memberOf attribute does not exist when user is in a group (dirsrv, CentOS6.2) - ldap

I have a problem adding a user to a group using dirsrv on CentOS 6.2.
Default schema; I have user jmarsden in "People" and created a group in "Groups".
I tried all the group types: groupOfNames, groupOfUniqueNames, posixGroup. The member attribute (member, uniqueMember or memberUid) is successfully added:
member=uid=jmarsden,ou=People,dc=mymy,dc=localdomain
But when I fetch operational attributes using Apache Directory Studio there is no memberOf attribute for user jmarsden. A search with the filter "memberOf=cn=M*" does not work either.
What am I doing wrong?

memberOf is an attribute that is most often associated with Active Directory.
Many LDAP implementations do not use an attribute on the user to represent which groups the user is a member of.
Which LDAP implementation are you using?
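As an added illustration (not from the question or the answer), the Python below models the point the answer makes: the user entry carries no memberOf, the groups carry the forward membership, and a client that wants "which groups is this user in" has to do the reverse lookup itself. 389 Directory Server (dirsrv) only populates memberOf on user entries when its MemberOf plugin is enabled; the apply_memberof helper here mimics that behaviour and assumes, as such plugins do, that only DN-valued group attributes (member, uniqueMember) are followed, so a posixGroup's memberUid contributes nothing. The directory content and DNs are constructed sample data.

```python
import copy
from typing import Dict, List

Entry = Dict[str, List[str]]

USER_DN = "uid=jmarsden,ou=People,dc=mymy,dc=localdomain"

# Constructed sample directory (not real data): one user and one group of each type.
# Note that the user entry has no memberOf attribute at all.
DIRECTORY: Dict[str, Entry] = {
    USER_DN: {
        "objectClass": ["top", "person", "posixAccount"],
        "uid": ["jmarsden"],
    },
    "cn=editors,ou=Groups,dc=mymy,dc=localdomain": {
        "objectClass": ["top", "groupOfNames"],
        "member": [USER_DN],
    },
    "cn=reviewers,ou=Groups,dc=mymy,dc=localdomain": {
        "objectClass": ["top", "groupOfUniqueNames"],
        # Same DN as USER_DN, spelled with different case and spacing.
        "uniqueMember": ["UID=jmarsden, OU=People, DC=mymy, DC=localdomain"],
    },
    "cn=developers,ou=Groups,dc=mymy,dc=localdomain": {
        "objectClass": ["top", "posixGroup"],
        "memberUid": ["jmarsden"],  # a uid string, not a DN
    },
}


def normalize_dn(dn: str) -> str:
    """Case-fold and strip spaces around RDN separators so equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_of(directory: Dict[str, Entry], user_dn: str) -> List[str]:
    """Reverse lookup: every group that names this user in member, uniqueMember or memberUid.
    This is what a client must do when the server stores membership only on the group side."""
    uid = directory[user_dn].get("uid", [""])[0]
    wanted = normalize_dn(user_dn)
    found = []
    for dn, entry in directory.items():
        dn_members = entry.get("member", []) + entry.get("uniqueMember", [])
        if wanted in map(normalize_dn, dn_members) or uid in entry.get("memberUid", []):
            found.append(dn)
    return sorted(found)


def apply_memberof(directory: Dict[str, Entry],
                   group_attrs=("member", "uniqueMember")) -> Dict[str, Entry]:
    """Return a copy in which each user lists its groups in memberOf, the way a server-side
    memberOf plugin maintains the attribute. Assumption: only DN-valued group attributes
    are followed, so posixGroup/memberUid never produces a memberOf value."""
    result = copy.deepcopy(directory)
    by_norm = {normalize_dn(dn): dn for dn in result}
    for group_dn, entry in result.items():
        for attr in group_attrs:
            for member in entry.get(attr, []):
                target = by_norm.get(normalize_dn(member))
                if target is not None:
                    result[target].setdefault("memberOf", []).append(group_dn)
    return result


if __name__ == "__main__":
    print("memberOf present on user:", "memberOf" in DIRECTORY[USER_DN])
    print("groups by reverse lookup:", groups_of(DIRECTORY, USER_DN))
    print("memberOf after plugin-style pass:", apply_memberof(DIRECTORY)[USER_DN].get("memberOf"))
```

The reverse lookup finds all three groups because it also understands memberUid; the plugin-style pass yields only the two DN-based groups, which is the gap a filter such as (memberOf=...) will show on a server where membership lives only on the group.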

Related

Assign different default user groups in Keycloak based on different LDAP user federation

The question is more advanced than usual.
Imagine you have three users groups in Keycloak: Group_Basic, Group_Client_A, Group_Client_B.
You add two different LDAP user federation settings for "Client A" and "Client B".
You make Group_Basic your default group.
How do you automatically assign Group_Client_A to LDAP users from "Client A", and Group_Client_B to LDAP users from "Client B"?
Any ideas are welcome! Thanks!
Basically #Vadim pointed to the right thing:
Under the created LDAP -> Mappers -> Create ->
Mapper type: hardcoded-ldap-group-mapper
Group: /Group_Client_A
Synced the user, got the default Group_Basic group + the hardcoded Group_Client_A.
I assume pointing to a different group under a different LDAP synchronisation will get another group assigned.
Thanks!

LDAP - Meaning of objectClass = top

I was dealing with some LDAP entries and I am wondering why "objectClass = top" is always part of each entry. According to the internet this stands for the highest level of any objectClass, but why is it in every entry?
An example can be found here.
top is an abstract object class that is the parent of every LDAP object class. It is the one that defines that every object in LDAP must have an objectClass attribute.

LDAP Filter memberof

Hello, I need help optimizing an LDAP filter string because the LDAP filter is too long (maximum is 255 characters) for my tool (Foreman).
My current LDAP filter:
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=group1,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
(memberOf=CN=group2,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)
This works but I need a solution like:
(|
(memberOf=cn=admingoup,ou=groups,OU=admin,DC=xxx,DC=de)
(memberOf=CN=*,OU=dd,OU=cc,OU=ab,DC=xxx,DC=de)
)
I don't think you can work your way out without modifying your constraints somewhere:
Allow longer filters in Foreman
Modify the LDAP directory to allow substring matching on the memberOf attribute
Modify your filter. A way to do it could be:
search base DN: DC=xxx,DC=de
search filter: (&(objectclass=group)(|(cn=admingroup)(cn=group1)(cn=group2))) (This is an example; the point is to match only the groups you need, maybe using the entry ID if necessary)
attribute to retrieve: member (or the equivalent)
What it will do is retrieve all the members of these groups; duplicate members should not be a problem for access control, I presume.

User Filter for nested OU inside gitlab using RFC 4515

I am setting up gitlab to have LDAP access.
I would like to give access to 2 separate OUs, OU=Users,OU=Dept1,OU=land,DC=my,DC=com and OU=Users,OU=Dept2,OU=land,DC=my,DC=com (basically the users of 2 departments).
I believe that I would have to set the base to OU=land,DC=my,DC=com and then use a user_filter (Format: RFC 4515).
Probably something of the sort
(|(ou=Dept1)(ou=Dept2))
How do I extend this to specify only the users within those OUs? Thanks
Note:
When I use the filter (objectClass=user) I am given access;
however, if I change it to any of the following I am refused access:
(&(objectClass=user)(ou=Users))
(&(objectClass=user)(ou=Dept1))
(&(objectClass=user)(ou=Users,ou=Dept1,ou=land))
(&(objectClass=user)(ou=Users,ou=Dept1,ou=land,dc=my,dc=com))
You should add an objectClass constraint to the filter to limit it only to users, say (&(objectClass=Person)).
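The following is an added example that belongs to neither this question nor the Foreman question above it; it serves both. It is a small RFC 4515 filter evaluator plus a subtree search over a constructed tree, written to show two things a practitioner trips over here: an (ou=Dept1) item matches nothing because ou is a container RDN and not an attribute of the user entry (the search base, not the filter, scopes to a department), and a wildcard inside a memberOf value cannot match because memberOf has DN syntax and, as in Active Directory, no substring matching rule exists for it. The same search function then shows the Foreman answer's workaround: one short filter over the groups, collecting and de-duplicating their member values. Assumptions: everything lives under DC=my,DC=com (the Foreman question's group names are placed in OU=Groups there), and the DN_SYNTAX set lists which attributes are DN-valued; escapes, >=, <= and ~= are not handled.

```python
import re
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]
Predicate = Callable[[Entry], bool]

# Attributes with DN syntax: equality compares normalised DNs and, as in Active
# Directory, there is no substring rule, so a '*' in the value never matches (assumption).
DN_SYNTAX = {"member", "memberof", "manager"}

BASE = "OU=land,DC=my,DC=com"
GROUPS = "OU=Groups," + BASE
ALICE = "CN=alice,OU=Users,OU=Dept1," + BASE
BOB = "CN=bob,OU=Users,OU=Dept2," + BASE

# Constructed sample directory (not real data). No user entry carries an 'ou'
# attribute: the OUs exist only as components of the DN, as in a typical AD tree.
DIRECTORY: Dict[str, Entry] = {
    ALICE: {"objectClass": ["top", "person", "user"], "cn": ["alice"],
            "memberOf": ["CN=admingroup," + GROUPS, "CN=group1," + GROUPS]},
    BOB: {"objectClass": ["top", "person", "user"], "cn": ["bob"],
          "memberOf": ["CN=group1," + GROUPS, "CN=group2," + GROUPS]},
    "CN=lab-printer,OU=Printers,OU=Dept1," + BASE: {"objectClass": ["top", "printQueue"]},
    "CN=admingroup," + GROUPS: {"objectClass": ["top", "group"], "cn": ["admingroup"], "member": [ALICE]},
    "CN=group1," + GROUPS: {"objectClass": ["top", "group"], "cn": ["group1"], "member": [ALICE, BOB]},
    "CN=group2," + GROUPS: {"objectClass": ["top", "group"], "cn": ["group2"], "member": [BOB]},
}


def normalize_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def values(entry: Entry, attr: str) -> List[str]:
    """Attribute lookup, case-insensitive in the attribute name (attr is already lowercased)."""
    return [v for k, vs in entry.items() if k.lower() == attr for v in vs]


def _item(attr: str, value: str) -> Predicate:
    """Predicate for one (attr=value) item: presence, substring or equality."""
    if value == "*":                                   # presence
        return lambda e: bool(values(e, attr))
    if "*" in value:                                   # substring
        if attr in DN_SYNTAX:
            return lambda e: False                     # no substring rule on DN syntax
        rx = re.compile("^" + ".*".join(re.escape(p) for p in value.split("*")) + "$", re.I)
        return lambda e: any(rx.match(v) for v in values(e, attr))
    if attr in DN_SYNTAX:                              # equality on a DN
        return lambda e: normalize_dn(value) in map(normalize_dn, values(e, attr))
    return lambda e: value.lower() in (v.lower() for v in values(e, attr))


def parse_filter(text: str) -> Predicate:
    """Recursive-descent parser for the RFC 4515 subset: &, |, !, equality, presence, substring."""
    pos = 0

    def node() -> Predicate:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids: List[Predicate] = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "&":
                return lambda e: all(k(e) for k in kids)
            if op == "|":
                return lambda e: any(k(e) for k in kids)
            if len(kids) != 1:
                raise ValueError("'!' takes exactly one operand")
            return lambda e: not kids[0](e)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"no '=' in item {text[pos:end]!r}")
        pos = end + 1
        return _item(attr.strip().lower(), value)

    pred = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return pred


def search(directory: Dict[str, Entry], base: str, flt: str) -> List[str]:
    """Subtree search: the base selects the part of the tree, the filter the entries in it."""
    pred, nbase = parse_filter(flt), normalize_dn(base)
    return [dn for dn, e in directory.items()
            if (normalize_dn(dn) == nbase or normalize_dn(dn).endswith("," + nbase)) and pred(e)]


def dept1_users_by_filter() -> List[str]:
    """The GitLab attempt: 'ou' is not an attribute of the user entry, so nothing matches."""
    return search(DIRECTORY, BASE, "(&(objectClass=user)(ou=Dept1))")


def dept1_users_by_base() -> List[str]:
    """What actually scopes to one department: the search base plus a plain user filter."""
    return search(DIRECTORY, "OU=Users,OU=Dept1," + BASE, "(objectClass=user)")


def members_of_groups(group_cns: List[str]) -> List[str]:
    """Foreman workaround from the answer: a short filter over the groups, then collect
    and de-duplicate their 'member' values instead of OR-ing one memberOf clause per group."""
    flt = "(&(objectClass=group)(|" + "".join(f"(cn={cn})" for cn in group_cns) + "))"
    if len(flt) > 255:
        raise ValueError("filter still exceeds the 255-character limit")
    members = set()
    for group_dn in search(DIRECTORY, GROUPS, flt):
        members.update(normalize_dn(m) for m in values(DIRECTORY[group_dn], "member"))
    return sorted(members)
```

Calling search(DIRECTORY, BASE, "(memberOf=CN=*,OU=Groups,OU=land,DC=my,DC=com)") returns nothing while the same filter with a full group DN does; dept1_users_by_filter() is empty and dept1_users_by_base() returns alice only; members_of_groups(["admingroup", "group1", "group2"]) returns alice and bob once each, with a filter well under 255 characters.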

yii rbac: check authorizations on groups instead of users

I have a question about the RBAC system. I think I've understood it pretty well but I need more information about a special case.
I would like to do the authorizations on groups instead of users. I mean, for instance, the group "HR" has permission to create a person. Then any person who joins this group would have it as well.
Let me give you more information.
A part of my database:
And this is a part of what my group hierarchy could be:
So what I'm looking for, and this would be a must, is a system where each group has some authorizations. People get the authorizations of their group and of their parent groups (for instance people in "Forsys" have the authorizations of "Forsys", "R&D" and "Administration").
The solution I see at the moment is using a bizrule. But I'm not sure writing PHP code in the database is a good idea, and then if I update the group hierarchy (R&D inherits from RH instead of Administration) I would have to modify the bizrule in the database. I tried it and it works well but as you can see it requires a lot of code.
// bizrule body: true if the logged-in user's person record belongs to group id 2
$user = User::model()->with("people", "people.groups")->findByPk(Yii::app()->user->id);
foreach ($user->people[0]->groups as $group) {
    if ($group->id == 2) {
        return true;
    }
}
return false;
It's just to see if a user is in a group (without checking parent groups and the hierarchy).
Another possibility could be to create a new table "group_auth" where we would say, for instance:
-Group_2 has role "managePerson"
-Group_3 has operation "deleteUser"
...
And then every time a user is added to or removed from a group we would update his authorizations in the auth_assignment table.
I'd like to hear other opinions on this subject.
All comments will be appreciated :)
Thank you for reading, and sorry for my English if you had difficulties understanding me.
Michaël S.
Do users ever get their own authorization items? If not, it seems like you could in essence swap out the userid column in auth_assignment and name it / treat it as groupID instead. That way you wouldn't need to worry about keeping user auth assignments in sync with your group roles.
A couple of places you'd probably need to make some changes:
- by default CWebUser passes in the logged-in userid for use in bizrules. It might be good to change that out with your own override that passes in groupId/groupIds instead.
- you'd need to override CDbAuthManager and rework some of how things work there
We've done something similar on a project I've worked on (we were handling multi-tenant RBAC custom permissions), which required custom CDbAuthManager overrides. It gets a bit tricky if you do it, but there is an awful lot of power available to you.
Edit:
Understood about your users sometimes needing additional authorizations. What if your group had a 'roles' field with different roles serialized in it (or some other method of storing multiple roles for that group; it could also be a relationship)?
Then, on user login (for efficiency), you'd store those roles in the session. Probably the easiest way to handle things would be to write a custom checkAccess for your WebUser override:
https://github.com/yiisoft/yii/blob/1.1.13/framework/web/auth/CWebUser.php#L801
as that will make things simpler to do your custom checking. Then I'd probably do something like:
// allow if any group role grants access, or if the user's own assignments do
if (Yii::app()->user->hasGroupAccess() || Yii::app()->user->checkAccess('operation/task/role')) {
    // ...
}
In your WebUser hasGroupAccess method, you could loop over all group roles and send those to checkAccess as well.
Think that will work?
What I use to check access for groups when it's in another table, or somewhere else in the application, is to give the user the role by default. By using this:
return array(
    'components' => array(
        'authManager' => array(
            'class' => 'CDbAuthManager',
            // every authenticated user receives these roles without an auth_assignment row
            'defaultRoles' => array('authenticated', 'R&D', 'Administration'),
        ),
    ),
);
Under: Using Default Roles
By using this, every user gets these assignments. Now I create a business rule to make sure that checkAccess('group') will return the correct value.
For example in your case the business rule for R&D would be:
// bizrule for the default role "R&D": true only if the person is actually in that group
return count(
    Person::model()->findByPk(Yii::app()->user->id)->groups(array('name' => 'R&D'))
) > 0;
So what this does is:
find the logged-in person by primary key
look into groups (from the user) for the group with name R&D
if there is a group: return true (else return false)
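The question's second option, a group_auth table combined with the group hierarchy, as an added sketch in plain Python rather than Yii code (it is not from the question or either answer). It shows the resolution logic that the bizrule snippets leave out: a user gets the items of every group they belong to and of each of that group's ancestors, so moving R&D under HR instead of Administration changes what Forsys members may do without touching any per-user assignment or any stored code. The group names follow the question; the authorization items, the users and the reparent/cycle check are constructed for the example.

```python
from typing import Dict, List, Optional, Set

# Constructed sample data: group -> parent group (None at the root), mirroring the
# hierarchy described in the question (Administration > R&D > Forsys, with HR beside R&D).
GROUP_PARENT: Dict[str, Optional[str]] = {
    "Administration": None,
    "R&D": "Administration",
    "Forsys": "R&D",
    "HR": "Administration",
}

# group_auth: authorization items granted directly to a group (constructed values).
GROUP_AUTH: Dict[str, Set[str]] = {
    "Administration": {"deleteUser"},
    "R&D": {"managePerson"},
    "Forsys": set(),
    "HR": {"createPerson"},
}

# Membership: the groups each user belongs to (constructed users).
USER_GROUPS: Dict[str, List[str]] = {
    "michael": ["Forsys"],
    "dana": ["HR"],
}


def ancestors(group: str, parent: Dict[str, Optional[str]]) -> List[str]:
    """The group itself followed by its parents up to the root; a cycle raises."""
    chain: List[str] = []
    cur: Optional[str] = group
    while cur is not None:
        if cur in chain:
            raise ValueError(f"cycle in group hierarchy at {cur!r}")
        chain.append(cur)
        cur = parent.get(cur)
    return chain


def effective_items(user: str, parent=GROUP_PARENT, auth=GROUP_AUTH,
                    membership=USER_GROUPS) -> Set[str]:
    """Everything the user may do: the union of items over each of their groups and its ancestors."""
    items: Set[str] = set()
    for group in membership.get(user, []):
        for g in ancestors(group, parent):
            items |= auth.get(g, set())
    return items


def check_access(user: str, item: str, **kw) -> bool:
    """Group-based replacement for a per-user checkAccess(): no auth_assignment rows per user."""
    return item in effective_items(user, **kw)


def reparent(parent: Dict[str, Optional[str]], group: str,
             new_parent: Optional[str]) -> Dict[str, Optional[str]]:
    """Move a group in the hierarchy, returning a new mapping; rejects a move that creates a cycle."""
    updated = dict(parent)
    updated[group] = new_parent
    ancestors(group, updated)  # raises ValueError on a cycle
    return updated


if __name__ == "__main__":
    print("michael:", sorted(effective_items("michael")))
    moved = reparent(GROUP_PARENT, "R&D", "HR")  # R&D now inherits from HR
    print("michael after move:", sorted(effective_items("michael", parent=moved)))
```

With the data above michael (in Forsys) holds managePerson and deleteUser through R&D and Administration but not createPerson; after R&D is moved under HR he gains createPerson, and dana (in HR) never gains managePerson. Compared with the bizrule in the question, the hierarchy is data rather than PHP stored in the database, and a bad edit that closes a loop is rejected instead of recursing forever.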