Condition OR for LDAP in group

Hello.
I need some help with LDAP, namely with an OR condition for groups.
I have two groups on my LDAP server. The first group is for OpenNebula admins, the second for OpenNebula developers:

oned-admin
oned-dev

And I want to map users from the oned-admin LDAP group to the oneadmin group in OpenNebula, and users from the oned-dev LDAP group to the users group in OpenNebula.

For that I added an OR condition for the group in the LDAP auth configuration file, ldap_auth.conf:

:group: '(|(cn=oned-admin,cn=groups,cn=accounts,dc=example,dc=net)(cn=oned-dev,cn=groups,cn=accounts,dc=example,dc=net))'

But I get an error:

User test is not in group (|(cn=oned-admin,cn=groups,cn=accounts,dc=example,dc=net)(cn=oned-dev,cn=groups,cn=accounts,dc=example,dc=net))

When I use a group filter without the OR condition, authentication succeeds.

:group: 'cn=oned-admin,cn=groups,cn=accounts,dc=example,dc=net'

Does OpenNebula support an OR condition in the group filter?

Hi @perrfect,

You can do that by using Group Mapping.

Update both groups with the attribute GROUP_DN set to cn=oned-admin,cn=groups,cn=accounts,dc=example,dc=net for oneadmin and set to cn=oned-dev,cn=groups,cn=accounts,dc=example,dc=net for users.

Cheers.

Thank you so much for the reply.

When I set GROUP_DN in this case, which :group: in the config file should I use?

@perrfect I'm using a similar config. How did you fix the problem?

Hello.
It was a long time ago.
But these configs solved my problem:
/etc/one/auth/ldap_auth.conf

server 1:
    :auth_method: :simple
    :host: ldap.example.com
    :port: 636
    :user: 'uid=id,cn=users,cn=accounts,dc=example,dc=com'
    :password: 'some_password_here'
    :encryption: :simple_tls
    :base: 'cn=users,cn=accounts,dc=example,dc=com'
    :group_base: 'cn=groups,cn=accounts,dc=example,dc=com'
    :user_field: 'uid'
    :group_field: 'member'
    :mapping_generate: true
    :mapping_timeout: 300
    :mapping_filename: server1.yaml
    :mapping_key: GROUP_DN
    :mapping_default: false
    :rfc2307bis: false
:order:
    - server 1

/var/lib/one/server1.yaml

cn=oned-dev,cn=groups,cn=accounts,dc=example,dc=com: '101'
cn=oned-adm,cn=groups,cn=accounts,dc=example,dc=com: '0'
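As an added illustration (not OpenNebula's own code and not from the thread), a simplified model of how a mapping file like server1.yaml resolves the LDAP groups a user belongs to into OpenNebula group IDs, including the case where the user is in no mapped group and :mapping_default: is false. The mapping content, the DN normalisation and the lint for the :group: value are assumptions made for this example.

```python
# Added example, not OpenNebula's implementation: a minimal model of the
# GROUP_DN mapping described in the thread. Mapping content is constructed.
from typing import Dict, List, Union

# Constructed mapping file in the same "dn: 'id'" form as server1.yaml.
MAPPING_FILE = """
cn=oned-dev,cn=groups,cn=accounts,dc=example,dc=com: '101'
cn=oned-adm,cn=groups,cn=accounts,dc=example,dc=com: '0'
"""


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip spaces around the RDN separators.
    Real LDAP DN matching is more involved; this is a deliberate simplification."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_mapping(text: str) -> Dict[str, str]:
    """Parse "group-dn: 'id'" lines into {normalized_dn: opennebula_group_id}."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, gid = line.rpartition(":")  # DNs here contain no ':', so split at the last one
        mapping[normalize_dn(dn)] = gid.strip().strip("'\"")
    return mapping


def resolve_groups(member_of: List[str], mapping: Dict[str, str],
                   mapping_default: Union[bool, int]) -> List[str]:
    """Return the OpenNebula group IDs for the LDAP groups a user is a member of.
    Assumption modelled here: with mapping_default false, a user in no mapped
    group gets no group at all, which is the case an admin should expect to fail."""
    ids = [mapping[normalize_dn(dn)] for dn in member_of if normalize_dn(dn) in mapping]
    if not ids and mapping_default is not False:
        ids = [str(mapping_default)]
    return ids


def group_value_looks_like_filter(group_value: str) -> bool:
    """Heuristic lint for the thread's original problem: the error message shows the
    whole '(|(...)(...))' string being treated as one group name, so a :group: value
    that starts with '(' is almost certainly a search filter rather than a single DN."""
    return group_value.strip().startswith("(")
```

Running resolve_groups against a user's memberOf list before enabling a new mapping file shows which OpenNebula group that user will land in, and an empty result with mapping_default false is the login that will be refused.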