UCS LDAP groups not working

openldap
ldap

#1

Hi, I have a UCS configured as a domain controller.
I'm using OpenLDAP auth. with Nextcloud and it works great with group filtering.
But I have tried to get LDAP working with both pfSense and VMware vCenter, for both OpenLDAP and AD.

AD won't work at all, and OpenLDAP only works for users, not any groups, for vCenter and pfSense.
In vCenter I get all of the users listed, but the groups are empty.
I'm not using SSL in my config, and again Nextcloud works great with everything.

Thanks in advance,


#2

Hey,

OpenLDAP and AD LDAP store group membership in different ways. For OpenLDAP the group membership is stored in the group’s LDAP object via the memberUid and uniqueMember attributes (which contain the user’s UIDs and DNs, respectively). In an AD LDAP, the membership is stored in the user’s LDAP object via the memberOf attribute (which contains the group’s DNs).

Therefore applications have to actively support the two different schemes if they want to use group membership information. ownCloud and Nextcloud do know about both kinds of schemes, but a lot of other applications do not.

Normally using the AD LDAP schema is easier, especially if you want to filter on group membership. For an AD LDAP you can easily specify a search filter such as e.g. (&(samAccountName=<UID>)(memberOf=CN=my-admins,…)). For an OpenLDAP this isn’t that easy — in fact you have to use two LDAP searches (one for locating the user’s object, another for locating all group objects in which that user object’s DN is used).

I therefore usually configure applications to use the AD LDAP server — it’s simply the scheme that’s supported much better.

Kind regards
mosu
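The two lookup schemes described in this reply, as an added example that is not part of the original thread or of UCS: `openldap_groups` performs the two searches (user DN first, then the groups naming it via uniqueMember/memberUid), `ad_groups` reads memberOf from the user's own entry, and both escape the caller-supplied value per RFC 4515 so it cannot alter the filter. The `search` callback stands in for a real LDAP search; the directory under the hypothetical dc=example,dc=com is constructed here and mixes both schemes on one user entry so that both resolvers can run against it.

```python
import re
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]           # attribute -> values; "dn" carries the entry's DN
Search = Callable[[str], List[Entry]]  # an LDAP search: filter string -> matching entries

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-supplied value cannot alter the filter's logic."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def openldap_groups(search: Search, uid: str) -> List[str]:
    """OpenLDAP scheme: search 1 finds the user's DN, search 2 the groups listing it."""
    users = search(f"(&(objectClass=posixAccount)(uid={escape_filter(uid)}))")
    if len(users) != 1:
        return []
    dn = users[0]["dn"][0]
    flt = f"(|(uniqueMember={escape_filter(dn)})(memberUid={escape_filter(uid)}))"
    return sorted(g["cn"][0] for g in search(flt))

def ad_groups(search: Search, sam: str) -> List[str]:
    """AD scheme: one search, membership is read from the user's own memberOf."""
    users = search(f"(sAMAccountName={escape_filter(sam)})")
    if len(users) != 1:
        return []
    return sorted(m.split(",")[0].split("=", 1)[1] for m in users[0].get("memberOf", []))

# Constructed sample directory under a hypothetical dc=example,dc=com; the user entry
# carries both uid and sAMAccountName/memberOf so both resolvers can be run against it.
SAMPLE: List[Entry] = [
    {"dn": ["uid=alice,ou=users,dc=example,dc=com"], "objectClass": ["posixAccount"],
     "uid": ["alice"], "sAMAccountName": ["alice"],
     "memberOf": ["cn=admins,ou=groups,dc=example,dc=com"]},
    {"dn": ["cn=admins,ou=groups,dc=example,dc=com"], "cn": ["admins"],
     "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com"]},
    {"dn": ["cn=staff,ou=groups,dc=example,dc=com"], "cn": ["staff"],
     "memberUid": ["alice", "bob"]},
]

def matches(entry: Entry, flt: str) -> bool:
    """Minimal evaluator for the filters built above: equality plus one level of & / |."""
    if flt[1] in "&|":  # escape_filter guarantees values never contain raw parentheses
        results = [matches(entry, sub) for sub in re.findall(r"\([^()]*\)", flt[2:-1])]
        return all(results) if flt[1] == "&" else any(results)
    attr, value = flt[1:-1].split("=", 1)
    return value in entry.get(attr, [])  # literal compare: an escaped '*' is no wildcard

def sample_search(flt: str) -> List[Entry]:
    return [e for e in SAMPLE if matches(e, flt)]
```

Note that `openldap_groups` returns nothing for "bob", who appears only in a memberUid list: without a user object the first search fails, which is the dependency the two-step scheme introduces.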


#3

Thanks for the info. I found a script in UCS that installed memberOf for OpenLDAP; it started working after that.
pfSense was a little bit tricky to configure with AD SSL, so I will stick with OpenLDAP for now.


#4

Great. Note that installing the overlay has its drawbacks in 4.2 and earlier versions: whenever you want to join a new DC Backup or DC Slave, you first have to install the server without joining it to the domain, then install the overlay package, and only join it once that package has been installed — otherwise copying the LDAP content during the join will fail because the attributes used are not recognized yet.

However, with the upcoming 4.3 (due in March) this should change: Univention has announced that they plan on shipping and enabling the overlay by default with 4.3. I expect that the delayed join process won’t be necessary anymore.