Mustafa Hashmi

Hey there,

Great product, took mere minutes to get up and running creating users and groups. Would love for you to include a GUI-driven feature to enable memberof functionality, which is required by many integrations. At this time I would like an easy step-by-step method of turning this on in TurnKey's version. There are a lot of guides out there but they are generally over-complicated and refer to vanilla installs.

Would love some help.

Thanks

Jonathan Struebel

The following steps will allow you to enable the memberof overlay functionality on the OpenLDAP appliance. They will all have to be done from the console since the current permissions don't allow them to be done from the GUI. I still haven't figured out the right settings to keep the config secure but still allow all settings to be modified from the GUI.

First, type the following command to enable the memberof module:

ldapmodify -Y EXTERNAL -H ldapi:/// <<EOL
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
EOL

Second, type the following command to configure OpenLDAP to use the memberof module:

ldapadd -Y EXTERNAL -H ldapi:/// <<EOL
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
olcOverlay: memberof
EOL

Finally, type the following command to ensure OpenLDAP reloads the configuration (this step may not be strictly necessary due to the way the configuration is stored, but it doesn't hurt anything and ensures you're using the latest config):

service slapd restart

Jeremy Davis

Seeing as the version of OpenLDAP in v15.x is the same major & minor version (i.e. 2.4.x) and the current v2.4 upstream documentation only references the major/minor version, that suggests that things shouldn't have changed too much?! For example, the Member Of docs do not note any specific changes between v2.4 builds. I also note that the Debian "slapo-memberof" man page for Debian 8/Jessie (which the above was specifically relevant to) appears to be identical to the Debian 9/Stretch page.

Having said that, I'm certainly not an expert on OpenLDAP and haven't double checked myself, so it's possible that there is some fundamental change that I am unaware of and that hasn't been well documented. Although I've had a pretty good google and can't find any references to changes in the Member Of config between OpenLDAP v2.4.40 & v2.4.44, or even any recent tutorials on how to set it up.

If you keep in mind that TurnKey is Debian under the hood (v15.x = Debian 9/Stretch) then perhaps it might be worth seeking assistance somewhere such as Server Fault? ('Nix Stack Exchange is another option, although I reckon Server Fault would be better for this one).

I'll try to have a look sometime soon and will certainly post back with what I find. If you have any luck and manage to work it out (or even if you discover more info) please post back and share what you learn. If there is anything that we can be doing better it'd be great to know! :)

Jeremy Davis

FWIW, after following the steps above, I couldn't get it to work either. So I started again and followed an online tutorial. After following that (on the OpenLDAP appliance - obviously adapting to my specific use case) then using the ldapsearch CLI tool I could confirm that the "memberOf" was definitely working:

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=example,dc=net" memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: dc=example,dc=net

dn: cn=admin,dc=example,dc=net
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: cn=samba,dc=example,dc=net

dn: ou=Hosts,dc=example,dc=net

dn: ou=Users,dc=example,dc=net

dn: cn=nsspam,dc=example,dc=net

dn: ou=Groups,dc=example,dc=net

dn: ou=Idmaps,dc=example,dc=net

dn: ou=Aliases,dc=example,dc=net

dn: uid=jed,ou=Users,dc=example,dc=net
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: uid=adam,ou=Users,dc=example,dc=net
memberOf: cn=admins,ou=Groups,dc=example,dc=net
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: cn=users,ou=Groups,dc=example,dc=net

dn: cn=admins,ou=Groups,dc=example,dc=net

dn: cn=nextcloud,ou=Groups,dc=example,dc=net

But it still wasn't working within Nextcloud!? Unfortunately, I'm not 100% sure exactly what did it, but I used the 'occ' tool (the OwnCloud/Nextcloud CLI tool) to clear the Nextcloud LDAP config (assuming that the configID is s01, then 'occ ldap:delete-config s01'). I then re-added it, step by step ('occ ldap:set-config s01 configKey configValue', checking the current conf with 'occ ldap:show-config'). I then tested it with 'occ ldap:test-config s01'. I checked within the UI a couple of times and it still wasn't working, then all of a sudden it started working?! I'm not sure, but it seems like Nextcloud requires quite a specific user/group setup; perhaps there is some caching on the Nextcloud side of things too which incorrectly shows failure when it's actually configured correctly...

Bottom line is that it appears to be a Nextcloud issue. FWIW, here's my working Nextcloud LDAP config:

+-------------------------------+-----------------------------------------------------------------------------------------------------+
| Configuration                 | s01                                                                                                 |
+-------------------------------+-----------------------------------------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                                                   |
| homeFolderNamingRule          |                                                                                                     |
| lastJpegPhotoLookup           | 0                                                                                                   |
| ldapAgentName                 | cn=admin,dc=example,dc=net                                                                          |
| ldapAgentPassword             | ***                                                                                                 |
| ldapAttributesForGroupSearch  |                                                                                                     |
| ldapAttributesForUserSearch   |                                                                                                     |
| ldapBackupHost                |                                                                                                     |
| ldapBackupPort                |                                                                                                     |
| ldapBase                      | dc=example,dc=net                                                                                   |
| ldapBaseGroups                |                                                                                                     |
| ldapBaseUsers                 |                                                                                                     |
| ldapCacheTTL                  | 600                                                                                                 |
| ldapConfigurationActive       | 0                                                                                                   |
| ldapDefaultPPolicyDN          |                                                                                                     |
| ldapDynamicGroupMemberURL     |                                                                                                     |
| ldapEmailAttribute            |                                                                                                     |
| ldapExperiencedAdmin          | 0                                                                                                   |
| ldapExpertUUIDGroupAttr       |                                                                                                     |
| ldapExpertUUIDUserAttr        |                                                                                                     |
| ldapExpertUsernameAttr        |                                                                                                     |
| ldapExtStorageHomeAttribute   |                                                                                                     |
| ldapGidNumber                 | gidNumber                                                                                           |
| ldapGroupDisplayName          | cn                                                                                                  |
| ldapGroupFilter               | (&(|(objectclass=posixGroup))(|(cn=nextcloud)))                                                     |
| ldapGroupFilterGroups         | nextcloud                                                                                           |
| ldapGroupFilterMode           | 0                                                                                                   |
| ldapGroupFilterObjectclass    | posixGroup                                                                                          |
| ldapGroupMemberAssocAttr      |                                                                                                     |
| ldapHost                      | 192.168.1.90                                                                                        |
| ldapIgnoreNamingRules         | 1                                                                                                   |
| ldapLoginFilter               | (&(&(|(objectclass=posixAccount))(|(memberof=cn=nextcloud,ou=Groups,dc=example,dc=net)))(uid=%uid)) |
| ldapLoginFilterAttributes     |                                                                                                     |
| ldapLoginFilterEmail          | 0                                                                                                   |
| ldapLoginFilterMode           | 0                                                                                                   |
| ldapLoginFilterUsername       | 1                                                                                                   |
| ldapMatchingRuleInChainState  | unknown                                                                                             |
| ldapNestedGroups              | 0                                                                                                   |
| ldapOverrideMainServer        |                                                                                                     |
| ldapPagingSize                | 500                                                                                                 |
| ldapPort                      | 389                                                                                                 |
| ldapQuotaAttribute            |                                                                                                     |
| ldapQuotaDefault              |                                                                                                     |
| ldapTLS                       | 0                                                                                                   |
| ldapUserAvatarRule            | default                                                                                             |
| ldapUserDisplayName           | displayName                                                                                         |
| ldapUserDisplayName2          |                                                                                                     |
| ldapUserFilter                | (&(|(objectclass=posixAccount))(|(memberof=cn=nextcloud,ou=Groups,dc=example,dc=net)))              |
| ldapUserFilterGroups          | nextcloud                                                                                           |
| ldapUserFilterMode            | 0                                                                                                   |
| ldapUserFilterObjectclass     | posixAccount                                                                                        |
| ldapUuidGroupAttribute        | auto                                                                                                |
| ldapUuidUserAttribute         | auto                                                                                                |
| turnOffCertCheck              | 0                                                                                                   |
| turnOnPasswordChange          | 0                                                                                                   |
| useMemberOfToDetectMembership | 1                                                                                                   |
+-------------------------------+-----------------------------------------------------------------------------------------------------+
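The ldapUserFilter and ldapLoginFilter in the table above are what actually decide which directory accounts Nextcloud lists and lets log in, and both depend on the memberOf attribute that the overlay writes onto user entries. Two things are worth checking before blaming Nextcloud: the overlay DN in the earlier steps must name the database entry that really exists under cn=config (a Debian 9 slapd is normally olcDatabase={1}mdb rather than {1}hdb; `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase` shows which), and the overlay only writes memberOf for membership changes made after it is loaded, so groups populated beforehand need their member values removed and re-added. The script below is an added example, not code from this thread, TurnKey or Nextcloud. It evaluates the two filters from the table offline against a small constructed LDIF directory modelled on the ldapsearch output above; the objectClass and uid values in it and the extra user 'bob' are assumptions, and the matching-rule approximation in `normalize` is mine. It shows that the lowercase 'ou=groups' the overlay wrote still matches 'ou=Groups' in the filter (memberOf is DN-valued, so matching is case-insensitive), that cn=admin stays out of the user list despite being in the group because it is not a posixAccount, and that the %uid placeholder must be RFC 4515-escaped before substitution so that a login name such as '*' cannot turn the uid test into a presence check.

```python
import re

# Constructed sample directory modelled on the DNs in the ldapsearch output above; that
# search only returned memberOf, so objectClass/uid are assumed and 'bob' is an added user.
SAMPLE_LDIF = """\
dn: cn=admin,dc=example,dc=net
objectClass: organizationalRole
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: uid=jed,ou=Users,dc=example,dc=net
objectClass: posixAccount
uid: jed
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: uid=adam,ou=Users,dc=example,dc=net
objectClass: posixAccount
uid: adam
memberOf: cn=admins,ou=Groups,dc=example,dc=net
memberOf: cn=nextcloud,ou=groups,dc=example,dc=net

dn: uid=bob,ou=Users,dc=example,dc=net
objectClass: posixAccount
uid: bob
"""

# ldapUserFilter and ldapLoginFilter exactly as shown in the Nextcloud config table.
USER_FILTER = "(&(|(objectclass=posixAccount))(|(memberof=cn=nextcloud,ou=Groups,dc=example,dc=net)))"
LOGIN_FILTER = ("(&(&(|(objectclass=posixAccount))"
                "(|(memberof=cn=nextcloud,ou=Groups,dc=example,dc=net)))(uid=%uid))")

def parse_ldif(text):
    """Parse plain LDIF (no line folding, no base64 '::' values) into {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries[entry["dn"][0]] = entry
    return entries

def parse_filter(text):
    """Parse the RFC 4515 subset Nextcloud emits (&, |, !, equality, presence) into tuples."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        op = text[i + 1]
        if op in "&|!":
            i, kids = i + 2, []
            while text[i] == "(":
                kid, i = parse(i)
                kids.append(kid)
            if text[i] != ")":
                raise ValueError("expected ')' at offset %d" % i)
            return (op, kids), i + 1
        end = text.index(")", i)  # a literal ')' inside a value must be escaped as \29
        attr, _, value = text[i + 1:end].partition("=")
        return ("=", attr.strip().lower(), value), end + 1
    return parse(0)[0]

def normalize(value):
    """Approximate caseIgnoreMatch/distinguishedNameMatch: decode \\XX escapes, case-fold,
    drop whitespace after RDN separators. Real slapd matching rules do more than this."""
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return re.sub(r",\s*", ",", value.strip()).lower()

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(matches(kid, entry) for kid in node[1])
    if op == "|":
        return any(matches(kid, entry) for kid in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence filter
        return bool(values)
    return normalize(value) in {normalize(v) for v in values}

def ldap_escape(value):
    """RFC 4515 escaping for text substituted into a filter, as a client must do for %uid."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def matching_dns(entries, filter_text):
    """DNs satisfying the filter: the accounts Nextcloud would list with ldapUserFilter."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items() if matches(node, entry))

def login_allowed(entries, login_name):
    """Whether a login name passes ldapLoginFilter once %uid is substituted (escaped)."""
    node = parse_filter(LOGIN_FILTER.replace("%uid", ldap_escape(login_name)))
    return any(matches(node, entry) for entry in entries.values())
```

Calling `matching_dns(parse_ldif(SAMPLE_LDIF), USER_FILTER)` returns only the adam and jed entries; `login_allowed(directory, "jed")` is true, while "bob" (not in the group) and "*" (escaped to `\2a`, so it is compared as a literal asterisk) are both refused. To run the same check against a live appliance, feed the output of the `ldapsearch` command from the post (with `objectClass uid memberOf` as requested attributes) into `parse_ldif` instead of the constructed sample.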
