LinuxQuestions.org
Old 10-05-2012, 07:17 AM   #1
skimeer
Retrieve group names for user in OpenLDAP


Hello,

I want to get the names of the groups to which users belong in OpenLDAP. I can get the list of group members by passing the group name to the ldapsearch command. However, I want to get the group names by passing a uid/username to the ldapsearch command.

Currently I am getting the result below:

Code:
[root@Test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(uid=skimeer)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (uid=skimeer)
# requesting: ALL
#

# skimeer, test.com
dn: uid=skimeer,dc=test,dc=com
uid: skimeer
cn: skimeer
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: organizationRole
objectClass: UserMail
userPassword:: e2NyeXB0fSQxJFdpMVVNL05iJDZIVVVpS2c3OEZHMUdNQnlXL0xySjA=
shadowLastChange: 15583
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10116
role: ldap-admin
usermail: skimeer@skimeer.com
homeDirectory: /home/skimeer
gidNumber: 10001

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
 
Old 10-06-2012, 04:08 AM   #2
bathory
Hi,

From the ldapsearch output above, it looks like there are no attributes in a user's DN that hold the groups a user belongs to.
So if in any group DN the group members (users) are held as attributes, you can use the following command to find the groups a user belongs to:
Code:
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(group-name=*)(uid=skimeer))"
Regards
 
Old 10-08-2012, 02:36 AM   #3
skimeer
Hi Bathory,

Unfortunately the given query did not give back anything:

Code:
[root@Test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(group-name=*)(uid=skimeer))"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (&(group-name=*)(uid=skimeer))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
However, if I search for memberUid for the test-auth group, it shows skimeer as a member:

Code:
[root@Test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(cn=test-auth)" memberUid
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (cn=test-auth)
# requesting: memberUid
#

# test-auth, test.com
dn: cn=test-auth,dc=test,dc=com
memberUid: skimeer
memberUid: bikash
memberUid: ganesh
memberUid: test123
 
Old 10-08-2012, 04:44 AM   #4
bathory
Quote:
Unfortunately the given query did not give back anything:
That is normal.
It was just an example to show you how to filter specific DNs searching specific attributes/values.
Given your example test-auth group, you can try:
Code:
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(cn=*)(memberUid=skimeer))"
Regards
 
Old 10-08-2012, 05:22 AM   #5
skimeer
Ok, so I guess the given query should list the cn for which skimeer is a memberUid. However, it's not listing the test-auth group cn for this command.

Code:
[root@DevSDL1 Test]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(cn=*)(memberUid=skimeer))"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (&(cn=*)(memberUid=skimeer))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
 
Old 10-08-2012, 06:15 AM   #6
bathory
What is the full group dn? It should look like this:
Code:
dn: cn=test-auth,dc=test,dc=com
...
cn: test-auth
...
memberUid: skimeer
memberUid: bikash
memberUid: ganesh
memberUid: test123
...
If not try another attribute common to all groups in your search filter.

Last edited by bathory; 10-08-2012 at 06:32 AM. Reason: typos
 
Old 10-10-2012, 09:22 AM   #7
skimeer
Hello

These are the details for the test-auth group:

Code:
[root@test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(cn=test-auth)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (cn=test-auth)
# requesting: ALL
#

# test-auth, test.com
dn: cn=test-auth,dc=test,dc=com
objectClass: top
objectClass: posixGroup
cn: test-auth
userPassword:: e2NyeXB0fXg=
gidNumber: 3000
memberUid: skimeer
memberUid: bikash
memberUid: ganesh
memberUid: test123
memberUid:: ZGM9aG9tZV90ZXN0LGRjPXNjaG5hZ2UsZGM9Y29tCQ==
memberUid: home_test
memberUid: venkata
memberUid: pradip
memberUid: hometest

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@test ~]#

Last edited by skimeer; 10-10-2012 at 09:25 AM.
 
Old 10-10-2012, 12:04 PM   #8
bathory
Huh strange! The ldapsearch filter should work.
Do each of the following searches work?
Code:
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(cn=*)"
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(memberUid=skimeer)"
 
Old 10-12-2012, 05:27 AM   #9
skimeer
Both searches are not working. Does this mean there is an issue with my openldap configuration?

Code:
[root@DevMMC2HA ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(cn=*)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (cn=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

[root@DevMMC2HA ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(memberUid=skimeer)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (memberUid=skimeer)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
 
Old 10-12-2012, 06:49 AM   #10
bathory
Doh. The "no such object" error means that there is an error with the search base (dc=test,dc=com).
Are you sure that this is correct?
What do you get from:
Code:
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com"
 
Old 10-12-2012, 07:44 AM   #11
skimeer
Hey bathory, sorry, something was missed on my side.

Now ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(cn=*)" and ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" both list all the details from my server.

However,

Code:
[root@test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(memberUid=skimeer)"
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (memberUid=skimeer)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
 
Old 10-12-2012, 08:58 AM   #12
bathory
It should also work.
Maybe you have an ACL not allowing anonymous searches for that attribute.
 
Old 10-15-2012, 11:51 PM   #13
Matthew Hardin
Bathory's right- it should work. The fact that the group entry could be searched for by cn means it's not an ACL problem, either. Time for some detective work.

Looking at your group entry I see:

Code:
memberUid:: ZGM9aG9tZV90ZXN0LGRjPXNjaG5hZ2UsZGM9Y29tCQ==
That's not wrong, per se, but that form does indicate that the value is base64 encoded. For attribute syntaxes other than octetString, that only happens when one or more characters in the value are unprintable. How did it get in there? Did you put it there? Probably not. Also, the syntax for memberUid is IA5String, which specifies 7-bit characters, and NO extended characters. So one or more characters in that value are outside the legal range for that syntax. I also note that in your earlier tests not all the members of your group printed out. In fact, test123, which is the one just before the base64-encoded value, is the last one displayed.

One thing I see a lot during learning cycles is dirty databases. Unprintable characters in attribute values that normally contain only printable characters is an indicator that something hinky happened and your database may have problems.

I suggest the following:

Stop slapd.

Run a backup of the database using slapcat. Something like:

Code:
slapcat -b "dc=test,dc=com" > backup.ldif
would do it. While you're at it, review the contents of the LDIF file you just produced, paying special attention to the attribute values in your group object. Remove any (besides userPassword) that are base64 encoded (they have double-colon as the separator instead of a single-colon).

Now, edit slapd.conf and change the database directory value for the dc=test,dc=com backend to something else. Create that new directory in the file system with the mkdir command and re-create the database using slapadd. Something like:

Code:
slapadd < backup.ldif
will do it.

Now restart slapd and run your test search again, in particular the one looking for "(memberUID=skimeer)". I'll bet the search works fine.


One other thing: It's safer and more efficient to search for specific attribute values rather than a wildcard and the other attribute value that you want. To show you an example,

Instead of using this filter:

Code:
(&(cn=*)(memberUid=skimeer))
use this one:

Code:
(&(objectClass=posixGroup)(memberUid=skimeer))
The reason this is safer is that it's just possible that an LDAP database somewhere your application gets used ends up with some other type of objectClass that just happens to have a cn attribute and the memberUid you're searching for, but is not a group. Best to be safe and filter based on specific values instead of wildcards whenever possible.

The reason this is more efficient is that the "(objectClass=posixGroup)" section of the filter results in only those entries containing "objectClass=posixGroup" being selected and then a subsequent lookup is performed within that set of entries with "memberUid=skimeer". "objectClass=posixGroup" is almost always going to be a smaller set than "cn=*". Setting eq indexes on objectClass and memberUid further accelerates the lookups. Don't forget to stop slapd and run slapindex if you're adding indexes to an existing database.

Contrast this to (cn=*), which will cause all entries in the database that contain any value of cn to be selected. That's going to be a much larger set than in the "objectClass=posixGroup" example above. Then all those entries will need to be searched for "memberUid=skimeer". Adding appropriate indexes will speed things up a bit (i.e., pres for cn, eq for memberUid), but the resulting sets that need to be searched are quite a bit larger in this case than in the previous one, so slapd spends more time searching.

I hope this helps,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com
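An added example (not code from any of the posts above) that reproduces the two things this thread turns on without needing a running slapd: the base64-encoded memberUid that Matthew Hardin spotted in post #7, and the difference between bathory's (&(cn=*)(memberUid=skimeer)) filter and the (&(objectClass=posixGroup)(memberUid=skimeer)) form recommended above. It parses the LDIF that ldapsearch/slapcat emit, decodes any "::" value back to raw bytes, flags memberUid values that contain anything outside printable 7-bit ASCII (a heuristic chosen here; IA5String forbids 8-bit bytes, and control characters are never a valid login name), and evaluates both filters in memory. The sample LDIF is constructed from the entries posted in the thread; the third entry (cn=other) is invented for illustration and would be rejected by slapd's schema checking, since organizationalRole does not allow memberUid. Matching rules follow OpenLDAP's nis.schema (caseExactIA5Match on memberUid), which is an assumption about the schema in use.

```python
"""Added example, not code from the thread: parse ldapsearch/slapcat LDIF,
flag base64 ('::') values that hide non-printable or 8-bit characters in an
IA5String attribute, and resolve a user's groups with the objectClass-
qualified filter recommended above, against the (cn=*) wildcard form."""
import base64
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[bytes]]]  # (dn, attribute -> raw values)

# Constructed sample from the entries posted in the thread, trimmed to the
# attributes that matter; the base64 memberUid is copied from post #7.  The
# third entry is invented (slapd's schema checking would reject memberUid on
# an organizationalRole) to show why filtering on objectClass is safer.
SAMPLE_LDIF = """\
dn: uid=skimeer,dc=test,dc=com
uid: skimeer
cn: skimeer
objectClass: posixAccount

dn: cn=test-auth,dc=test,dc=com
objectClass: posixGroup
cn: test-auth
userPassword:: e2NyeXB0fXg=
memberUid: skimeer
memberUid: bikash
memberUid:: ZGM9aG9tZV90ZXN0LGRjPXNjaG5hZ2UsZGM9Y29tCQ==
memberUid: home_test

dn: cn=other,dc=test,dc=com
objectClass: organizationalRole
cn: other
memberUid: skimeer
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into (dn, attrs): unfolds continuation lines, skips '#'
    comments, decodes 'attr:: <base64>' to raw bytes, drops dn-less trailers."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # RFC 2849 line folding
        else:
            lines.append(raw)
    entries: List[Entry] = []
    dn: Optional[str] = None
    attrs: Dict[str, List[bytes]] = {}
    for line in lines + [""]:  # sentinel flushes the final entry
        if line.startswith("#"):
            continue
        if not line:
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            raw = base64.b64decode(value[1:].strip())
        else:  # 'attr: <plain value>'
            raw = value.strip().encode("utf-8")
        if name == "dn":
            dn = raw.decode("utf-8")
        else:
            attrs.setdefault(name, []).append(raw)
    return entries


def bad_ia5_values(entries: List[Entry], attr: str = "memberUid") -> List[Tuple[str, bytes]]:
    """(dn, value) for every value of attr outside printable 7-bit ASCII
    (0x20..0x7E); the tab at the end of the thread's value trips this."""
    return [(dn, v) for dn, attrs in entries for v in attrs.get(attr, [])
            if any(b < 0x20 or b > 0x7E for b in v)]


def groups_for_uid(entries: List[Entry], uid: str,
                   object_class: Optional[str] = "posixGroup") -> List[str]:
    """Evaluate (&(objectClass=<object_class>)(memberUid=<uid>)), or with
    object_class=None the wildcard form (&(cn=*)(memberUid=<uid>)).
    objectClass matches case-insensitively; memberUid matches exactly."""
    wanted = uid.encode("utf-8")
    found = []
    for dn, attrs in entries:
        if object_class is None:
            selected = "cn" in attrs  # presence filter, as (cn=*) does
        else:
            classes = {c.decode("utf-8").lower() for c in attrs.get("objectClass", [])}
            selected = object_class.lower() in classes
        if selected and wanted in attrs.get("memberUid", []):
            found.append(dn)
    return found


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, value in bad_ia5_values(entries):
        print(f"dirty memberUid in {dn}: {value!r}")
    print("objectClass filter:", groups_for_uid(entries, "skimeer"))
    print("cn=* filter:       ", groups_for_uid(entries, "skimeer", None))
```

Running it shows the hidden value as dc=home_test,dc=schnage,dc=com followed by a tab, which is the unprintable character that forced ldapsearch to base64-encode it, and shows the wildcard filter also returning the non-group cn=other entry while the objectClass filter returns only cn=test-auth. Pipe real `slapcat` output into `parse_ldif` to run the same check against a live database before the slapadd step above.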
 
Old 10-16-2012, 01:02 AM   #14
skimeer
Hey Matt,

Great, I have followed your procedure for backup/restore. After that the search for the group dn for users worked fine.

Code:
[root@test ~]# ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(cn=test-auth)(memberUid=skimeer))" dn
# extended LDIF
#
# LDAPv3
# base <dc=test-auth,dc=com> with scope subtree
# filter: (&(cn=test-auth)(memberUid=skimeer))
# requesting: dn
#

# test-auth, test.com
dn: cn=test-auth,dc=test,dc=com

# search result
search: 2
result: 0 Success
Thanks a lot.

I will check for su stuff and update you.
 
Old 10-17-2012, 08:10 AM   #15
skimeer
Thanks to Matt and bathory for your inputs, I am able to list the groups to which a user belongs:

Code:
ldapsearch -h 127.0.0.1 -x -b "dc=test,dc=com" "(&(cn=*)(memberUid=skimeer))" dn
 
  

