While assigning specific access rights or permissions to users whose access to various organization systems or resources are controlled via directory or identity management tools like OpenLDAP or FreeIPA, it is more feasible and less time consuming to manage this as a group. In this guide, we are going to learn how to Create OpenLDAP Member Groups to enable you to control what a specific group of members are authorized to do on a given organization system or resource.
Creating OpenLDAP Member Groups
Before you can proceed with this guide, we assume that you already have an OpenLDAP server up and running. Otherwise, you can check our OpenLDAP guides by following the links below;
Install and Setup OpenLDAP on CentOS 8
How to Configure SUDO via OpenLDAP Server
Configure SSSD for OpenLDAP Authentication on CentOS 8
Well, so how do you create member groups on OpenLDAP?
Enabling OpenLDAP memberof Overlay
The OpenLDAP group membership is provided by the memberof overlay. An overlay is component of OpenLDAP that is used to perform functions similar to the functions provided by an OpenLDAP database backends.
Overlays can be dynamically loaded via the overlays modules or can be compiled directly into OpenLDAP database, slapd.
To check if the memberof overlay module has already been loaded.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -LLL | grep -i moduleAs you can see in the output below, only MDB database backend module is loaded.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
...
Find the location of the memberof overlay module and confirm if matches the already specified path above. The path below might be different in your case.
find / -iname memberof.la/usr/libexec/openldap/memberof.laTherefore, update the slapd database with the memberof overlay module by creating an ldif file as shown below.
vim update-module.ldifdn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.laLoad the module into slapd.
ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldifIf you do not want to update the existing module, you can add another module directory information tree.
vim load-memberof-module.ldifdn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/libexec/openldapldapadd -Y EXTERNAL -H ldapi:/// -f load-memberof-module.ldifSASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"Verify again that the module is loaded.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config -LLL | grep -i module
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
...
Add memberof Overlay to SLAPD database
Now that the memberof overlay modules is loaded, you then need to update it on OpenLDAP database.
The overlay should be updated on a specific database backend. To locate your database backend, you can simply run the command. In our case, we are using MDB database hence grep mdb.
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase | grep mdbNote the sequential order of your database schema.
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdbCreate an LDIF file with your memberof overlay attributes as shown below.
vim add-memberof-overlay.ldifdn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
For more information on the overlay attributes used above, consult, man slapo-memberof.
Update the OpenLDAP database with memberof overlay attributes.
ldapadd -Y EXTERNAL -H ldapi:/// -f add-memberof-overlay.ldifSASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"Another important aspect of OpenLDAP group membership is the Referential Integrity. Consider the line olcMemberOfRefInt: TRUE. This line basically enables what is called referential integrity which ensures that the integrity of the database schema is kept. For example, if any attributes of a member are adjusted, all the groups on which the member belongs are also updated.
Referential Integrity is also managed by an overlay which has to be loaded via a module.
find / -iname refint.la/usr/libexec/openldap/refint.laSince the module location is the same, you can simply load the refint module as follows;
vim add-refint.ldifdn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.laldapadd -Y EXTERNAL -H ldapi:/// -f add-refint.ldifRead more on man slapo-refint.
Create OpenLDAP Member Groups
The OpenLDAP memberof overlay is now setup. The next step is to create member groups to enable you impose specific access control authorization.
Assuming you have the following users in your OpenLDAP database, for example;
uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=comTo create openldap member group with the above users as members, you can use an LDIF file as shown below;
vim member-group.ldifNote that we have already created a Group OU, ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com, in our case. As such, this ldif will will simply create a group called admins with the above users as members.
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapadd -Y EXTERNAL -H ldapi:/// -f member-group.ldifCheck that the group is created;
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=admins
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
The memberOf attribute is automatically added to user entries to indicate a group that the user belongs to. You can search the members using the memberOf attribute.
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" memberOfAdd OpenLDAP Users to Groups
You can as well add members to specific groups using the memberOf attribute. For example, to add the user, janedoe to the admins groups created above;
vim memberof.ldifdn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: memberOf
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=comThe update the slapd database;
ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldifldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOfSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
Well, you now have OpenLDAP groups and members added.
