In many scenarios it is much easier to manage permissions by adding users to specific groups and assigning permissions, roles, etc. per group rather than user by user.
One of the best-known ways to achieve this is the memberOf attribute, which is basically a list of the groups a user belongs to. With it, an LDAP query can tell whether or not a user may hold some type of privilege.
OpenLDAP does not have this enabled by default; a few small configuration changes are needed to load the required module.
memberOf Module
First, check whether the module is already loaded by looking at the entries that contain olcModuleLoad:
$ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i module
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb.la
olcObjectIdentifier: olmModuleAttributes olmSubSystemAttributes:3
olcObjectIdentifier: olmModuleObjectClasses olmSubSystemObjectClasses:3
olcAttributeTypes: ( OLcfgGlAt:30 NAME 'olcModuleLoad' EQUALITY caseIgnoreMatc
olcAttributeTypes: ( OLcfgGlAt:31 NAME 'olcModulePath' EQUALITY caseExactMatch
olcObjectClasses: ( OLcfgGlOc:8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic mo
dule info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad
As it is not loaded yet, let’s validate that the module exists in the OpenLDAP installation:
$ find / -iname memberof.la
/usr/lib/ldap/memberof.la
Create the LDIF file with the module configuration (update-module.ldif):
mkdir /work/memberof
cat << EOL > /work/memberof/update-module.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la
EOL
Load the configuration into OpenLDAP:
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /work/memberof/update-module.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=module{0},cn=config"
At this point, if the import above produced no error, the module should already be loaded; check again:
$ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config | grep -i module
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof.la
olcObjectIdentifier: olmModuleAttributes olmSubSystemAttributes:3
olcObjectIdentifier: olmModuleObjectClasses olmSubSystemObjectClasses:3
olcAttributeTypes: ( OLcfgGlAt:30 NAME 'olcModuleLoad' EQUALITY caseIgnoreMatc
olcAttributeTypes: ( OLcfgGlAt:31 NAME 'olcModulePath' EQUALITY caseExactMatch
olcObjectClasses: ( OLcfgGlOc:8 NAME 'olcModuleList' DESC 'OpenLDAP dynamic mo
dule info' SUP olcConfig STRUCTURAL MAY ( cn $ olcModulePath $ olcModuleLoad
Now we need to add the memberOf overlay to the LDAP database.
First, check the index of the mdb database (the {1} in olcDatabase={1}mdb below), since the overlay DN refers to it:
$ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdb
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb
dn: olcDatabase={1}mdb,cn=config
So let’s add the memberOf overlay schema to the database.
Create an LDIF file with the changes (add-memberof-overlay.ldif):
cat << EOL > /work/memberof/add-memberof-overlay.ldif
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
EOL
Apply the changes:
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /work/memberof/add-memberof-overlay.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"
Something important, which I hadn’t seen on any site other than https://kifarunix.com/, is the configuration of referential integrity for objects. “For example, if any attributes of a member are adjusted, all the groups to which the member belongs are also updated.”
So let’s apply it. First, look for the module:
$ find / -iname refint.la
/usr/lib/ldap/refint.la
Create the file and apply it (refint.ldif):
cat << EOL > /work/memberof/refint.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la
EOL
$ ldapadd -Y EXTERNAL -H ldapi:/// -f /work/memberof/refint.ldif
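To confirm the result of the steps above without eyeballing grep output, here is an added check script (not part of the original post). It parses a cn=config dump for what this post configures: memberof.la and refint.la in olcModuleLoad, and the memberof overlay on the mdb database with the attribute values from add-memberof-overlay.ldif. SAMPLE_CONFIG is a constructed stand-in for the output of `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config`, so the script runs offline; like the post, it only checks that refint.la is loaded, not that a refint overlay is configured.

```shell
#!/bin/sh
# Added example: verify the memberOf setup from a cn=config dump.
# Pipe in live output of: ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config
# SAMPLE_CONFIG is a constructed stand-in for that output (offline use).
SAMPLE_CONFIG='dn: cn=module{0},cn=config
olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}refint.la

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf'
# module_loaded CONFIG NAME: true if some olcModuleLoad value is NAME, ignoring the {n} prefix
module_loaded() {
    printf '%s\n' "$1" | grep -qE "^olcModuleLoad: ([{][0-9]+[}])?$2\$"
}
# overlay_present CONFIG DBINDEX: true if the memberof overlay entry hangs off olcDatabase={DBINDEX}mdb
overlay_present() {
    printf '%s\n' "$1" | grep -qxF "dn: olcOverlay=memberof,olcDatabase={$2}mdb,cn=config"
}
# overlay_attr CONFIG ATTR: print ATTR's value inside the memberof overlay entry (empty if absent)
overlay_attr() {
    printf '%s\n' "$1" | awk -v attr="$2" '
        /^dn: / { in_ov = ($0 ~ /^dn: olcOverlay=memberof,/) }
        in_ov && index($0, attr ": ") == 1 { print substr($0, length(attr) + 3); exit }'
}
# check_memberof_config CONFIG DBINDEX: prints one line per check, returns the number of failures
check_memberof_config() {
    fails=0
    for mod in memberof.la refint.la; do
        module_loaded "$1" "$mod" && echo "ok   $mod loaded" \
            || { echo "FAIL $mod missing from olcModuleLoad"; fails=$((fails + 1)); }
    done
    overlay_present "$1" "$2" && echo "ok   memberof overlay on olcDatabase={$2}mdb" \
        || { echo "FAIL no memberof overlay on olcDatabase={$2}mdb"; fails=$((fails + 1)); }
    for kv in olcMemberOfRefInt=TRUE olcMemberOfGroupOC=groupOfNames \
              olcMemberOfMemberAD=member olcMemberOfMemberOfAD=memberOf; do
        attr=${kv%%=*}; want=${kv#*=}; got=$(overlay_attr "$1" "$attr")
        [ "$got" = "$want" ] && echo "ok   $attr = $got" \
            || { echo "FAIL $attr = '$got' (want $want)"; fails=$((fails + 1)); }
    done
    return $fails
}
check_memberof_config "$SAMPLE_CONFIG" 1
```

Against a live server, replace the sample with `CONFIG=$(ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config)` and call `check_memberof_config "$CONFIG" 1`, using your own database index in place of 1.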
At this point everything should be ready and configured. The next post is Creating the initial user structure.