How-to: Remove a `uniqueMember` from an LDAP Group in Nubus for Kubernetes

Summary

In environments based on Nubus for Kubernetes, administrators may occasionally need to manually modify LDAP group memberships. One common task is removing a user from a group by deleting the corresponding uniqueMember attribute.

This article demonstrates how to perform this operation directly inside the LDAP primary pod using kubectl exec and ldapmodify.


Environment

  • Nubus / openDesk deployment running on Kubernetes
  • Access to the cluster via kubectl
  • Administrative LDAP credentials
  • Access to the LDAP primary pod (ums-ldap-server-primary-0)

Scenario

A user is still listed as a member of a group in LDAP and must be removed manually.
LDAP groups in Nubus/openDesk store their memberships using the uniqueMember attribute.

To remove a user from a group, the corresponding uniqueMember value must be deleted from the group entry.


Step 1: Execute ldapmodify inside the LDAP primary pod

The following command pipes an LDIF modification directly into the LDAP container.

cat <<EOF | kubectl exec -i -n $NAMESPACE ums-ldap-server-primary-0 -- ldapmodify -x \
-D "uid=Administrator,cn=users,dc=swp-ldap,dc=internal" \
-w univention
dn: cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal
changetype: modify
delete: uniqueMember
uniqueMember: uid=test.tiles,cn=users,dc=swp-ldap,dc=internal
EOF

Explanation

Component             Description
kubectl exec          Executes the command inside the LDAP primary pod
ldapmodify            LDAP tool used to modify existing entries
-D                    Bind DN used for authentication
-w                    LDAP administrator password
changetype: modify    Specifies that an existing entry will be modified
delete: uniqueMember  Indicates that a value should be removed from the attribute
uniqueMember          DN of the user to remove from the group

If the modification is successful, the output will look similar to:

modifying entry "cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal"

Alternative with kubectl:

kubectl exec -i -n ${NAMESPACE?} ums-ldap-server-primary-0 -- ldapmodify -x \
  -D "$(kubectl get -n ${NAMESPACE?} configmaps ums-ldap-server-primary -o json | jq -r '.data.ADMIN_DN')" \
  -w "$(kubectl get -n ${NAMESPACE?} secrets ums-ldap-server-admin -o json | jq -r '.data.password' | base64 -d)" <<EOR
dn: cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal
changetype: modify
delete: uniqueMember
uniqueMember: uid=test.tiles,cn=users,dc=swp-ldap,dc=internal
EOR

Output:

Defaulted container "main" out of: main, leader-elector, univention-compatibility (init), load-internal-plugins (init), load-ox-extension (init), load-opendesk-extension (init), load-portal-extension (init), load-opendesk-a2g-mapper-extension (init), wait-for-saml-metadata (init)
modifying entry "uid=cscheini,cn=users,dc=swp-ldap,dc=internal"

Step 2: Verify the Group Membership

After the modification, you should verify that the member has been removed from the group.

The following command performs an LDAP search directly from the Kubernetes pod while dynamically retrieving the administrator DN, password, and base DN from Kubernetes resources.

kubectl exec -n $NAMESPACE ums-ldap-server-primary-0 -- ldapsearch -x \
-D "$(kubectl get -n $NAMESPACE configmaps ums-ldap-server-primary -o json | jq -r '.data.ADMIN_DN')" \
-w "$(kubectl get -n $NAMESPACE secrets ums-ldap-server-admin -o json | jq -r '.data.password' | base64 -d)" \
-b "$(kubectl get -n $NAMESPACE configmaps ums-ldap-server-primary -o json | jq -r '.data.LDAP_BASEDN')" \
"cn=Domain Users" uniqueMember

Example Output

dn: cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal
uniqueMember: uid=Administrator,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=test.ox.01,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=test.ox.02,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=test.selfservice,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=test.test,cn=users,dc=swp-ldap,dc=internal

If the removed user no longer appears in the uniqueMember list, the operation was successful.
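Both steps above as one scripted sequence, added here as an example that is not part of the original article: it generates the LDIF from parameters, applies it with the credentials read from the configmap and secret named above, then re-reads the group and checks the result by script. The check unfolds LDIF continuation lines first, so a DN that ldapsearch wrapped onto two lines is still found. The pod, configmap and secret names are the article's; the sample search output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article. Shell helpers around the
# article's ldapmodify and ldapsearch steps; the pod, configmap and secret
# names are the ones the article uses, SAMPLE_SEARCH_OUTPUT is constructed.
set -eu

# LDIF deleting exactly one uniqueMember value. The value must match the stored
# DN exactly, otherwise slapd answers "No such attribute (16)" and changes nothing.
build_delete_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: uniqueMember\nuniqueMember: %s\n' "$1" "$2"
}

# ldapsearch folds lines longer than 76 columns; the remainder continues on the
# next line after one leading space. Join them so a full-DN match cannot miss.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next } NR > 1 { print buf } { buf = $0 } END { print buf }'
}

# Succeeds if DN $2 is still listed as a uniqueMember in the ldapsearch output $1.
is_member() {
  if printf '%s\n' "$1" | unfold_ldif | grep -Fxq "uniqueMember: $2"; then return 0; fi
  return 1
}

# Runs the article's procedure against the cluster (needs kubectl access):
# credentials come from the configmap/secret, the change is applied, and the
# group is re-read so the result is checked by the script rather than by eye.
remove_member() {
  ns=$1; group_dn=$2; member_dn=$3; pod=ums-ldap-server-primary-0
  admin_dn=$(kubectl get -n "$ns" configmap ums-ldap-server-primary -o jsonpath='{.data.ADMIN_DN}')
  base_dn=$(kubectl get -n "$ns" configmap ums-ldap-server-primary -o jsonpath='{.data.LDAP_BASEDN}')
  pw=$(kubectl get -n "$ns" secret ums-ldap-server-admin -o jsonpath='{.data.password}' | base64 -d)
  build_delete_ldif "$group_dn" "$member_dn" |
    kubectl exec -i -n "$ns" "$pod" -- ldapmodify -x -D "$admin_dn" -w "$pw"
  # The group's leading RDN (e.g. cn=Domain Users) doubles as the search filter.
  after=$(kubectl exec -n "$ns" "$pod" -- ldapsearch -x -LLL -D "$admin_dn" -w "$pw" \
    -b "$base_dn" "(${group_dn%%,*})" uniqueMember)
  if is_member "$after" "$member_dn"; then
    echo "ERROR: $member_dn is still a uniqueMember of $group_dn" >&2; return 1
  fi
  echo "OK: $member_dn removed from $group_dn"
}

# Constructed ldapsearch output: the last value is folded the way slapd emits it.
SAMPLE_SEARCH_OUTPUT='dn: cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal
uniqueMember: uid=Administrator,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=test.ox.01,cn=users,dc=swp-ldap,dc=internal
uniqueMember: uid=a.user.with.a.very.long.name,cn=users,dc=swp-ldap,dc=inter
 nal'
```

Usage: `remove_member "$NAMESPACE" "cn=Domain Users,cn=groups,dc=swp-ldap,dc=internal" "uid=test.tiles,cn=users,dc=swp-ldap,dc=internal"`; the offline helpers can be exercised against SAMPLE_SEARCH_OUTPUT without a cluster.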


Notes and Best Practices

  • Always perform LDAP modifications using administrative credentials.
  • Ensure the DN of the uniqueMember value exactly matches the one stored in LDAP.
  • Prefer automated tools (e.g., UDM or APIs) where possible. Direct LDAP modifications should typically only be used for troubleshooting or administrative recovery tasks.
  • In Kubernetes deployments, executing LDAP tools inside the primary LDAP pod ensures direct access to the directory service.

Conclusion

Removing a user from an LDAP group in Nubus or openDesk for Kubernetes can be performed using ldapmodify executed inside the LDAP primary pod. After applying the change, administrators should always verify the modification using ldapsearch to ensure the group membership has been updated correctly.


Inspired by: