How to verify that a member is part of a secondary group in OpenLDAP

So, recently I found this amazing application called Subsonic. In a nutshell, it is a streaming server. You can learn more about it at their web site.

Anyhow, that application has an option to create and authenticate users using LDAP. In my case I've set up an LDAP server on Ubuntu 10.04 Server edition. The way that Subsonic authenticates users is via a search based on a filter. Since I already have some users in my LDAP and I didn't want all of them to have access to that streaming server, I created a group with select users. When it came to writing a filter to search for users, I hit a wall.
When I ran ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w "xxx" '(uid=user1)', I got all information related to that user. If I ran ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -w "xxx" '(cn=subsonic)', I got a printout of the subsonic group I had created earlier, which contained the members that belong to that group. Anything that combined the two previous searches, however, returned 0 hits: membership is stored on the group entry (as member values), not on the user entry, so a filter on the user entry has nothing to match against.

So, I was completely at a loss until I stumbled across modules, in particular memberOf, which maintains a memberOf attribute on each user entry listing the groups that user belongs to.

Here's what I did to get everything up and running. Please note, this guide assumes that you already have LDAP configured on your network and that you have installed phpLDAPAdmin for LDAP management. Also, I'm assuming that you are using cn=config for your LDAP configuration database.

Step 1: Enable the memberOf module

1) SSH into your LDAP server and become root.
2) Load the memberof module by typing the following command:

# ldapmodify -Y EXTERNAL -H ldapi:///

3) Once you hit 'Enter', you will be presented with an area to type in your commands. Type in the following and press 'Ctrl + D' when done.

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

4) Make sure that the modification completed successfully.
5) Add the overlay by typing the following command:

# ldapmodify -Y EXTERNAL -H ldapi:///

6) Once you hit 'Enter', you will be presented with an area to type in your commands. Type in the following and press 'Ctrl + D' when done.

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof

Make sure that this command executes without any errors!
7) Restart your LDAP server by typing:

# /etc/init.d/slapd restart

Step 2: Add a new group

For this guide, I'm going to call my group 'subsonic'. Note that the overlay only maintains memberOf for membership changes made after it was loaded, so create the group now (or re-add the members of an existing group) rather than relying on a group that was populated earlier.
1) To do that, log in to your phpLDAPAdmin web interface.
2) Navigate to your ou=Groups.
3) Create a new child entry under ou=Groups. Select 'User Group' as the template.
4) Name the group 'subsonic' and add the users that should be part of it.

Step 3: Verify that everything is working properly

In order to verify that everything was successful, SSH back into the LDAP server's console and type in the following command (replacing the needed fields with the appropriate information):

# ldapsearch -b "dc=example,dc=com" -D "cn=admin,dc=example,dc=com" -W '(&(uid=user1)(memberof=cn=subsonic,ou=Groups,dc=example,dc=com))'

If you see any search results (the entry for user1), everything works!

Step 4: Configure Subsonic to authenticate appropriate users

1) Log in to your Subsonic page using an account with administrative rights.
2) Navigate to Settings | Advanced.
3) Under the LDAP section, fill in the following:
LDAP URL: ldap://<IP Address of your LDAP Server>/<Your Base DN>
LDAP Search Filter: (&(uid={0})(memberof=cn=subsonic,ou=Groups,dc=example,dc=com))
4) Make sure that you have checked 'Automatically create users in Subsonic'!
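As an added example (not part of the original post and not Subsonic's own code), the Python script below builds the Step 4 filter with the login name escaped per RFC 4515, since Subsonic substitutes whatever name is entered for {0}, and checks a constructed ldapsearch result from Step 3 for the memberOf value. It assumes memberOf was requested explicitly in the ldapsearch (OpenLDAP treats it as an operational attribute), and the DN comparison is a simplified case-insensitive one.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value. Subsonic
# substitutes the login name for {0}; unescaped, a name such as "*)(uid=*" rewrites
# the filter instead of being compared against uid.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
GROUP_DN = "cn=subsonic,ou=Groups,dc=example,dc=com"  # the group created in Step 2

def escape_filter_value(value):
    """Escape a value so it can only ever be compared, never change the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_filter(username, group_dn=GROUP_DN):
    """The membership filter from Steps 3 and 4, with the user name escaped."""
    return "(&(uid=%s)(memberof=%s))" % (escape_filter_value(username), escape_filter_value(group_dn))

def _unfold(ldif_text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_of_groups(ldif_text):
    """Collect the memberOf values from the LDIF that ldapsearch printed."""
    groups = []
    for line in _unfold(ldif_text):
        m = re.match(r"^memberof:\s*(.+)$", line, re.IGNORECASE)  # attribute names are case-insensitive
        if m:
            groups.append(m.group(1).strip())
    return groups

def is_member(ldif_text, group_dn=GROUP_DN):
    """True if the entry lists group_dn among its memberOf values (simplified DN comparison)."""
    return any(g.lower() == group_dn.lower() for g in member_of_groups(ldif_text))

# Constructed sample of ldapsearch output for user1 once the overlay is active and
# memberOf is requested explicitly (it is an operational attribute in OpenLDAP).
SAMPLE_LDIF = """\
dn: uid=user1,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: user1
memberOf: cn=subsonic,ou=Groups,dc=example,dc=com
memberOf: cn=staff,ou=Groups,dc=example,dc=com
"""
```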

Hope this was helpful!
