
I suggest you ...

Authentication: LDAP Group Support

It would be nice if an LDAP user could authenticate through an LDAP group.

67 votes
    Marco shared this idea

    9 comments

      • Anonymous commented

        I'd love to be able to use the same appliance that windows have access to and that I saw the online demo of.

      • rob commented

        This is required if Astaro is to be compatible with Apple OD. Why have Apple Kerberos SSO when you can't have groups for different access levels??? More like a bug than a feature request!

      • Scott commented

        This is also the case with Apple's Open Directory. The comment from "Jean-Baptiste FAREZ" does not work as that LDAP filter he speaks of only searches user records and does not look at group records. In these LDAP implementations, the group membership is not stored in the user record. It is stored in a separate group container.

      • G.Reinicke commented

        Hi, recently I was told by Astaro support staff that, regarding OpenLDAP, you have

        a) to use the primary group attribute of a user like the posixAccount uidNumber

        or

        b) you could add multiple group attributes to the user by overlays or extensibleObject.

        Because .... Astaro looks up the group membership in the USER DN .... not in the Group DN *sigh* ....

        This is the MS AD or Novell eDirectory way ... the Enterprise way. So I was told...

        Please Astaro: Look up the membership in the group's DN ...

      • Informatique DINAC commented

        It does not work either with the LDAP object class groupOfNames
        dn: cn=admins,ou=groups,dc=example,dc=com
        cn: admins
        member: cn=admin1,ou=users,dc=example,dc=com
        member: cn=admin2,ou=users,dc=example,dc=com
        member: cn=admin3,ou=users,dc=example,dc=com
        ....

      • Tim Soderstrom commented

        +1

        The group filter does not appear to work in my case as our setup is similar to Elmo's. Namely we are using OpenLDAP which has separate containers for groups.

      • Elmo commented

        Currently this is only possible if the group attributes are part of the user record (e.g. with the attribute gidNumber). If the membership attribute is part of the group record, for example like this:

        dn: cn=admins,ou=groups,dc=example,dc=com
        cn: admins
        description: Administratoren
        gidNumber: 1001
        structuralObjectClass: posixGroup
        creatorsName: cn=admin,dc=example,dc=com
        objectClass: top
        objectClass: posixGroup
        memberUid: john.doe
        memberUid: clark.stevens

        I don't see any possibility to use this group with the ASG.

      • Jean-Baptiste FAREZ commented

        Actually, this functionality is already implemented, but you need to apply an "LDAP filter".

        Menu: Users / Groups / New group
        and then use the following settings:

        Group type: backend membership
        Backend: LDAP
        Check an LDAP attribute
        Attribute: gidNumber (may change if you use a custom attribute)
        Value: 1000 (likewise, may change for the group you want)

        That's all.

        If you have any questions, contact me at jbfarez@gmail.com
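
Added example (not part of the thread and not Astaro's code): the comments contrast membership stored on the user record with membership stored on the group record. This Python code shows the group-side lookup for the posixGroup and groupOfNames shapes quoted in the comments; the function names and sample entries are constructed for illustration.

```python
# Added example: constructed data, hypothetical function names.
def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_membership_filter(group_cn, uid, user_dn):
    """Filter that matches the group entry only if it lists the user.

    Covers posixGroup (memberUid holds the login name) and groupOfNames
    (member holds the full user DN). Values are escaped so that a login
    name containing filter metacharacters cannot alter the query.
    """
    cn, uid, dn = (escape_filter_value(v) for v in (group_cn, uid, user_dn))
    return (f"(&(cn={cn})(|"
            f"(&(objectClass=posixGroup)(memberUid={uid}))"
            f"(&(objectClass=groupOfNames)(member={dn}))))")

def is_member(group_entries, group_cn, uid, user_dn):
    """Offline evaluation of the same decision over entries given as
    dicts of attribute -> list of values. DN comparison is simplified to
    a case-insensitive string match."""
    for entry in group_entries:
        if group_cn not in entry.get("cn", []):
            continue
        classes = entry.get("objectClass", [])
        if "posixGroup" in classes and uid in entry.get("memberUid", []):
            return True
        members = [m.lower() for m in entry.get("member", [])]
        if "groupOfNames" in classes and user_dn.lower() in members:
            return True
    return False

# Constructed group entries in the two shapes quoted in the comments.
GROUPS = [
    {"cn": ["admins"], "objectClass": ["top", "posixGroup"],
     "gidNumber": ["1001"], "memberUid": ["john.doe", "clark.stevens"]},
    {"cn": ["operators"], "objectClass": ["groupOfNames"],
     "member": ["cn=admin1,ou=users,dc=example,dc=com"]},
]

if __name__ == "__main__":
    dn = "uid=john.doe,ou=users,dc=example,dc=com"
    print(group_membership_filter("admins", "john.doe", dn))
    print(is_member(GROUPS, "admins", "john.doe", dn))
```

A check on a user-record attribute such as gidNumber sees neither of these entries, which is why the group has to be searched by its own membership attribute.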
