
LDAP-Group mappings works only with proper Unix-Groups #2

Open
zoide opened this issue Jun 5, 2018 · 4 comments

Comments

zoide commented Jun 5, 2018

```php
$query = $ldap->query($group_dn, 'gidnumber=' . $this->getLDAPMappedItem('gidNumber', $ldap_data));
```

I had a look at the plugin's code, and the line above suggests that the user's groups can only be found if the user is a member of an "objectClass=posixGroup" group.

In my environment I have 'virtual' groups which do not have a gidNumber. Such groups can be found in GoSa, and ActiveDirectory allows these kinds of groups.

Here's an example of such a group:

```ldif
version: 1

dn: cn=GROUPNAME,ou=groups,dc=example,dc=com
objectClass: top
objectClass: gosaGroupOfNames
objectClass: trustAccount
cn: GROUPNAME
gosaGroupObjects: [U]
trustModel: fullaccess
description: A Group which is not posixGroup
member: cn=A UserDN,ou=people,dc=example,dc=com
member: cn=Another User DN,ou=people,dc=example,dc=com
```
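
The following is an added example, not code from the plugin or from this thread. It shows the difference the comment above describes: a lookup keyed only on gidNumber finds posixGroup entries, while a groupOfNames-style group (such as the gosaGroupOfNames entry shown) is only found by matching the user's DN against its member attribute. The in-memory directory, the user alice and the group staff are constructed sample data; the escaping follows RFC 4515 so that a value concatenated into a filter cannot change the filter's structure.

```python
# Added example: resolve a user's groups under both the posixGroup schema
# (gidNumber / memberUid) and member-based schemas (groupOfNames,
# gosaGroupOfNames, AD 'group'). DIRECTORY is constructed sample data.

DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "gidNumber": ["1000"],
    },
    "cn=staff,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "posixGroup"],
        "cn": ["staff"],
        "gidNumber": ["1000"],
        "memberUid": ["alice"],
    },
    "cn=GROUPNAME,ou=groups,dc=example,dc=com": {
        "objectClass": ["top", "gosaGroupOfNames", "trustAccount"],
        "cn": ["GROUPNAME"],
        # second member written with different case/spacing on purpose
        "member": ["cn=A UserDN,ou=people,dc=example,dc=com",
                   "CN=alice, OU=people, DC=example, DC=com"],
    },
}

# objectClass values (lower-cased) whose membership is expressed via 'member'
MEMBER_CLASSES = {"groupofnames", "gosagroupofnames", "groupofuniquenames", "group"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a username such as 'a*)(uid=*' stays a literal value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def normalize_dn(dn: str) -> str:
    """Canonical form for DN comparison (adequate for DNs without escaped commas)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def attr(entry: dict, name: str) -> list:
    """Case-insensitive attribute lookup; LDAP attribute names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def build_group_filter(user_dn: str, user_entry: dict) -> str:
    """Filter that covers posix primary group, posix memberUid and member DN."""
    uid = escape_filter_value(attr(user_entry, "uid")[0])
    clauses = [
        "(&(objectClass=posixGroup)(memberUid=%s))" % uid,
        "(member=%s)" % escape_filter_value(user_dn),
    ]
    gid = attr(user_entry, "gidNumber")
    if gid:  # only posixAccount users carry a gidNumber
        clauses.insert(0, "(&(objectClass=posixGroup)(gidNumber=%s))"
                       % escape_filter_value(gid[0]))
    return "(|" + "".join(clauses) + ")"


def groups_for_user(user_dn: str, directory: dict, posix_only: bool = False) -> list:
    """Evaluate the same logic in memory; posix_only mirrors a gidNumber-only lookup."""
    user = directory[user_dn]
    gid, uid = attr(user, "gidNumber"), attr(user, "uid")
    found = []
    for dn, entry in directory.items():
        classes = {c.lower() for c in attr(entry, "objectClass")}
        if "posixgroup" in classes:
            if (gid and attr(entry, "gidNumber") == gid) or \
               (uid and uid[0] in attr(entry, "memberUid")):
                found.append(dn)
                continue
        if posix_only:
            continue
        if classes & MEMBER_CLASSES:
            members = {normalize_dn(m) for m in attr(entry, "member")}
            if normalize_dn(user_dn) in members:
                found.append(dn)
    return sorted(found)
```

With `posix_only=True` the lookup returns only cn=staff, which is the behaviour the comment describes; the full lookup also returns cn=GROUPNAME even though its member value differs from the user's DN in case and spacing.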
w00fz (Member) commented Jun 11, 2018

What do users look like with their default groups? Specifically, how do you think we could change that group query to make it configurable and allow specifying other queries besides the posix approach?

I would love to have it customizable but LDAP is just so customizable that it's hard to test all scenarios.

zoide (Author) commented Jun 13, 2018

Well, that is the problem. There is no default group for a user. In the AD / GOSA (RFC2307Bis) schema you don't have those.

I'm currently taking a deeper look into the plugin. It seems that it needs to be restructured a little bit in order to account for these different setups.

pacija commented Jun 26, 2018

I am also eyeing this plugin, but it does not work for me with the AD implementation of LDAP.

I use some php software with good LDAP/AD integration, namely Nextcloud's user_ldap module. Perhaps one could look at the solution hints there?

I like LDAP integrations where I can:

  • bind to LDAP with specific non-privileged "bind DN / pass" combination
  • narrow scope to specific OU and its sub-OUs
  • specify filter so that only members of specific group (AD's memberOf, also available as overlay in OpenLDAP) can use the service
  • optionally map LDAP groups to local groups

I wish you devs strength and luck to integrate grav with AD 😄. I would be glad to do any testing.

zoide (Author) commented Jul 4, 2018

Yes, that is usually the way the whole LDAP authentication works:

  • the non-privileged user just checks whether the actual user exists
  • the username/password is only used to test for its correctness.

I've done some work to get the plugin to work with rfc2307bis type LDAP trees.
https://github.com/zoide/grav-plugin-login-ldap/tree/refactor
It still needs docs and more work.
I will refactor the whole process but currently I can't find the time :(

The branch is not yet ready for a PR.

For those who want to try it out, there are some config differences:
UserDN is only uid=[username]
and not uid=[username],ou=people,....
You should add User search DN and User Group DN.

I had to add jpegPhoto to blacklist Fields. Grav can't handle the base64 image data... But that's another issue...
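
As an added example (not the plugin's code and not from the refactor branch linked above), the following puts together the flow pacija lists and zoide describes: bind with a non-privileged service account, search for the user only below a configured base DN (the "User search DN"), require membership in a specific group, and only then bind as the found user with the supplied password, mapping LDAP groups to local groups at the end. The directory, the service account svc-grav, the OU layout, the group names and all passwords are constructed assumptions; a real deployment would use an LDAP client library instead of the in-memory `bind` and `search_user` below.

```python
# Added example: bind -> scoped search -> group check -> user bind -> group map.
# Everything in DIRECTORY and CONFIG is constructed sample data.
import hmac

DIRECTORY = {
    "cn=svc-grav,ou=services,dc=example,dc=com": {
        "objectClass": ["person"], "userPassword": "svc-secret"},
    "cn=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["alice"], "userPassword": "alice-pw",
        "memberOf": ["cn=grav-users,ou=groups,dc=example,dc=com"]},
    "cn=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["bob"], "userPassword": "bob-pw",
        "memberOf": []},
    # eve is in the required group but lives outside the configured search base
    "cn=eve,ou=contractors,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["eve"], "userPassword": "eve-pw",
        "memberOf": ["cn=grav-users,ou=groups,dc=example,dc=com"]},
}

CONFIG = {
    "bind_dn": "cn=svc-grav,ou=services,dc=example,dc=com",  # non-privileged bind DN
    "bind_password": "svc-secret",
    "user_search_dn": "ou=people,dc=example,dc=com",          # base for the user search
    "user_attr": "uid",                                       # UserDN is only uid=[username]
    "required_group": "cn=grav-users,ou=groups,dc=example,dc=com",
    "group_map": {                                            # LDAP group DN -> local group
        "cn=grav-admins,ou=groups,dc=example,dc=com": "admin",
        "cn=grav-users,ou=groups,dc=example,dc=com": "site.login",
    },
}


def bind(directory: dict, dn: str, password: str) -> bool:
    """Simulated simple bind. An empty password is rejected up front: real servers
    treat a bind with an empty password as a successful *anonymous* bind."""
    if not password:
        return False
    entry = directory.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry.get("userPassword", ""), password)


def in_scope(dn: str, base: str) -> bool:
    """True when dn is the base itself or lies somewhere below it (subtree scope)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search_user(directory: dict, base: str, attr_name: str, username: str):
    """Return the single DN whose attr_name equals username under base, else None.
    Zero or several matches are both treated as 'not found'."""
    matches = [dn for dn, entry in directory.items()
               if in_scope(dn, base) and username in entry.get(attr_name, [])]
    return matches[0] if len(matches) == 1 else None


def authenticate(config: dict, directory: dict, username: str, password: str) -> dict:
    if not bind(directory, config["bind_dn"], config["bind_password"]):
        return {"ok": False, "reason": "service bind failed"}
    user_dn = search_user(directory, config["user_search_dn"], config["user_attr"], username)
    if user_dn is None:
        return {"ok": False, "reason": "user not found in search scope"}
    member_of = {g.lower() for g in directory[user_dn].get("memberOf", [])}
    if config["required_group"].lower() not in member_of:
        return {"ok": False, "reason": "not in required group"}
    if not bind(directory, user_dn, password):  # the user's own credentials
        return {"ok": False, "reason": "user bind failed"}
    local = sorted(v for k, v in config["group_map"].items() if k.lower() in member_of)
    return {"ok": True, "dn": user_dn, "groups": local}


if __name__ == "__main__":
    for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("eve", "eve-pw"), ("alice", "")]:
        print(user, authenticate(CONFIG, DIRECTORY, user, pw))
```

The order matters: the service account only establishes whether the user exists and is allowed in, and the user's password is used exactly once, for the final bind. Rejecting an empty password before that bind is the check worth keeping in any real implementation.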
