LDAP Configuration

Active Directory

Tips

  • Check whether the connection user is a member of the “Account Operators” group.

OpenLDAP

In order to set up an OpenLDAP server correctly, you can follow the article at https://wiki.debian.org/LDAP/OpenLDAPSetup, which describes the steps to configure a fully operational server on a Debian-like distribution.

In OpenLDAP, to use the group membership feature you need to add an ‘overlay’ called ‘memberof’. It’s a module that adds an internal attribute to those users which belong to a group.

These are the steps to configure that module:

  • Create the file ‘ldap_memberof_add.ldif’ with this content:

    dn: cn=module,cn=config
    objectClass: olcModuleList
    cn: module
    olcModulePath: /usr/lib/ldap
    olcModuleLoad: memberof
    
  • Create the file ‘ldap_memberof_config.ldif’ with this content:

    dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
    objectClass: olcMemberOf
    objectClass: olcOverlayConfig
    objectClass: olcConfig
    objectClass: top
    olcOverlay: memberof
    olcMemberOfDangling: ignore
    olcMemberOfRefInt: TRUE
    olcMemberOfGroupOC: groupOfNames
    olcMemberOfMemberAD: member
    olcMemberOfMemberOfAD: memberOf
    
  • Modify the LDAP configuration by running these commands:

    ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f ldap_memberof_add.ldif
    ldapadd -D cn=admin,cn=config -w "password" -H ldapi:/// -f ldap_memberof_config.ldif
    
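Once the overlay is loaded, it only populates memberOf for group memberships added afterwards, so a quick verification step is worthwhile: request the attribute explicitly (OpenLDAP treats memberOf as operational, so it is not returned unless asked for), e.g. `ldapsearch -x -LLL -H ldapi:/// -b "dc=example,dc=com" "(uid=jdoe)" memberOf`, and confirm the sysPass access group shows up. The script below is an added example, not part of the sysPass documentation: it parses ldapsearch's LDIF output offline (folded lines and base64 values included) and checks whether a user DN carries a given group DN in memberOf. The base DN, user and group names are constructed sample values.

```python
#!/usr/bin/env python3
"""Check memberOf data from ldapsearch output (added example, stdlib only)."""
import base64
import re
from typing import Dict, List


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF as printed by ldapsearch into a list of {attr: [values]} dicts.

    Handles folded lines (a continuation line starts with one space),
    base64 values ("attr:: ...", used for non-ASCII DNs) and '#' comments.
    Attribute names are lower-cased so memberOf and memberof compare equal.
    Entries without a dn (e.g. a trailing "result:" block) are kept but
    ignored by the caller.
    """
    unfolded = re.sub(r"\n ", "", text)  # join continuation lines
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded.splitlines():
        if not line.strip():  # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: base64value"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation for comparison: lower-case and strip
    whitespace around commas and '='. Escaped characters are not handled."""
    rdns = [p.strip() for p in dn.split(",")]
    return ",".join("=".join(x.strip() for x in r.split("=", 1)) for r in rdns).lower()


def user_in_group(ldif_text: str, user_dn: str, group_dn: str) -> bool:
    """True if the entry with `user_dn` lists `group_dn` in its memberOf attribute."""
    target = normalize_dn(user_dn)
    wanted = normalize_dn(group_dn)
    for entry in parse_ldif(ldif_text):
        dns = entry.get("dn", [])
        if dns and normalize_dn(dns[0]) == target:
            return any(normalize_dn(g) == wanted for g in entry.get("memberof", []))
    return False


# Constructed sample output (not captured from a real server) for:
#   ldapsearch -x -LLL -H ldapi:/// -b "dc=example,dc=com" "(uid=*)" memberOf
_ACCENTED_GROUP = "cn=Équipe sécurité,ou=groups,dc=example,dc=com"
SAMPLE_LDIF = (
    "dn: uid=jdoe,ou=people,dc=example,dc=com\n"
    "memberOf: cn=syspass-users,ou=groups,dc=example,dc=com\n"
    "memberOf: cn=a-very-long-group-name-that-ldapsearch-folds,ou=groups,dc=exam\n"
    " ple,dc=com\n"
    "memberOf:: " + base64.b64encode(_ACCENTED_GROUP.encode("utf-8")).decode() + "\n"
    "\n"
    "dn: uid=nobody,ou=people,dc=example,dc=com\n"
    "\n"
)

if __name__ == "__main__":
    user = "uid=jdoe,ou=people,dc=example,dc=com"
    group = "cn=syspass-users,ou=groups,dc=example,dc=com"
    print("ok" if user_in_group(SAMPLE_LDIF, user, group) else "memberOf missing")
```

In practice, pipe the real ldapsearch output into `user_in_group()`; a `False` result for a user who is a member of the group usually means the membership was created before the overlay was installed and the group entry needs to be re-added (or the member attribute re-set) so the overlay can populate memberOf.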

Tips

  • Check whether the sysPass ‘admin’ user is the same as in OpenLDAP; you need to add this user to the LDAP group that has access permissions to sysPass.
  • The username and email of the LDAP users are populated from the ‘displayname’, ‘fullname’ and ‘mail’ attributes.
  • You can use LDAPS by setting a connection URI like ‘ldaps://my_ldap_server’.
  • You can install phpLDAPadmin to create and manage the LDAP objects.