{"id":4778,"date":"2019-11-15T23:12:53","date_gmt":"2019-11-15T20:12:53","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4778"},"modified":"2024-03-12T23:15:36","modified_gmt":"2024-03-12T20:15:36","slug":"how-to-create-openldap-member-groups","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/","title":{"rendered":"How to Create OpenLDAP Member Groups"},"content":{"rendered":"\n

When access to an organization's systems or resources is controlled through a directory or identity management service such as OpenLDAP<\/a> or FreeIPA<\/a>, it is far more practical to grant rights to a group than to individual users. In this guide, we learn how to create OpenLDAP member groups so that you can control what a specific set of users is authorized to do on a given system or resource.<\/p>\n\n\n\n

Creating OpenLDAP Member Groups<\/h2>\n\n\n\n

Before you can proceed with this guide, we assume that you already have an OpenLDAP server up and running. Otherwise, you can check our OpenLDAP guides by following the links below;<\/p>\n\n\n\n

Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n

How to Configure SUDO via OpenLDAP Server<\/a><\/p>\n\n\n\n

Configure SSSD for OpenLDAP Authentication on CentOS 8<\/a><\/p>\n\n\n\n

Well, so how do you create member groups on OpenLDAP?<\/p>\n\n\n\n

Enabling OpenLDAP memberof Overlay<\/h3>\n\n\n\n

Reverse group lookup in OpenLDAP is provided by the memberof<\/code> overlay. Group membership itself lives in the group entry (by default the member<\/code> attribute of a groupOfNames<\/code> entry); the overlay watches changes to that attribute and maintains a matching memberOf<\/code> attribute on each member's own entry, so finding the groups a user belongs to becomes a single attribute read instead of a search across every group. An overlay<\/a> is a slapd component that sits between the frontend and a database backend and intercepts operations on their way through, which lets it add behaviour without changing the backend itself.<\/p>\n\n\n\n

Overlays can be loaded dynamically as modules or compiled statically into slapd itself.<\/p>\n\n\n\n

To check whether the memberof overlay<\/code> module has already been loaded, list the module entries under cn=config<\/code>:<\/p>\n\n\n\n

ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config | grep -i module<\/code><\/pre>\n\n\n\n

As you can see in the output below, only the MDB database backend module (back_mdb.la<\/code>) is loaded so far.<\/p>\n\n\n\n

\nSASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\n# module{0}, config\ndn: cn=module{0},cn=config\nobjectClass: olcModuleList\ncn: module{0}\nolcModulePath: \/usr\/libexec\/openldap\nolcModuleLoad: {0}back_mdb.la<\/strong>\n...\n<\/code><\/pre>\n\n\n\n

Find the location of the memberof overlay module and confirm that it matches the olcModulePath<\/code> shown above. The path may differ on your system.<\/p>\n\n\n\n

find \/ -iname memberof.la<\/code><\/pre>\n\n\n\n
\/usr\/libexec\/openldap\/memberof.la<\/code><\/pre>\n\n\n\n

Then add the memberof module to the existing module list entry, cn=module{0},cn=config<\/code>, using an LDIF file like the one below.<\/p>\n\n\n\n

vim update-module.ldif<\/code><\/pre>\n\n\n\n
dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: memberof.la<\/code><\/pre>\n\n\n\n

Load the module into slapd. Because the LDIF carries changetype: modify<\/code>, ldapadd (which is simply ldapmodify -a<\/code>) performs a modify rather than an add here.<\/p>\n\n\n\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f update-module.ldif<\/code><\/pre>\n\n\n\n

If you would rather not touch the existing module entry, you can add a second olcModuleList<\/code> entry instead. Adjust olcModulePath<\/code> if the path you found above differs.<\/p>\n\n\n\n

vim load-memberof-module.ldif<\/code><\/pre>\n\n\n\n
dn: cn=module,cn=config\ncn: module\nobjectClass: olcModuleList\nolcModuleLoad: memberof.la\nolcModulePath: \/usr\/libexec\/openldap<\/code><\/pre>\n\n\n\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f load-memberof-module.ldif<\/code><\/pre>\n\n\n\n
SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"cn=module,cn=config\"<\/code><\/pre>\n\n\n\n

Verify again that the module is loaded.<\/p>\n\n\n\n

ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b cn=config | grep -i module<\/code><\/pre>\n\n\n\n
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=module{0},cn=config\nobjectClass: olcModuleList\ncn: module{0}\nolcModulePath: \/usr\/libexec\/openldap\nolcModuleLoad: {0}back_mdb.la\nolcModuleLoad: {1}memberof.la<\/strong>\n...\n<\/code><\/pre>\n\n\n\n

Add memberof Overlay to SLAPD database<\/h3>\n\n\n\n

Now that the memberof module is loaded, the overlay still has to be instantiated on the database that holds your directory tree; loading the module by itself changes nothing.<\/p>\n\n\n\n

The overlay is attached to a specific database. To find yours, list the database entries under cn=config<\/code>. We use the MDB backend, hence the grep for mdb.<\/p>\n\n\n\n

ldapsearch -LLL -Y EXTERNAL -H ldapi:\/\/\/ -b  cn=config olcDatabase | grep mdb<\/code><\/pre>\n\n\n\n

Note the index of your database ({1}mdb<\/code> here); the overlay entry below must be created beneath that DN.<\/p>\n\n\n\n

SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: olcDatabase={1}mdb,cn=config<\/strong>\nolcDatabase: {1}mdb<\/code><\/pre>\n\n\n\n

Create an LDIF file with your memberof overlay attributes as shown below.<\/p>\n\n\n\n

vim add-memberof-overlay.ldif<\/code><\/pre>\n\n\n\n
dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config\nobjectClass: olcMemberOf\nobjectClass: olcOverlayConfig\nobjectClass: olcConfig\nobjectClass: top\nolcOverlay: memberof\nolcMemberOfRefInt: TRUE\nolcMemberOfDangling: ignore\nolcMemberOfGroupOC: groupOfNames\nolcMemberOfMemberAD: member\nolcMemberOfMemberOfAD: memberOf\n<\/code><\/pre>\n\n\n\n

For the meaning of each attribute, consult man slapo-memberof<\/code>. In short, olcMemberOfGroupOC<\/code> names the object class treated as a group, olcMemberOfMemberAD<\/code> the forward attribute the overlay watches, olcMemberOfMemberOfAD<\/code> the reverse attribute it maintains, and olcMemberOfDangling<\/code> what to do when a member DN points at an entry that does not exist (ignore<\/code> leaves the value in place; the alternatives are drop<\/code> and error<\/code>).<\/p>\n\n\n\n

Update the OpenLDAP database with memberof overlay attributes.<\/p>\n\n\n\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f add-memberof-overlay.ldif<\/code><\/pre>\n\n\n\n
SASL\/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nadding new entry \"olcOverlay=memberof,olcDatabase={1}mdb,cn=config\"<\/code><\/pre>\n\n\n\n

Another important aspect of group membership is referential integrity. Consider the line olcMemberOfRefInt: TRUE<\/strong><\/code>. With it set, the overlay also maintains the relationship from the member's side: when an entry's memberOf<\/code> attribute is modified directly, or an entry carrying memberOf<\/code> values is deleted, the member<\/code> attribute of the corresponding groups is updated to match. This has nothing to do with the database schema; it only keeps member<\/code> and memberOf<\/code> values pointing at entries that exist, and the overlay only knows about those two attributes.<\/p>\n\n\n\n

Referential integrity for DN-valued attributes in general, including renames, is handled by the separate refint overlay, which likewise has to be loaded as a module.<\/p>\n\n\n\n

find \/ -iname refint.la<\/code><\/pre>\n\n\n\n
\/usr\/libexec\/openldap\/refint.la<\/code><\/pre>\n\n\n\n

Since the module lives in the same directory, load the refint<\/code> module in the same way;<\/p>\n\n\n\n

vim add-refint.ldif<\/code><\/pre>\n\n\n\n
dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: refint.la<\/code><\/pre>\n\n\n\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f add-refint.ldif<\/code><\/pre>\n\n\n\n

Loading the module alone does nothing: like memberof, refint must also be attached to the database as an overlay entry (olcOverlay=refint<\/code> beneath olcDatabase={1}mdb,cn=config<\/code>, with olcRefintAttribute<\/code> naming the attributes to keep consistent, here member<\/code> and memberOf<\/code>). Read more in man slapo-refint<\/code>.<\/p>\n\n\n\n

Create OpenLDAP Member Groups<\/h3>\n\n\n\n

The OpenLDAP memberof overlay is now set up. The next step is to create member groups so that you can impose group-based access control.<\/p>\n\n\n\n

Assuming you have the following users in your OpenLDAP database, for example;<\/p>\n\n\n\n

uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nuid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n

To create an OpenLDAP member group with the above users as members, you can use an LDIF file as shown below;<\/p>\n\n\n\n

vim member-group.ldif<\/code><\/pre>\n\n\n\n

Note that we have already created a groups OU, ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code>, in our case. As such, this LDIF simply creates a group called admins<\/strong><\/code> with the above users as members. Note that groupOfNames<\/code> requires at least one member<\/code> value, so an empty group cannot be created with this object class.<\/p>\n\n\n\n

\ndn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: groupOfNames\ncn: admins\nmember: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmember: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n
ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f member-group.ldif<\/code><\/pre>\n\n\n\n

Check that the group is created;<\/p>\n\n\n\n

ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" cn=admins<\/code><\/pre>\n\n\n\n
\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: groupOfNames\ncn: admins\nmember: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmember: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n<\/code><\/pre>\n\n\n\n

The memberOf<\/strong> attribute is added automatically to each member's entry to indicate the groups the user belongs to. Two things to keep in mind: it is an operational attribute, so ldapsearch<\/code> only returns it when you request it explicitly (by name, or with +<\/code> for all operational attributes), and the overlay only reacts to changes made after it was enabled, so groups that already existed must have their members re-added (or be recreated) before those users gain memberOf<\/code> values. You can list the members using the memberOf attribute.<\/p>\n\n\n\n

ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" memberOf<\/code><\/pre>\n\n\n\n

Add OpenLDAP Users to Groups<\/a><\/h3>\n\n\n\n

Because olcMemberOfRefInt<\/code> is TRUE, you can also add a user to a group from the user's side by adding a memberOf<\/code> value; the overlay then adds the matching member<\/code> value to the group. The conventional way, and the one that works without that option, is still to add a member<\/code> value to the group entry. For example, to add the user janedoe<\/code> to the admins<\/code> group created above;<\/p>\n\n\n\n

vim memberof.ldif<\/code><\/pre>\n\n\n\n
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nchangetype: modify\nadd: memberOf\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n

Then update the slapd database and confirm the result;<\/p>\n\n\n\n

ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f memberof.ldif<\/code><\/pre>\n\n\n\n
ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -LLL -b \"dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid=* memberOf<\/code><\/pre>\n\n\n\n
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\n\ndn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nmemberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\n<\/code><\/pre>\n\n\n\n

Well, you now have OpenLDAP groups and members added.<\/p>\n\n\n\n

How do you authenticate to LDAP connected systems as a group via SSSD?<\/p>\n\n\n\n

Setup OpenLDAP SSSD Group Authentication<\/h3>\n\n\n\n

Now that you have setup your member groups, let us see how you can configure SSSD on your LDAP clients for group authentication.<\/p>\n\n\n\n

Assuming you already installed SSSD on your OpenLDAP clients, edit the SSSD main configuration file, \/etc\/sssd\/sssd.conf<\/code>.<\/p>\n\n\n\n

vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n

Below is our sample SSSD configuration. Note that we restrict access to members of the admins group created above by using the memberOf<\/code> attribute in ldap_access_filter<\/code>, together with access_provider = ldap<\/code> and ldap_access_order = filter<\/code> so that the filter is actually evaluated. Two caveats: the filter is evaluated by the LDAP server as part of the user lookup, so the bind DN in ldap_default_bind_dn<\/code> needs read access to the memberOf<\/code> attribute in your slapd ACLs; and because that bind password sits in the file in clear text, \/etc\/sssd\/sssd.conf<\/code> must be owned by root with mode 0600 (SSSD refuses to start otherwise).<\/p>\n\n\n\n

[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ndebug_level = 10\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssW0rd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/cacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_access_order = filter\nldap_access_filter = memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\n<\/code><\/pre>\n\n\n\n

Your other options may differ from the configuration above, but the memberOf<\/code> filter is what restricts access to the group. Also consider lowering debug_level<\/code> once things work; 10 is very verbose. Read man sssd-ldap<\/code> for a full description of the SSSD options.<\/p>\n\n\n\n
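The script below is an added example for this guide (it is not code from the original post, OpenLDAP or SSSD). It covers two checks a practitioner wants at this point: that every group member really carries the matching memberOf<\/code> value (the overlay does not backfill groups created before it was enabled, and a user deleted without referential integrity leaves a dangling member<\/code> value behind), and which users the ldap_access_filter<\/code> above would actually admit. It parses the LDIF that ldapsearch -LLL<\/code> prints when asked for uid objectClass member memberOf<\/code>; the SASL lines go to stderr and are not part of the LDIF. The embedded sample is constructed and trimmed: the entries uid=ghost<\/code> and cn=legacy<\/code> are invented to show the failure modes, and the DN normalization is a simplification that ignores escaped commas.<\/p>\n\n\n\n

```python
"""Audit memberOf consistency and dry-run an SSSD memberOf access filter over
ldapsearch -LLL output. Example code for this guide, not part of OpenLDAP or SSSD."""
import base64
from collections import defaultdict

# Constructed, trimmed sample of `ldapsearch -LLL ... uid objectClass member memberOf`
# output. uid=ghost (a deleted user still listed as a member) and cn=legacy (a
# deleted group still named by a memberOf value) are invented for the demo.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=co
 m
member: uid=ghost,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: cn=developers,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
member: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: koromicha
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: linus
memberOf: CN=Admins, OU=Groups, DC=ldapmaster, DC=kifarunix-demo, DC=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: janedoe
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=legacy,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid:: am9obmRvZQ==
"""


def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}}. Folded continuation lines are
    joined and base64 (attr::) values decoded, as ldapsearch emits them."""
    entries = {}
    for block in text.replace("\n ", "").split("\n\n"):   # unfold, then split entries
        if not block.strip():
            continue
        attrs = defaultdict(list)
        for line in block.splitlines():
            name, sep, rest = line.partition(":")
            if not sep or rest.startswith("<"):          # attr:< url form not supported
                raise ValueError(f"unsupported LDIF line: {line!r}")
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            attrs[name.lower()].append(value)
        entries[attrs.pop("dn")[0]] = dict(attrs)      # KeyError if a block has no dn
    return entries


def normalize_dn(dn):
    """Case-fold and trim RDNs so DNs compare roughly as distinguishedNameMatch
    does. Simplified: escaped commas inside attribute values are not handled."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_membership(entries, group_oc="groupofnames", member_ad="member", memberof_ad="memberof"):
    """missing_memberof: a group lists the user but the user lacks the memberOf
    value (typically a group created before the overlay was enabled).
    stale_memberof: the user names a group that does not list them or is gone.
    dangling_member: a group lists a DN that no longer exists (refint's job)."""
    index = {normalize_dn(d): a for d, a in entries.items()}
    listed = defaultdict(set)                            # user dn -> groups listing it
    for dn, attrs in index.items():
        if group_oc in {v.lower() for v in attrs.get("objectclass", [])}:
            for m in attrs.get(member_ad, []):
                listed[normalize_dn(m)].add(dn)
    out = {"missing_memberof": [], "stale_memberof": [], "dangling_member": []}
    for user, groups in listed.items():
        if user not in index:
            out["dangling_member"] += [(g, user) for g in groups]
            continue
        have = {normalize_dn(v) for v in index[user].get(memberof_ad, [])}
        out["missing_memberof"] += [(user, g) for g in groups - have]
    for dn, attrs in index.items():
        have = {normalize_dn(v) for v in attrs.get(memberof_ad, [])}
        out["stale_memberof"] += [(dn, g) for g in have - listed.get(dn, set())]
    return {k: sorted(v) for k, v in out.items()}


def allowed_by_access_filter(entries, access_filter, memberof_ad="memberof"):
    """Dry run of `ldap_access_filter = memberOf=<group DN>`: the uids whose
    memberOf carries that DN. Only this single equality form is modelled."""
    attr, _, want = access_filter.strip("()").partition("=")
    if attr.strip().lower() != memberof_ad:
        raise ValueError("only memberOf=<dn> filters are modelled here")
    want = normalize_dn(want)
    return sorted(a["uid"][0] for a in entries.values()
                  if "uid" in a and want in {normalize_dn(v) for v in a.get(memberof_ad, [])})


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for kind, pairs in audit_membership(ents).items():
        print(kind, pairs)
    print("allowed:", allowed_by_access_filter(ents, "memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"))
```

On the sample, the audit reports johndoe as missing memberOf for cn=developers, janedoe as still claiming the vanished cn=legacy, and uid=ghost as a dangling member of cn=admins, while the access filter admits janedoe, koromicha and linus. To run it against a real server, replace SAMPLE_LDIF<\/code> with the output of an ldapsearch<\/code> over your base DN for the filter (|(objectClass=groupOfNames)(uid=*))<\/code> requesting uid objectClass member memberOf<\/code>; memberOf<\/code> must be requested by name because it is operational.<\/p>\n\n\n\n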

Test SSSD Authentication as a Group Member<\/h3>\n\n\n\n

Once you have defined your memberOf access filter, try to authenticate as a member of the admins group.<\/p>\n\n\n\n

Clear the SSSD cache so that entries cached before the change are not used (alternatively, sss_cache -E<\/code> invalidates the cache without deleting the database files).<\/p>\n\n\n\n

systemctl stop sssd;rm -rf \/var\/lib\/sss\/db\/*;systemctl start sssd<\/code><\/pre>\n\n\n\n

Now, log in as a member of the admins group.<\/p>\n\n\n\n

ssh linus@192.168.56.103<\/code><\/pre>\n\n\n\n

Where:<\/p>\n\n\n\n