How do you authenticate to LDAP connected systems as a group via SSSD?
Setup OpenLDAP SSSD Group Authentication
Now that you have setup your member groups, let us see how you can configure SSSD on your LDAP clients for group authentication.
Assuming you already installed SSSD on your OpenLDAP clients, edit the SSSD main configuration file, /etc/sssd/sssd.conf.
vim /etc/sssd/sssd.confBelow is our sample SSSD configuration. Note that we restrict access only to members of the admins group we created above using the memberOf attribute as the value of ldap_access_filter. Also note the access provider, access_provider = ldap.
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default
[sudo]
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
ldap_id_use_start_tls = True
debug_level = 10
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssW0rd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
You other configuration options might be different as with the above configuration, but the memberOf attribute should be there to define the group of members allowed access. Read more on man sssd-ldap for a more description on SSSD options.
Test SSSD Authentication as a Group Member
Once you have defined your memberOf access filter, try to authenticate as member of the admins group.
Clear SSSD cache.
systemctl stop sssd;rm -rf /var/lib/sss/db/*;systemctl start sssdNow, login as one member of the admins group.
ssh [email protected]Where:
- The IP address specified here is the OpenLDAP client with SSSD configuration above.
linusis a user member of the admins group.
The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:HMMbAonHoAVgZwbYi7KY4O7jXH+h9GMDDwy1kI2LyGM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
[email protected]'s password:
Creating directory '/home/linus'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Thu Dec 12 04:13:48 2019 from ::1
linus@ubuntu18:~$
There you go.
Try to authenticate as user who is not a member of the admins group.
ssh [email protected][email protected]'s password: password here
Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.Set Access Control Lists for OpenLDAP Member Group
You can also assign specific access controls to a group of members on OpenLDAP.
What am demoing here is not actually group access controls. But let us see how to give members of a specific group sudo rights via OpenLDAP. Learn how to configure OpenLDAP SUDO support here first.
We already created a sudoers role on our LDAP server called, sudo with one member given sudo rights.
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=sudoSASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
Now, modify your sudo role (if already existing) and add one of the users from the admins group.
vim addtosudo.ldifdn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: sudoUser
sudoUser: linusUpdate the database.
ldapadd -Y EXTERNAL -H ldapi:/// -f addtosudo.ldifVerify the sudo group membership.
ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=sudodn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoUser: linus
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
Now, since only members of admins group are allowed to authenticate, only user, linus has been given sudo rights as defined above.
root@ubuntu18:~# sudo -U linus -llMatching Defaults entries for linus on ubuntu18:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
LS_COLORS", env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
LC_MESSAGES", env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
XAUTHORITY", env_keep+=SSH_AUTH_SOCK, secure_path = /sbin:/bin:/usr/sbin:/usr/bin, env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User linus may run the following commands on ubuntu18:
SSSD Role: sudo
RunAsUsers: ALL
Commands:
ALL
root@ubuntu18:~# sudo -U koromicha -ll
User koromicha is not allowed to run sudo on ubuntu18.Well, there you. You have learn to create OpenLDAP member groups via the memberof overlay module as well as adding other users to member groups and even defining specific access controls for respective members of the group.
Extras;
How to Delete Users from an OpenLDAP Group
You can also delete or remove users from OpenLDAP groups.
For example, to remove the user uid=janedoe from the admins group;
Run the command below on the terminal;
ldapmodify -Y EXTERNAL -H ldapi:/// -QQQPress enter on the terminal to execute the command above
Copy the following, modify to fit your environment setup and paste and press enter to execute.
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
delete: member
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=comYou should see the output;
modifying entry "cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"Press Ctrl+c to stop the command.
Other tutorials
Setup OpenLDAP Server with SSL/TLS on Debian 10
Hello,
I had import memberof overlay to my Openldap server, and when I create a new user ( class:inet
Id is not showing secondary group details after adding the memberOf attribute ..weras same is showing with memberUid .any help would be appreciated .I am stuck
Hi Shiksha.
Did you already created the user group?