Topic on Extension talk:LDAP Authentication

authenticate against dynamic group

2 (talkcontribs)

Hi Ryan and all,

I am new to Linux and LDAP, but have an embedded software background and have been learning lots in the last 2 weeks.

I am trying to get MediaWiki LDAP extension 1.2d to authenticate against a dynamic OpenLDAP group. We want a dynamic group because it seems to make sense to control all our apps through a couple of flags in the user profile; the dynamic groups are populated based on the flags.

I have looked at the source and the logs. Things are working fine through the proxy user bind, the user search in the static user tree, and the user password bind. However, because the LDAP search does not return results for a filter like "member=uid=john,ou=users,dc=example,dc=com", the searchGroups routine does not find that the user belongs to any groups.

I have confirmed this behaviour of my OpenLDAP v2.4.23, using command line ldapsearch. The members show up if I don't filter, but don't if I try to filter.

I have another LDAP client application that also tries to search groups the same way you do. I changed it and got it to work by fetching all the members from the required group, and then matching the current login against the user list.

My question is, is my problem caused by my use of dynamic groups instead of static groups (dynlist overlay with full DN in member attributes)? Or is the LDAP supposed to find members with the member= filter, and for some reason my setup isn't? Should the code work with dynamic groups?

Thanks, Gregory Fung

Ryan lane (talkcontribs)

The way that groups work in the plugin likely means that this will not work with dynamic groups. There are two ways to do group searching: start with the group, and work your way up and down nested groups, or search for user groups, and work your way up the groups; I do the latter. It's slightly more efficient, but also means you'll get issues like this.

Maybe I'll add support for both search methods. I don't have much time to add features to this extension any more, so if you send a patch for the alternative search method, I'll accept it.

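The group-first check described in both posts above (read the group's member values without a filter, then match the login DN locally), as an added example that is not code from the extension or from either poster. The function names, the `cn=wiki` group DN and the sample member values are constructed; the comparison assumes every naming attribute is case-insensitive and does not handle multi-valued RDNs.

```python
def split_rdns(dn):
    """Split a DN on unescaped commas; RFC 4514 writes a literal comma as '\\,'."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def normalize_dn(dn):
    """Canonical form for comparison. Assumption: case-insensitive naming attributes."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % rdn)
        rdns.append(attr.strip().lower() + "=" + " ".join(value.split()).lower())
    return ",".join(rdns)

def user_in_group(read_members, group_dn, user_dn):
    """Read the group's member values and match locally; any error denies access."""
    try:
        wanted = normalize_dn(user_dn)
        members = read_members(group_dn)
    except (ValueError, LookupError, OSError):
        return False
    for member in members:
        try:
            if normalize_dn(member) == wanted:
                return True
        except ValueError:
            continue  # skip unparsable member values instead of guessing
    return False

# Constructed sample standing in for an unfiltered read of each group entry.
SAMPLE_GROUPS = {"cn=wiki,ou=groups,dc=example,dc=com": [
    "uid=john,ou=users,dc=example,dc=com",
    "UID=Mary, OU=Users, DC=Example, DC=Com",
]}

def read_sample_members(group_dn):
    return SAMPLE_GROUPS[group_dn]  # KeyError for an unknown group
```

In a real deployment `read_members` would wrap a read of the group entry that requests only its `member` attribute; the whole-DN comparison keeps a login such as `uid=jo` from matching `uid=john`.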