
LDAP (not AD) and group membership

Been struggling some with this, and given up on support getting back to me with a usable answer.

Trying to set up LDAP auth on XG, well aware that it's only supposed to support a single (primary) group.

This is the closest I have been able to find to documentation:

https://support.sophos.com/support/s/article/KB-000035738?language=en_US

Some other documents exist on the topic, but none of them are correct either.

The problem is that it seems it never does a lookup of the group, and just treats the attribute value as the group name:

On LDAP it does a search on the attribute you specify as the "Group name attribute"

That is what is returned by the LDAP server:

INFO      Aug 06 15:03:27.979100 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR INDEX: 3  ATTR-NAME: 'gidNumber'
INFO      Aug 06 15:03:27.979105 [LDAP_AUTH]: ldapauth_search_user: 172.16.16.1:389: ATTR-VAL[0]: '1103'

but never resolved, so only matched on the returned value:

DEBUG     Aug 06 15:03:27.999818 [POSTGRES_DB]: remove_escape_sequence: gropname before removing escape sequence 1103
DEBUG     Aug 06 15:03:27.999822 [POSTGRES_DB]: remove_escape_sequence: gropname after removing escape sequence 1103
DEBUG     Aug 06 15:03:27.999826 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Extracted groupname:'1103'
DEBUG     Aug 06 15:03:27.999830 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Open Group'
DEBUG     Aug 06 15:03:27.999833 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
DEBUG     Aug 06 15:03:27.999837 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'Guest Group'
DEBUG     Aug 06 15:03:27.999841 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
DEBUG     Aug 06 15:03:27.999844 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'LDAP'
DEBUG     Aug 06 15:03:27.999848 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
DEBUG     Aug 06 15:03:27.999858 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Groupname in list:'1103'
DEBUG     Aug 06 15:03:27.999862 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: In attribute:'1103'
DEBUG     Aug 06 15:03:27.999865 [POSTGRES_DB]: get_ads_ldap_highest_priority_group: Group Found:'1103'

making it completely useless (here I have created a group with the name 1103 to test, and that matches), but that's the only thing I can get to match.
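As an added illustration (not from the original post and not Sophos code), the following Python simulates the two behaviours described above: the literal match visible in the DEBUG log, where the raw gidNumber value is compared against the configured group names, versus the lookup of a posixGroup by gidNumber that the KB implies. The directory entries and the configured group list are constructed sample data.

```python
# Added example: simulates the group-matching behaviour discussed in the thread.
# DIRECTORY and CONFIGURED_GROUPS are constructed sample data, not real LDAP output.

# Constructed posixGroup entries as an LDAP search might return them
# (DN -> attributes), modelled on the KB's posixgroup schema.
DIRECTORY = {
    "cn=ldapusers,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["ldapusers"], "gidNumber": ["1103"],
    },
    "cn=admins,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["admins"], "gidNumber": ["1100"],
    },
}

# Groups configured on the firewall, in priority order (constructed).
CONFIGURED_GROUPS = ["Open Group", "Guest Group", "LDAP", "ldapusers"]


def literal_match(attr_value, configured_groups):
    """What the DEBUG log shows: the attribute value itself is treated as the
    group name, so '1103' only matches a firewall group literally named '1103'."""
    for name in configured_groups:
        if name == attr_value:
            return name
    return None


def resolve_gid(directory, gid):
    """Find the posixGroup whose gidNumber equals the user's primary GID and
    return its cn (the lookup the poster expected the firewall to perform)."""
    for attrs in directory.values():
        if "posixGroup" in attrs.get("objectClass", []) and gid in attrs.get("gidNumber", []):
            return attrs["cn"][0]
    return None


def resolved_match(directory, attr_value, configured_groups):
    """Resolve gidNumber to a group name first, then match against the list."""
    name = resolve_gid(directory, attr_value)
    if name is None:
        return None
    return literal_match(name, configured_groups)


if __name__ == "__main__":
    print("literal :", literal_match("1103", CONFIGURED_GROUPS))    # None
    print("resolved:", resolved_match(DIRECTORY, "1103", CONFIGURED_GROUPS))  # ldapusers
```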



This thread was automatically locked due to age.
  • FormerMember

    Hi 

    Thank you for reaching out to the Community! 

    Could you please provide a bit more detail on what you're trying to do? Can you share more detail on the default LDAP user profile? Did you create the gidNumber same as the group name? 

    Thanks,

  • We are running structuralObjectClass posixgroup, so it's basically the same as in the KB.

    The user's primary group is in 'gidNumber', same as in the KB.

    From reading the KB and the example I'm under the impression that it should search LDAP for a group with that GID, and use the name of the group in the match.

    The documentation on LDAP in SFOS is useless, so the closest I can find as information is the KB.
