How to Create OpenLDAP Member Groups

While assigning specific access rights or permissions to users whose access to various organization systems or resources are controlled via directory or identity management tools like OpenLDAP or FreeIPA, it is more feasible and less time consuming to manage this as a group. In this guide, we are going to learn how to Create OpenLDAP Member Groups to enable you to control what a specific group of members are authorized to do on a given organization system or resource.

Creating OpenLDAP Member Groups

Before you can proceed with this guide, we assume that you already have an OpenLDAP server up and running. Otherwise, you can check our OpenLDAP guides by following the links below;

Install and Setup OpenLDAP on CentOS 8

How to Configure SUDO via OpenLDAP Server

Configure SSSD for OpenLDAP Authentication on CentOS 8

Well, so how do you create member groups on OpenLDAP?

Enabling OpenLDAP memberof Overlay

The OpenLDAP group membership is provided by the memberof overlay. An overlay is component of OpenLDAP that is used to perform functions similar to the functions provided by an OpenLDAP database backends.

Overlays can be dynamically loaded via the overlays modules or can be compiled directly into OpenLDAP database, slapd.

To check if the memberof overlay module has already been loaded.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config -LLL | grep -i module

As you can see in the output below, only MDB database backend module is loaded.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# module{0}, config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
...

Find the location of the memberof overlay module and confirm if matches the already specified path above. The path below might be different in your case.

find / -iname memberof.la

/usr/libexec/openldap/memberof.la

Therefore, update the slapd database with the memberof overlay module by creating an ldif file as shown below.

vim update-module.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof.la

Load the module into slapd.

ldapadd -Y EXTERNAL -H ldapi:/// -f update-module.ldif

If you do not want to update the existing module, you can add another module directory information tree.

vim load-memberof-module.ldif

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/libexec/openldap

ldapadd -Y EXTERNAL -H ldapi:/// -f load-memberof-module.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=module,cn=config"

Verify again that the module is loaded.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config -LLL | grep -i module

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/libexec/openldap
olcModuleLoad: {0}back_mdb.la
olcModuleLoad: {1}memberof.la
...

Add memberof Overlay to SLAPD database

Now that the memberof overlay modules is loaded, you then need to update it on OpenLDAP database.

The overlay should be updated on a specific database backend. To locate your database backend, you can simply run the command. In our case, we are using MDB database hence grep mdb.

ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b  cn=config olcDatabase | grep mdb

Note the sequential order of your database schema.

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={1}mdb,cn=config
olcDatabase: {1}mdb

Create an LDIF file with your memberof overlay attributes as shown below.

vim add-memberof-overlay.ldif

dn: olcOverlay=memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof 
olcMemberOfRefInt: TRUE
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

For more information on the overlay attributes used above, consult, man slapo-memberof.

Update the OpenLDAP database with memberof overlay attributes.

ldapadd -Y EXTERNAL -H ldapi:/// -f add-memberof-overlay.ldif

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=memberof,olcDatabase={1}mdb,cn=config"

Another important aspect of OpenLDAP group membership is the Referential Integrity. Consider the line olcMemberOfRefInt: TRUE. This line basically enables what is called referential integrity which ensures that the integrity of the database schema is kept. For example, if any attributes of a member are adjusted, all the groups on which the member belongs are also updated.

Referential Integrity is also managed by an overlay which has to be loaded via a module.

find / -iname refint.la

/usr/libexec/openldap/refint.la

Since the module location is the same, you can simply load the refint module as follows;

vim add-refint.ldif

dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: refint.la

ldapadd -Y EXTERNAL -H ldapi:/// -f add-refint.ldif

Read more on man slapo-refint.

Create OpenLDAP Member Groups

The OpenLDAP memberof overlay is now setup. The next step is to create member groups to enable you impose specific access control authorization.

Assuming you have the following users in your OpenLDAP database, for example;

uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

To create openldap member group with the above users as members, you can use an LDIF file as shown below;

vim member-group.ldif

Note that we have already created a Group OU, ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com, in our case. As such, this ldif will will simply create a group called admins with the above users as members.

dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

ldapadd -Y EXTERNAL -H ldapi:/// -f member-group.ldif

Check that the group is created;

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=admins

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: groupOfNames
cn: admins
member: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
member: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

The memberOf attribute is automatically added to user entries to indicate a group that the user belongs to. You can search the members using the memberOf attribute.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" memberOf

Add OpenLDAP Users to Groups

You can as well add members to specific groups using the memberOf attribute. For example, to add the user, janedoe to the admins groups created above;

vim memberof.ldif

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: memberOf
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

The update the slapd database;

ldapadd -Y EXTERNAL -H ldapi:/// -f memberof.ldif

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" uid=* memberOf

SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=linus,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=koromicha,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
memberOf: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

Well, you now have OpenLDAP groups and members added.

