LDAP groups and how to filter
Alan DeKok
aland at deployingradius.com
Wed Feb 12 22:54:06 CET 2020
On Feb 12, 2020, at 3:21 PM, Daniel Oakes <daniel at 2600hz.com> wrote:
> So your first query works, but returns A LOT:
>
> ldapsearch -D 'uid=admin,cn=users,cn=accounts,dc=server,dc=domain,dc=net' -w '<password>' -h localhost -s sub '(objectclass=posixAccount)' -b 'uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net'
Which is asking for *all* of the user information. Not just groups.
> ...
> memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
> memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
> memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
> …
Those are the groups.
> Much output later.
>
> So that works – I’m struggling with how that translates to the group filter.
In recent versions of the server, see mods-available/ldap. It shows a sample of the query to use when asking for groups:
# Group membership can be queried by using the above "ldapsearch" string,
# and adding "memberof" qualifiers. For ActiveDirectory, use:
#
# ldapsearch ... '(&(objectClass=user)(sAMAccountName=user)(memberof=CN=group,${base_dn}))'
That's for AD "samaccountname". But you can modify that for your LDAP server.
> My mods-enabled/ldap has an identity and password configured in the ldap section.
>
> My base_dn is ‘cn=accounts,dc=server,dc=domain,dc=net’
That's all good.
> In the group section I change the filter to '(objectClass=posixAccount)' and uncommented scope = ‘sub’
>
> Currently the membership filter is the default of:
>
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
>
> How is that modified to handle that above query so I get the groups?
It should pretty much just work. Follow the documentation in the most recent versions of the server.
If you're running something from 5 years ago, well, the documentation has been updated.
Alan DeKok.
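The following is an added example, not code from the thread or from the FreeRADIUS project. It shows how the default membership_filter quoted above expands for a given user (the `%{%{Stripped-User-Name}:-%{User-Name}}` xlat means "Stripped-User-Name if set, otherwise User-Name"), how the AD sample from mods-available/ldap translates to a posixAccount tree whose groups live under cn=groups,cn=accounts (as in the memberOf values posted), and how the memberOf lines in ldapsearch's LDIF output map onto group names, including the folded line continuation ldapsearch produces for long values. The DN, base_dn and LDIF entry are constructed from the values in the thread; the expansion and escaping functions are this example's own, not rlm_ldap's code.

```python
"""Added example: FreeRADIUS membership_filter expansion and ldapsearch memberOf parsing."""

# Default membership_filter from mods-available/ldap, as quoted in the thread.
DEFAULT_MEMBERSHIP_FILTER = (
    '(|(member=%{control:Ldap-UserDn})'
    '(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))'
)

# base_dn from the thread (constructed value, matches the poster's setup).
BASE_DN = 'cn=accounts,dc=server,dc=domain,dc=net'


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    Any user-supplied value (User-Name is attacker-controlled on the wire)
    must be escaped before it goes into a filter, or an asterisk or
    parenthesis in the name changes what the filter matches.
    """
    special = '\\*()\x00'
    return ''.join('\\%02x' % ord(ch) if ch in special else ch for ch in value)


def expand_membership_filter(template: str, attrs: dict) -> str:
    """Expand the two xlats used by the default membership_filter.

    %{control:Ldap-UserDn}                  -> DN rlm_ldap found for the user
    %{%{Stripped-User-Name}:-%{User-Name}}  -> Stripped-User-Name if set, else User-Name
    Only these two xlats are handled; this is an illustration, not a full xlat engine.
    """
    user_dn = attrs.get('control:Ldap-UserDn', '')
    name = attrs.get('Stripped-User-Name') or attrs.get('User-Name', '')
    expanded = template.replace('%{control:Ldap-UserDn}', ldap_filter_escape(user_dn))
    expanded = expanded.replace('%{%{Stripped-User-Name}:-%{User-Name}}',
                                ldap_filter_escape(name))
    return expanded


def group_membership_filter(username: str, group_cn: str, base_dn: str = BASE_DN) -> str:
    """posixAccount/memberOf equivalent of the ActiveDirectory sample in mods-available/ldap.

    Groups are assumed to live under cn=groups,<base_dn>, as the thread's memberOf
    values show. The result can be used as the ldapsearch filter to test one group.
    """
    return '(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=%s,cn=groups,%s))' % (
        ldap_filter_escape(username), ldap_filter_escape(group_cn), base_dn)


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def member_of_groups(ldif_text: str) -> list:
    """Return the cn= value of every memberOf attribute in an LDIF entry.

    The DN is split on the first comma, which is enough for the plain group DNs
    seen here; RDNs containing escaped commas would need a real DN parser.
    """
    groups = []
    for line in unfold_ldif(ldif_text):
        if line.lower().startswith('memberof:'):
            dn = line.split(':', 1)[1].strip()
            first_rdn = dn.split(',', 1)[0]
            if first_rdn.lower().startswith('cn='):
                groups.append(first_rdn[3:])
    return groups


# Constructed LDIF, shaped like the ldapsearch output posted in the thread,
# including one value folded across two lines the way ldapsearch wraps long lines.
SAMPLE_LDIF = """\
dn: uid=doakes,cn=users,cn=accounts,dc=server,dc=domain,dc=net
objectClass: posixAccount
uid: doakes
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=employees,cn=groups,cn=accounts,dc=server,dc=domain,dc=net
memberOf: cn=ops_training_wheels,cn=groups,cn=accounts,dc=server,dc=domain,dc
 =net
"""

if __name__ == '__main__':
    attrs = {'control:Ldap-UserDn': 'uid=doakes,cn=users,' + BASE_DN,
             'User-Name': 'doakes'}
    print(expand_membership_filter(DEFAULT_MEMBERSHIP_FILTER, attrs))
    print(group_membership_filter('doakes', 'employees'))
    print(member_of_groups(SAMPLE_LDIF))
```

The expanded default filter matches either a group whose `member` attribute holds the user's DN or one whose `memberUid` holds the bare username, which is why it works for a FreeIPA-style tree without modification: rlm_ldap runs it against the group base and collects the groups that match, the same set the memberOf attributes above list from the user's side.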