How to enable MemberOf using OpenLDAP

15/10/2014, Maarten De Paepe, How to

The fun part about working in IT is that you're often forced to work with - and make things work based on - technologies you are unfamiliar with. So, at one point in my (infant) career, I was asked to set up an LDAP server that supported users, groups, and a basic notion of which users belong to which groups.

As sysadmin work is not my forte, the task was long and arduous. And so, I hope to write something that I would have considered a "gold mine" when starting off.

First tip: LDAP attribute names and distinguished names are not case sensitive.

Adding nodes

After installing OpenLDAP (which is pretty straightforward on Linux using apt-get) we're ready to create some nodes. If you compare it to a relational database, a node is roughly like a table in which we store our records. They are of course not the same thing, but the comparison gives you a grasp of what a node is.

We want two nodes:

  • Groups node
  • People node

There's no native application or shell in which you can fiddle. Instead, OpenLDAP comes with a few command-line tools you use to perform your actions, and you feed these tools files (in LDIF format) containing the data you want to add. So let's get to it. Make a file named add_nodes.ldif in your favorite text editor and add the following lines.

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

To add these nodes, simply run the following command and give the admin password (the one you chose during slapd setup) when prompted:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_nodes.ldif

Our base is dc=example,dc=com and with this we've just added people and groups nodes.

Enabling MemberOf

In order to easily and efficiently run queries that show you which users are part of which groups, we need to set up the LDAP feature that makes this possible: the memberOf overlay.

To do so, make the following 3 files (courtesy of this article):

memberof_config.ldif

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof
olcModulePath: /usr/lib/ldap

dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

refint1.ldif

# The {1} index must match the cn=module entry created by the file above; if a
# module entry already existed before it, the index may differ. Check with:
#   sudo ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcModuleList)' dn
dn: cn=module{1},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint

refint2.ldif

dn: olcOverlay={1}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner

To load the memberof module and configure its overlay, run this command:

sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memberof_config.ldif

To load and configure the refint module:

sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif

Small (but not so small) note: every group created before this overlay is enabled has to be deleted and remade in order for these changes to take effect. The overlay writes the memberOf attribute to a user's entry only at the moment a group is created or its member list is modified, so existing memberships are not backfilled.

Adding a user

Before we add a user, we first need to generate a hash of his password:

slappasswd -h {SHA} -s my_secret_password

yielding this result:

{SHA}M6XDJwA47cNw9gm5kXV1uTQuMoY=

(Note that {SHA} is an unsalted hash; {SSHA} is the salted variant and the usual choice. Leaving out -s makes slappasswd prompt for the password instead of recording it in your shell history.) We will use this result when creating our user file. Make the following file and name it add_user.ldif:

dn: uid=john,ou=people,dc=example,dc=com
cn: John Doe
givenName: John
sn: Doe
uid: john
uidNumber: 5000
gidNumber: 10000
homeDirectory: /home/john
mail: john.doe@example.com
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {SHA}M6XDJwA47cNw9gm5kXV1uTQuMoY=

And add it by running:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_user.ldif

Adding a group

Same stuff, make add_group.ldif:

dn: cn=mygroup,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: mygroup
description: All users
member: uid=john,ou=people,dc=example,dc=com

where you add a "member: user_dn" line for each user you want to add to this group. And then run:

ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_group.ldif

Taking it for a test-run

You can run the following command to see if it's all set up properly:

ldapsearch -x -LLL -H ldap:/// -b uid=john,ou=people,dc=example,dc=com dn memberof

And it should yield this result:

dn: uid=john,ou=People,dc=example,dc=com
memberOf: cn=mygroup,ou=groups,dc=example,dc=com
Maarten De Paepe

Maarten is a software engineer, forever employee #1, he enjoys fiddling with Python and JavaScript.