Allow forcing "group object class" / "memberAttribute" for LDAP auth #1433
Comments
Having memberAttribute configurable would also solve #1436.
I'm running into the same issue as my ldap groups are configured like this:
So it would be nice if there was a way to specify the memberUid attribute :)
Check the entry object for "uniqueMember" and "member" attributes if we cannot determine the correct member attribute from the object class. The member attribute should be configurable eventually. Until that can be done, this fix should improve the situation. Refs #1433
The memberUid attribute of a posixGroup does not contain the DN of the LDAP object but the UID. Check against the ldap entry UID if the DN match didn't work. Refs #1433
Thank you for the reports! We improved the detection of the member attribute in #1494 which should help with the reported cases. These changes will be in the upcoming 1.2.2 release. I will leave this ticket open and mark it as feature request for the next major release. The member attribute should be configurable, we just cannot do that for the stable release right now. I hope this works for you.
Many thanks to you for fixing that!
This has been fixed a long time ago. |
I'm trying to run the LDAP authentication against a Univention Corporate Server. While this basically works I'm unable to successfully use the LDAP group to role mapping. Looking at the logs I see a couple of lines saying:
2015-09-20T12:55:13.523+02:00 WARN [LdapConnector] Unable to auto-detect the LDAP group object class, assuming 'member' is the correct attribute.
The reason for this is that UCS doesn't use the objectClass "groupOfUniqueNames" as expected by the LDAP connector (/org/graylog2/security/ldap/LdapConnector.java:236) and while the LDAP entry actually has the uniqueMember attribute Graylog makes the wrong choice here. Here's what I get when querying the LDAP directory for a group (shortened for brevity):

Now if I could tell Graylog what objectClass filter to use (univentionGroup) or what the memberAttribute is (uniqueMember) the problem would be easily solved I guess. An alternative would be to add another check for "univentionGroup" to the LdapConnector.java. But I think in the long run a user definable option would make more sense than possibly adding tons of different and maybe conflicting tests there.
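The detection logic discussed in this issue and in the #1494 fix comments (object-class mapping, falling back to whichever of uniqueMember/member the entry carries, and matching memberUid values against the uid rather than the DN), plus the requested configurable override, written out as an added Python example. This is not Graylog's code; the group entries and DNs below are constructed sample data.

```python
# Added example, not Graylog's LdapConnector: pick the group member attribute
# and test membership the way the issue thread describes.
OBJECT_CLASS_MEMBER_ATTR = {
    "groupofnames": "member",
    "groupofuniquenames": "uniquemember",
    "posixgroup": "memberuid",          # holds uids, not DNs
}
# Attributes probed when no object class is recognised (the #1494 fallback).
FALLBACK_ATTRS = ("uniquemember", "member")


def normalize_entry(entry):
    """Lower-case attribute names; LDAP attribute names are case-insensitive."""
    return {k.lower(): v for k, v in entry.items()}


def member_attribute(entry, forced=None):
    """Configured override wins, then the object-class mapping, then whichever
    known member attribute the entry actually carries, then 'member'."""
    entry = normalize_entry(entry)
    if forced:
        return forced.lower()
    for oc in entry.get("objectclass", []):
        attr = OBJECT_CLASS_MEMBER_ATTR.get(oc.lower())
        if attr:
            return attr
    for attr in FALLBACK_ATTRS:          # e.g. univentionGroup with uniqueMember
        if attr in entry:
            return attr
    return "member"                      # the connector's 'assuming member' case


def is_member(entry, user_dn, user_uid, forced=None):
    """Match the user's DN first; memberUid stores uids, so also accept the uid."""
    entry = normalize_entry(entry)
    values = entry.get(member_attribute(entry, forced), [])
    dn, uid = user_dn.lower(), user_uid.lower()
    return any(v.lower() in (dn, uid) for v in values)


# Constructed sample entries (illustrative only, not taken from a real directory).
UCS_GROUP = {
    "objectClass": ["top", "univentionGroup"],
    "uniqueMember": ["uid=jdoe,cn=users,dc=example,dc=org"],
}
POSIX_GROUP = {"objectClass": ["top", "posixGroup"], "memberUid": ["jdoe"]}
UNKNOWN_GROUP = {"objectClass": ["top", "customGroup"], "member": ["uid=jdoe,dc=example,dc=org"]}
```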