glauth: Cant enumerate groups or members of groups
As an example using sample-simple.cfg
Certain programs that use LDAP need to enumerate the groups available.
While I can see that GLAuth creates the uid as memberOf groups ie
memberOf: cn=superheros,ou=groups,dc=glauth,dc=com
It seems you can’t list the groups directly like you can with users. Example.
ldapsearch -LLL -H ldap://localhost:389 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com ou=superheros
Returns everything from the ‘superheros’ OU - ie the Users listing.
However:
ldapsearch -LLL -H ldap://localhost:389 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com ou=groups
Returns nothing. You would expect it to return the group listings etc.
By the same convention you should be able to search a group and returns the members with the group, Example:
ldapsearch -LLL -H ldap://localhost:389 -D cn=serviceuser,ou=svcaccts,dc=glauth,dc=com -w mysecret -x -bdc=glauth,dc=com cn=svcaccts,ou=groups,dc=glauth,dc=com
Returns nothing. You would expect the group to be returned with the users of that group etc.
This functionality of search is expected by a lot of programs to correctly configure groups and RBAC based on groups etc.
Hopefully that all makes sense. Thanks Cam.
About this issue
- Original URL
- State: open
- Created 5 years ago
- Reactions: 6
- Comments: 23 (1 by maintainers)
OK between this and your issue about Foreman, it looks like Group Base DN should be next in line for a bit of TLC. I will keep you posted (I may have follow-up questions)
I’ve been looking at a home deployment and encountered this. After digging through the source and the CI tests, you can get a list of groups with a search filter like this:
You can further narrow it like thus: