,dc=toto,dc=com
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject
objectClass: top
objectClass: webadmGroup
gidNumber: 1316
apple-generateduid: 5688E1C1-ED8F-44B5-9312-C998ACB9B06A
apple-group-realname: g_network_admins
cn: g_network_admins
apple-ownerguid: D4BC0A13-84CD-4AD1-BAAE-A1BE834521AF
apple-group-memberguid: 0B280210-A0B6-45B9-94E4-44AA89B8C7E8
apple-group-memberguid: F7A7B744-5D96-471B-B068-AB3B39EB5B28
apple-group-memberguid: 34D34DE7-C868-4EE4-BCC9-6AFB4BF25E26
memberUid: ab
memberUid: robert
memberUid: john

User:

dn: uid=ab,cn=users,dc=bres,dc=toto,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: webadmAccount
uidNumber: 435357536
apple-generateduid: 0B280210-A0B6-45B9-94E4-44AA89B8C7E8
loginShell: /bin/bash
gidNumber: 20
userPassword:: KioqKioqKio=
uid: ab
cn:: QWJkZXNzYW1hZCBCQVJBS0FUIA==
authAuthority: ;ApplePasswordServer;
authAuthority: ;Kerberosv5;0x4f3e63c944cb9e820000031b00000a57;a...@ARES.COVERWAY.COM;ARES.COVERWAY.COM;1024 35
description: actif
homeDirectory: 99
givenName: Abdessamad
sn: 99
preferredLanguage: FR
webadmSettings: OpenOTP.ReplyData="192.168.22.254:Filter-ID="SonicWALL Administrators""
webadmData: OpenOTP.TokenType=lx6Rlw==,OpenOTP.TokenKey=D++lNEp9TBEUNThjfcps3v1njVY=,OpenOTP.LastLogin=8WZTn/k/3biYwU+xWPKSE5ozRg==,OpenOTP.LoginCount=8mQ=,OpenOTP.TokenState=9y5A3VEO8fU=

Administrators

Mar 1, 2012, 4:57:52 AM3/1/12
to RCDevs Security Solutions - Technical
The memberUid will not work. WebADM expects a member-like attribute
with the DN of the members (indirect groups) or a memberOf-like
attribute with the DN of the groups (direct groups).

memberUid is for UNIX (POSIX groups) and contains the user ID, not
the user DN. WebADM does not do the mapping for that.
You can certainly create standard groups with the "member" attrs in
the Apple OpenLDAP like in other OpenLDAPs.

Abdsamad

Mar 1, 2012, 7:57:55 AM3/1/12
to RCDevs Security Solutions - Technical
I will try to activate the memberof overlay function on Open Directory
(Apple OpenLDAP).

http://www.openldap.org/doc/admin24/overlays.html#Member%20Of%20Configuration
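As an added example that is not code from this thread or from WebADM, the check below runs a DN-based membership test of the kind the reply describes against entries constructed to mirror the two records quoted above, then shows the two fixes discussed: a group carrying a "member" attribute with user DNs, and a memberOf attribute of the sort the memberof overlay maintains. The helper names (dn_based_check, posix_check, add_member_attr, simulate_memberof_overlay) are assumed for illustration.

```python
# Constructed entries mirroring the group and user records quoted in the thread.
GROUP_DN = "cn=g_network_admins,cn=groups,dc=bres,dc=toto,dc=com"
USER_DN = "uid=ab,cn=users,dc=bres,dc=toto,dc=com"

DIRECTORY = {
    GROUP_DN: {
        "objectClass": ["posixGroup", "apple-group"],
        "memberUid": ["ab", "robert", "john"],    # uids, not DNs
    },
    USER_DN: {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["ab"],                            # no memberOf attribute
    },
}


def dn_based_check(directory, user_dn, group_dn,
                   member_attrs=("member",), memberof_attrs=("memberOf",)):
    """Match DNs only: a group member attribute holding the user DN (indirect)
    or a user memberOf attribute holding the group DN (direct). Listing
    memberUid in member_attrs does nothing, because it never holds a DN."""
    group = directory.get(group_dn, {})
    user = directory.get(user_dn, {})
    indirect = any(user_dn in group.get(a, []) for a in member_attrs)
    direct = any(group_dn in user.get(a, []) for a in memberof_attrs)
    return indirect or direct


def posix_check(directory, user_dn, group_dn):
    """memberUid holds a uid, so the caller must map the user DN to its uid."""
    uids = directory.get(user_dn, {}).get("uid", [])
    members = directory.get(group_dn, {}).get("memberUid", [])
    return any(u in members for u in uids)


def add_member_attr(directory):
    """Turn each POSIX group into a DN-based group by resolving uid -> DN
    (a standard group with a member attribute, as the reply recommends).
    Uids with no matching entry in the directory are skipped."""
    fixed = {dn: {k: list(v) for k, v in a.items()} for dn, a in directory.items()}
    uid_to_dn = {u: dn for dn, a in directory.items() for u in a.get("uid", [])}
    for attrs in fixed.values():
        if "memberUid" in attrs:
            attrs["member"] = [uid_to_dn[u] for u in attrs["memberUid"] if u in uid_to_dn]
    return fixed


def simulate_memberof_overlay(directory):
    """Approximate what the memberof overlay maintains: for each DN listed in
    a group's member attribute, add the group DN to that entry's memberOf."""
    out = {dn: {k: list(v) for k, v in a.items()} for dn, a in directory.items()}
    for group_dn, attrs in directory.items():
        for member_dn in attrs.get("member", []):
            if member_dn in out:
                out[member_dn].setdefault("memberOf", []).append(group_dn)
    return out
```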