Open LDAP and group based permissions
-
We are evaluating ProGet and have some trouble with the ProGet Open LDAP configuration.
It recognizes users and groups but not user and group relation. Therefore, mapping LDAP groups to permissions does not grant those permissions. It seems ProGet does not look for users in groups but for groups with users. This is the opposite from how our LDAP ID provider operates.
Would you be able to help with troubleshooting this? We are currently and LDAP integrations would be essential.
Thank you in advance and best regards,
Sirko
-
Hi @sirko_6724,
Which OpenLDAP-based server are you currently using? We have seen that most OpenLDAP-based servers tend to use different attributes based on their configuration. By default we use the values suggested by OpenLDAP, but you may need to modify them to suit your setup. With that said, ProGet looks up both ways: get groups from the user and get users for the group. In most operations, ProGet will first find the user, then load their groups, and then check the user or the user's groups for permissions.
Typically the starting point is to verify that the LDAP attributes and queries are correct for your OpenLDAP-based server. Can you also share what you have configured for your LDAP attributes and LDAP queries?
Thanks,
Dan
-
Hi Dan,
thank you for your reply. Allow me to share more details below.
They may help to tune the LDAP settings on the ProGet side.

Dummy user LDAP attributes from our LDAP server:

dn: cn=service_accounts,ou=Departments,dc=innogames,dc=net
objectClass: top
objectClass: igDepartment
cn: service_accounts
description: Service Accounts maintained by System Administration

dn: uid=proget-testuser,ou=People,dc=innogames,dc=net
uid: proget-testuser
mail: proget-testuser.it@innogames.fail
sn: tokentest
givenName: proget
cn: proget testuser
birthDate: 1970-01-01
gidNumber: 31279
uidNumber: 31279
homeDirectory: /home/proget-testuser
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: evolutionPerson
objectClass: uidObject
objectClass: igPerson
objectClass: posixAccount
igMemberOf: cn=service_accounts,ou=Departments,dc=innogames,dc=net   # this is the relation attribute
mailVerified: TRUE
userPassword:: *SECRET*

Current LDAP settings in ProGet:

LDAP Connection Type: OpenLDAP/Generic LDAP
Host: login.innogames.de
Bind DN: cn=proget-test,ou=Applications,dc=innogames,dc=net
Bind Password: ***
User Search Base: dc=innogames,dc=net
Users: (&(uid=%s)(igMemberOf=cn=proget-test,ou=Applications,dc=innogames,dc=net))
List User's Groups: (&(objectClass=igDepartment)(member=%s))
Group Search Base: ou=Departments,dc=innogames,dc=net
Groups: (&(cn=%s)(objectClass=igDepartment))
List Group's Members: (&(objectClass=inetOrgPerson)(igMemberOf=%s))
User name Property Value: uid
Display Name Value: displayName
Email Property Value: mail
Group Name Property Value: cn

Screenshots to illustrate the missing user-group relation:


Thank you again and best regards,
Sirko
-
Hi @sirko_6724,
I now understand what you mean by our search pattern for a user's groups. ProGet does this in an attempt to reduce LDAP calls, since we do not synchronize users and groups to ProGet. This allows us to make 1 LDAP call to get the groups. If we searched by user, we would then have to make a call to get the user and then X number of calls to load each group's details.
Based on OpenLDAP's documentation, groups will include one or more member attributes. Based on the record you sent me, that may not be the case for you. Is it possible for you to add that to your directory?
Thanks,
Dan
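The mismatch discussed in Sirko's configuration post and in Dan's reply, as an added example that is neither ProGet's code nor anything either of them posted: a tiny in-memory stand-in for the LDAP server runs the two membership filters from the posted ProGet settings against the two posted records, showing that the group-first "List User's Groups" query finds nothing while the "List Group's Members" query works, and then shows what changes once the group carries a member attribute as Dan suggests. The directory contents are constructed from the posted LDIF (membership-relevant attributes only) and the filter evaluator is a deliberately minimal assumption, not a real server.

```python
import copy
# Constructed from the two LDIF records in the thread (membership-relevant attributes only).
GROUP_DN = "cn=service_accounts,ou=Departments,dc=innogames,dc=net"
USER_DN = "uid=proget-testuser,ou=People,dc=innogames,dc=net"
DIRECTORY = {
    GROUP_DN: {"objectclass": ["top", "igDepartment"], "cn": ["service_accounts"]},
    USER_DN: {"objectclass": ["top", "person", "inetOrgPerson", "igPerson"],
              "uid": ["proget-testuser"], "igmemberof": [GROUP_DN]},
}
# The two membership queries exactly as configured in the posted ProGet settings.
LIST_USERS_GROUPS = "(&(objectClass=igDepartment)(member=%s))"
LIST_GROUPS_MEMBERS = "(&(objectClass=inetOrgPerson)(igMemberOf=%s))"

def parse_filter(s, i=0):
    """Minimal RFC 4515 parser: (&...), (|...), (!...) and (attr=value) only."""
    if s[i + 1] in "&|!":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] != ")":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")  # value may itself be a DN
    return ("=", attr.lower(), value.lower()), j + 1

def matches(node, entry):
    op = node[0]
    if op == "=":  # attribute names and DN values compared case-insensitively
        return any(v.lower() == node[2] for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)

def search(directory, base, filter_template, arg):
    """Substitute %s as ProGet's query templates do, then search under base."""
    node, _ = parse_filter(filter_template.replace("%s", arg))
    return sorted(dn for dn, e in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(node, e))

def groups_of_user(directory=DIRECTORY):  # group-first lookup, as ProGet does it
    return search(directory, "ou=Departments,dc=innogames,dc=net", LIST_USERS_GROUPS, USER_DN)
def members_of_group(directory=DIRECTORY):  # group -> users works, via igMemberOf
    return search(directory, "dc=innogames,dc=net", LIST_GROUPS_MEMBERS, GROUP_DN)
def with_member_attribute(directory=DIRECTORY):
    """Dan's suggestion: give the group a member attribute that names the user."""
    d = copy.deepcopy(directory)
    d[GROUP_DN]["member"] = [USER_DN]
    return d
```

With the posted data, groups_of_user() returns an empty list and members_of_group() returns the test user, which is exactly the "users and groups recognized, relation missing" symptom; after with_member_attribute(), the same unchanged ProGet filter resolves the group.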