How do you authenticate to LDAP connected systems as a group via SSSD?

Setup OpenLDAP SSSD Group Authentication

Now that you have setup your member groups, let us see how you can configure SSSD on your LDAP clients for group authentication.

Assuming you already installed SSSD on your OpenLDAP clients, edit the SSSD main configuration file, /etc/sssd/sssd.conf.

vim /etc/sssd/sssd.conf

Below is our sample SSSD configuration. Note that we restrict access only to members of the admins group we created above using the memberOf attribute as the value of ldap_access_filter. Also note the access provider, access_provider = ldap.

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
debug_level = 10
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssW0rd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = memberOf=cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com

You other configuration options might be different as with the above configuration, but the memberOf attribute should be there to define the group of members allowed access. Read more on man sssd-ldap for a more description on SSSD options.

Test SSSD Authentication as a Group Member

Once you have defined your memberOf access filter, try to authenticate as member of the admins group.

Clear SSSD cache.

systemctl stop sssd;rm -rf /var/lib/sss/db/*;systemctl start sssd

Now, login as one member of the admins group.

ssh [email protected]

Where:

• The IP address specified here is the OpenLDAP client with SSSD configuration above.
• linus is a user member of the admins group.

The authenticity of host '192.168.56.103 (192.168.56.103)' can't be established.
ECDSA key fingerprint is SHA256:HMMbAonHoAVgZwbYi7KY4O7jXH+h9GMDDwy1kI2LyGM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.103' (ECDSA) to the list of known hosts.
[email protected]'s password: 
Creating directory '/home/linus'.
Welcome to Ubuntu 18.04 LTS (GNU/Linux 4.15.0-20-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Thu Dec 12 04:13:48 2019 from ::1
linus@ubuntu18:~$

There you go.

Try to authenticate as user who is not a member of the admins group.

ssh [email protected]

[email protected]'s password: password here
Connection to 192.168.56.103 closed by remote host.
Connection to 192.168.56.103 closed.

Set Access Control Lists for OpenLDAP Member Group

You can also assign specific access controls to a group of members on OpenLDAP.

What am demoing here is not actually group access controls. But let us see how to give members of a specific group sudo rights via OpenLDAP. Learn how to configure OpenLDAP SUDO support here first.

We already created a sudoers role on our LDAP server called, sudo with one member given sudo rights.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=sudo

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Now, modify your sudo role (if already existing) and add one of the users from the admins group.

vim addtosudo.ldif

dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
changetype: modify
add: sudoUser
sudoUser: linus

Update the database.

ldapadd -Y EXTERNAL -H ldapi:/// -f addtosudo.ldif

Verify the sudo group membership.

ldapsearch -H ldapi:/// -Y EXTERNAL -LLL -b "dc=ldapmaster,dc=kifarunix-demo,dc=com" cn=sudo

dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoUser: linus
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Now, since only members of admins group are allowed to authenticate, only user, linus has been given sudo rights as defined above.

root@ubuntu18:~# sudo -U linus -ll

Matching Defaults entries for linus on ubuntu18:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
    LS_COLORS", env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
    LC_MESSAGES", env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", env_keep+=SSH_AUTH_SOCK, secure_path = /sbin:/bin:/usr/sbin:/usr/bin, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User linus may run the following commands on ubuntu18:

SSSD Role: sudo
    RunAsUsers: ALL
    Commands:
	ALL

root@ubuntu18:~# sudo -U koromicha -ll
User koromicha is not allowed to run sudo on ubuntu18.

Well, there you. You have learn to create OpenLDAP member groups via the memberof overlay module as well as adding other users to member groups and even defining specific access controls for respective members of the group.

Extras;

How to Delete Users from an OpenLDAP Group

You can also delete or remove users from OpenLDAP groups.

For example, to remove the user uid=janedoe from the admins group;

Run the command below on the terminal;

ldapmodify -Y EXTERNAL -H ldapi:/// -QQQ

Press enter on the terminal to execute the command above

Copy the following, modify to fit your environment setup and paste and press enter to execute.

dn: cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com
delete: member
member: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

You should see the output;

modifying entry "cn=admins,ou=groups,dc=ldapmaster,dc=kifarunix-demo,dc=com"

Press Ctrl+c to stop the command.

Other tutorials

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29

Install and Setup FreeIPA Server on CentOS 8