Using Group Authorization with OpenLDAP


Brent Bice

Aug 2, 2016, 5:49:37 PM
to simple...@googlegroups.com
We've been using simplesamlphp for a while now using the LDAP
authsource with an OpenLDAP server. So far we've always wanted to allow
every user in a particular branch of the LDAP tree to auth with various
SAML service providers but now we want to filter out which users are
authorized and which aren't for different services.

In our case, each user's LDAP record has no attribute specifying
what groups he or she is a member of, but instead there are
groupOfUniqueMember objects in LDAP which contain "member" attributes,
each one specifying the DN of a user who is a member of that group.

Ideally, I'd like to have a way to specify in each SP metadata entry
a group that users must be a member of in order to be authorized for
that service provider. So, I was thinking maybe I could accomplish this
with a combination of the authproc.sp array, using the
authorize:Authorize class to specify a group array (DNs of the
groupOfUniqueMember attributes?) and the ldap:AttributeAddUsersGroups
filter. Does this make sense?

Reading the docs on ldap:AttributeAddUsersGroups, I'm not quite sure
what the config would be to tell it to query ou=Groups,dc=domain,dc=com
for (objectclass=groupOfUniqueMembers) and to find any groups where the
"member" attribute was the same as the authenticating user's DN.

Is this possible? Anyone have a config example I could use as a
starting point?

Brent

Marco Ferrante

Aug 3, 2016, 3:27:16 AM
to simple...@googlegroups.com
On 02/08/2016 23:49, Brent Bice wrote:
> ...snip...
> In our case, each user's LDAP record has no attribute specifying what
> groups he or she is a member of, but instead there are
> groupOfUniqueMember objects in LDAP which contain "member" attributes,
> each one specifying the DN of a user who is a member of that group.

I solved it this way:
- in the LDAP authsource, add the operational attribute entryDN
(available in Sun Directory Server, ApacheDS and OpenLDAP at least):

'example-ldap' => array(
    'ldap:LDAP',
    // other ldap:LDAP options omitted
    'search.attributes' => array('uid', 'mail', ... 'entryDN'),
),

- then add to the authproc

nn => array(   // nn: the filter's priority number in the authproc array
    'class' => 'ldap:AttributeAddFromLDAP',
    'authsource' => 'example-ldap',
    'ldap.basedn' => 'dc=example,dc=org',
    'attributes' => array('isMemberOf' => 'entryDN'),   // group's entryDN -> isMemberOf
    'search.filter' => '(member=%entryDN%)',            // %entryDN% is the user's entryDN
),

In this example groups belong to the groupOfNames objectclass; for
groupOfUniqueNames change the filter to '(uniqueMember=%entryDN%)'.

After this step in the authproc you will have the isMemberOf attribute
populated.


--
Marco Ferrante (ma...@csita.unige.it)
Università degli Studi di Genova
CTS GARR-IDEM

Peter Schober

Aug 3, 2016, 5:18:09 AM
to simple...@googlegroups.com
* Brent Bice <bb...@sgi.com> [2016-08-02 23:49]:
> In our case, each user's LDAP record has no attribute specifying
> what groups he or she is a member of, but instead there are
> groupOfUniqueMember objects in LDAP which contain "member"
> attributes, each one specifying the DN of a user who is a member of
> that group.

Other than what Marco suggested you could enable OpenLDAP's memberOf
overlay, which will also make integration / authorisation with
*other* LDAP clients much easier:

http://www.openldap.org/doc/admin24/guide.html#Reverse%20Group%20Membership%20Maintenance

Best regards,
-peter
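The two approaches in this thread (Marco's reverse lookup of group objects via '(member=%entryDN%)' / '(uniqueMember=%entryDN%)', and Peter's memberOf overlay that keeps a memberOf attribute on the user entry) both end in the same per-SP check. The following is an added example, not code from the thread, from simplesamlphp or from OpenLDAP: it models both lookups against a small constructed in-memory directory so the logic can be run offline, and it shows the one detail that deserves attention when a DN is substituted into a search filter, namely RFC 4515 escaping of the value. All DNs, entries and function names are constructed for the example.

```python
# Added example (not from the thread, simplesamlphp or OpenLDAP). It models:
#   1. reverse lookup: search group objects whose member/uniqueMember attribute
#      equals the user's entryDN (what ldap:AttributeAddFromLDAP does with the
#      filter '(member=%entryDN%)'), and
#   2. the OpenLDAP memberOf overlay, which maintains memberOf on the user entry.
# Both feed the same per-SP authorization check. All data is constructed.
import re

# Constructed in-memory directory standing in for the LDAP server.
ALICE = "uid=alice,ou=People,dc=example,dc=org"
BOB = "uid=bob,ou=People,dc=example,dc=org"
# A DN containing parentheses is legal; it is the case that breaks a naive
# '(member=<dn>)' filter unless the substituted value is escaped.
CAROL = "cn=Carol Smith (HR),ou=People,dc=example,dc=org"
WIKI = "cn=sp-wiki,ou=Groups,dc=example,dc=org"
HR = "cn=sp-hr,ou=Groups,dc=example,dc=org"

DIRECTORY = {
    ALICE: {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    # bob's entry looks as it would with the memberOf overlay enabled.
    BOB: {"objectClass": ["inetOrgPerson"], "uid": ["bob"], "memberOf": [HR]},
    CAROL: {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
    WIKI: {"objectClass": ["groupOfNames"], "member": [ALICE, CAROL]},
    HR: {"objectClass": ["groupOfUniqueNames"], "uniqueMember": [BOB, ALICE]},
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    * ( ) \\ and NUL become a backslash followed by two hex digits."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def membership_filter(entry_dn: str, attr: str = "member") -> str:
    """Build the '(member=%entryDN%)' filter with the DN properly escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(entry_dn))


def _parse_equality_filter(filt: str):
    """Parse '(attr=value)'; reject unescaped parentheses; undo RFC 4515 escaping."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt, re.DOTALL)
    if m is None:
        raise ValueError("not a simple equality filter: %r" % filt)
    raw = m.group(2)
    if "(" in raw or ")" in raw:
        raise ValueError("unescaped parenthesis in filter value: %r" % raw)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return m.group(1), value


def search(base_dn: str, filt: str) -> list:
    """Toy subtree search: DNs under base_dn with an attr value equal to the filter value."""
    attr, wanted = _parse_equality_filter(filt)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue
        if any(v.lower() == wanted.lower() for v in attrs.get(attr, [])):
            hits.append(dn)
    return sorted(hits)


def groups_by_reverse_lookup(entry_dn: str,
                             base_dn: str = "ou=Groups,dc=example,dc=org") -> list:
    """Approach 1: the isMemberOf values AttributeAddFromLDAP would produce,
    covering both groupOfNames (member) and groupOfUniqueNames (uniqueMember)."""
    found = set()
    for attr in ("member", "uniqueMember"):
        found.update(search(base_dn, membership_filter(entry_dn, attr)))
    return sorted(found)


def groups_by_member_of(entry_dn: str) -> list:
    """Approach 2: read the memberOf attribute the overlay maintains on the user."""
    return sorted(DIRECTORY.get(entry_dn, {}).get("memberOf", []))


def authorize(entry_dn: str, allowed_groups) -> bool:
    """Per-SP check in the spirit of authorize:Authorize on isMemberOf:
    allow only users who are in at least one of the SP's allowed groups."""
    member_of = {g.lower() for g in groups_by_reverse_lookup(entry_dn)}
    member_of.update(g.lower() for g in groups_by_member_of(entry_dn))
    return any(g.lower() in member_of for g in allowed_groups)


if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        print(who, "->", groups_by_reverse_lookup(who) or groups_by_member_of(who),
              "| wiki allowed:", authorize(who, [WIKI]))
```

The escaping step is the part worth checking in a real deployment: the user's DN is attacker-influenced only as far as your provisioning allows, but DNs with parentheses or asterisks do occur, and a filter built by plain string substitution will either fail the search or match the wrong entries. Whether the AttributeAddFromLDAP filter escapes the %entryDN% value is something to verify in the simplesamlphp version you run.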

Brent Bice

Aug 3, 2016, 10:57:39 AM
to simple...@googlegroups.com
On 08/03/2016 03:18 AM, Peter Schober wrote:
> Other than what Marco suggested you could enable OpenLDAP's memberOf
> overlay, which will also make integration / authorisation with
> *other* LDAP clients much easier:

Yeah, we did that for a different set of LDAP servers which we're
using to get away from NIS. Apparently the LDAP integration on some of
the newer versions of Linux will ONLY work using attributes in the
auth'd user's record instead of doing a second query to see if they're a
member of a named group object. Bummer.

The LDAP server that I must use for SAML (I won't bore the list with
the details why) was set up without the memberOf overlay and making
changes to these servers is much more involved. Will probably have to do
this at some point though...

Thanks for the help, guys. I'll try the AttributeAddFromLDAP
solution and if I can't make that go, maybe I'll just add the memberOf
overlay...

Brent
