OpenLDAP unable to pull in group memberships

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

Hey Folks, I’m attempting to pull in LDAP groups and memberships via the OpenLDAP connector and also have those memberships appear as isMemberOf attributes on the link. After aggregation/refresh, I’m able to see that the groups I’m filtering for are successfully added to the Entitlements Catalog, but it’s missing the memberships, and I’m at a loss as to why.

Here’s my group search dn:


<entry key="group.searchDNs">
  <value>
    <List>
      <Map>
        <entry key="iterateSearchFilter" value="objectClass=groupOfMembers"/>
        <entry key="objectType" value="group"/>
        <entry key="searchDN" value="cn=TEST Group,ou=Groups,o=orgname.org,o=orgname"/>
        <entry key="searchScope" value="SUBTREE"/>
      </Map>
    </List>
  </value>
</entry>

Here’s my Group Schema:


<Schema displayAttribute="cn" featuresString="PROVISIONING" identityAttribute="dn" nativeObjectType="groupOfMembers" objectType="group">
  <AttributeDefinition name="cn" type="string"/>
  <AttributeDefinition name="dn" type="string"/>
  <AttributeDefinition name="description" type="string"/>
  <AttributeDefinition multi="true" name="isMemberOf" type="string"/>
  <Attributes>
    <Map>
      <entry key="groupMemberAttribute" value="isMemberOf"/>
      <entry key="memberAttribute" value="dn"/>
    </Map>
  </Attributes>
</Schema>

Here’s my account schema attribute:


<Schema displayAttribute="cn" identityAttribute="dn" nativeObjectType="inetOrgPerson" objectType="account">
  <AttributeDefinition multi="true" name="isMemberOf" type="string"/>
</Schema>

I’ve tried various permutations of the following:
• Group/App Schema attribute as: isMemberOf, member, memberOf
• App Schema attribute Type as: group, string

The best I’ve been able to achieve is the result described above. Does anyone with experience with this connector have further suggestions?

Thanks,
Tom

Hi @tm1819,

Usually, I have seen people using the memberOf attribute instead of the isMemberOf attribute for OpenLDAP.

With respect to the group search DN: are you looking for all the groups in TEST Group? Otherwise, change it to something like below.

<entry key="searchDN" value="ou=Groups,o=orgname.org,o=orgname"/>

With respect to the Group Schema: are the members of the group displayed in the isMemberOf attribute? Usually, the memberOf attribute is used for displaying groups on the user, and the member attribute is used to display members in a group.

I have this working in my PoC IIQ environment with OpenLDAP:

In my account schema I have:

      <AttributeDefinition entitlement="true" managed="true" multi="true" name="groups" schemaObjectType="group" type="string">
        <Description>List of groups a user is a member</Description>
      </AttributeDefinition>
      <AttributeDefinition entitlement="true" managed="true" multi="true" name="posixgroups" schemaObjectType="posixgroup" type="string">
        <Description>List of posix groups a user is a member</Description>
      </AttributeDefinition>
      <AttributeDefinition entitlement="true" managed="true" multi="true" name="nisNetgroups" schemaObjectType="nisNetgroup" type="string">
        <Description>List of nisnet groups a user is a member</Description>
      </AttributeDefinition>

The group schema (for posixgroup, the only group type I have used in the demo):

    <Schema aggregationType="group"  descriptionAttribute="" displayAttribute="cn" featuresString="PROVISIONING" identityAttribute="dn" instanceAttribute="" nativeObjectType="posixgroup" objectType="posixgroup">
      <AttributeDefinition name="cn" type="string">
        <Description>common name(s) for which the entity is known by</Description>
      </AttributeDefinition>
      <AttributeDefinition multi="true" name="memberUid" type="string">
        <Description>unique member of a posixGroup</Description>
      </AttributeDefinition>
      <AttributeDefinition name="dn" type="string">
        <Description>Directory Path</Description>
      </AttributeDefinition>
      <AttributeDefinition name="gidNumber" type="string">
        <Description>Group ID</Description>
      </AttributeDefinition>
      <AttributeDefinition name="description" type="string">
        <Description>descriptive information</Description>
      </AttributeDefinition>
      <Attributes>
        <Map>
          <entry key="groupMemberAttribute" value="memberUid"/>
          <entry key="memberAttribute">
            <value>
              <List>
                <String>cn</String>
                <String>uid</String>
              </List>
            </value>
          </entry>
        </Map>
      </Attributes>
    </Schema>

And the SearchDN:

      <entry key="posixgroup.searchDNs">
        <value>
          <List>
            <Map>
              <entry key="iterateSearchFilter"/>
              <entry key="objectType" value="posixgroup"/>
              <entry key="searchDN" value="ou=groups,dc=nodomain"/>
              <entry key="searchScope" value="SUBTREE"/>
            </Map>
          </List>
        </value>
      </entry>

I hope this example is enough, if not let us know :slight_smile:

– Remold


Thanks folks,

I wanted to clarify my situation further by sharing the LDIF for the group I’m targeting:

version: 1

dn: cn=TEST Group,ou=Groups,o=orgname.org,o=orgname
objectClass: groupofmembers
objectClass: top
cn: TEST Group
description: Test Group for Testing
member: uid=testuser1,ou=People,o=orgname.org,o=orgname
member: uid=testuser2,ou=People,o=orgname.org,o=orgname
member: uid=testuser3,ou=people,o=orgname.org,o=orgname

And this is the LDIF for a user who is a member of that group:

version: 1

dn: uid=testuser1,ou=People,o=orgname.org,o=orgname
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: First Last
sn: Last
givenName: First
isMemberOf: cn=test group,ou=groups,o=orgname.org,o=orgname
isMemberOf: cn=another group,ou=groups,o=orgname.org,o=orgname
mail: [email protected]
telephoneNumber: +1 123 555 5555
uid: testuser1

@Jarin_James :
I tested with memberOf, but the result is the same.
Re. search dn: I’m looking to add the group “TEST Group”, and the members therein.
Re. isMemberOf, YES, the group is displayed in the isMemberOf on the user, e.g. testuser1.

Thanks for the reply. I think posix group is different. Looking at the docs, posixgroup looks for memberUid. The docs don’t really specify what to do in case of regular groups and isMemberOf.

Do you think it’s worth trying anyway as a posixgroup? I’m happy to give it a shot.
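The two LDIFs above show the membership from both sides of the directory: the group's `member` values and the user's `isMemberOf` values. The script below is an added example (not part of this thread and not the IIQ connector's code) that parses both entries and reports which (user, group) pairs agree, which appear only on the group object, and which appear only on the user object. The LDIF strings are constructed from the posted entries; `parse_ldif`, `normalize_dn` and `reconcile` are names chosen for this example, and the DN normalisation is a deliberate simplification (lower-case and trim each RDN, not a full RFC 4514 normaliser) that is enough for the case differences visible in the posted LDIF (`ou=People` vs `ou=people`, `cn=TEST Group` vs `cn=test group`).

```python
"""Cross-check group membership from both sides of the directory.

Added example, not from the thread and not the IIQ connector's code. The two
LDIF strings are constructed from the entries posted above (trimmed). The
parser handles only plain 'attr: value' lines plus folded continuation lines;
base64 ('::') values are not decoded. DN comparison is a simplified assumption:
RDN names and values are lower-cased and trimmed, which is not a full RFC 4514
normaliser but covers the case differences visible in the posted LDIF.
"""
from collections import defaultdict

GROUP_LDIF = """\
version: 1

dn: cn=TEST Group,ou=Groups,o=orgname.org,o=orgname
objectClass: groupofmembers
objectClass: top
cn: TEST Group
description: Test Group for Testing
member: uid=testuser1,ou=People,o=orgname.org,o=orgname
member: uid=testuser2,ou=People,o=orgname.org,o=orgname
member: uid=testuser3,ou=people,o=orgname.org,o=orgname
"""

USER_LDIF = """\
version: 1

dn: uid=testuser1,ou=People,o=orgname.org,o=orgname
objectClass: inetOrgPerson
objectClass: top
cn: First Last
isMemberOf: cn=test group,ou=groups,o=orgname.org,o=orgname
isMemberOf: cn=another group,ou=groups,o=orgname.org,o=orgname
uid: testuser1
"""


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute name -> values.

    Attribute names are case-insensitive in LDAP, so keys are folded to lower
    case ('isMemberOf' is stored under 'ismemberof'); values are kept as-is.
    """
    entries, current, last_attr = [], None, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last_attr = None, None
            continue
        if line.startswith(("version:", "#")):   # LDIF header / comment
            continue
        if line.startswith(" ") and last_attr:   # folded continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        last_attr = attr.strip().lower()
        current[last_attr].append(value.strip())
    if current is not None:
        entries.append(current)
    return entries


def normalize_dn(dn):
    """Simplified DN normalisation: lower-case and trim each 'name=value' RDN."""
    parts = []
    for rdn in dn.split(","):
        name, _, value = rdn.partition("=")
        parts.append(f"{name.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def reconcile(group_entries, user_entries, member_attr="member",
              user_attr="isMemberOf", normalize=True):
    """Compare group-side 'member' values with user-side 'isMemberOf' values.

    Returns three sets of (user_dn, group_dn) pairs: seen on both sides, seen
    only on the group object, seen only on the user object. Pairs are scoped to
    the users and groups actually present in the input, so a group that was
    never aggregated does not show up as a user-only discrepancy.
    """
    norm = normalize_dn if normalize else (lambda dn: dn)
    member_attr, user_attr = member_attr.lower(), user_attr.lower()

    known_users = {norm(u["dn"][0]) for u in user_entries}
    known_groups = {norm(g["dn"][0]) for g in group_entries}

    from_groups = {(norm(m), norm(g["dn"][0]))
                   for g in group_entries for m in g.get(member_attr, [])}
    from_users = {(norm(u["dn"][0]), norm(gdn))
                  for u in user_entries for gdn in u.get(user_attr, [])}

    from_groups = {p for p in from_groups if p[0] in known_users}
    from_users = {p for p in from_users if p[1] in known_groups}
    return (from_groups & from_users,
            from_groups - from_users,
            from_users - from_groups)


if __name__ == "__main__":
    groups, users = parse_ldif(GROUP_LDIF), parse_ldif(USER_LDIF)
    for label, normalize in (("normalised DNs", True), ("exact strings", False)):
        both, group_only, user_only = reconcile(groups, users, normalize=normalize)
        print(f"{label}: {len(both)} consistent, {len(group_only)} group-only, "
              f"{len(user_only)} user-only")
```

Run with normalised DNs, the posted entries agree on the single (testuser1, TEST Group) pair. Run with exact string comparison, the same pair survives only on the group side, because the user's `isMemberOf` value (`cn=test group,ou=groups,...`) is not byte-identical to the group's DN (`cn=TEST Group,ou=Groups,...`). Whether the connector compares DNs exactly is not something this thread establishes; the script only makes the discrepancy between the two views measurable before trusting what an aggregation reports.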

@tm1819

I believe you should change your group schema to something like this:

<Schema displayAttribute="cn" featuresString="PROVISIONING" identityAttribute="dn" nativeObjectType="isMemberOf" objectType="group">
  <AttributeDefinition name="cn" type="string"/>
  <AttributeDefinition name="dn" type="string"/>
  <AttributeDefinition name="description" type="string"/>
  <AttributeDefinition multi="true" name="member" type="string"/>
  <Attributes>
    <Map>
      <entry key="groupMemberAttribute" value="member"/>
      <entry key="memberAttribute" value="dn"/>
    </Map>
  </Attributes>
</Schema>

and the account schema like this:

<Schema displayAttribute="cn" identityAttribute="dn" nativeObjectType="inetOrgPerson" objectType="account">
  <AttributeDefinition entitlement="true" managed="true" multi="true" name="isMemberOf" schemaObjectType="isMemberOf" type="string"/>
</Schema>

Did you try this? If not, can you try it and let me know the result?

Thanks, but this also did not work. It created the entitlement in the entitlements catalog, but no memberships added, and the attribute field is blank. Checked the identity, and nothing showed up under entitlements.

Appreciate everyone’s help so far. This is a tricky one for sure.

Hi @tm1819 ,
This is what I found in the documentation. Did you try it already?

Will you be able to share a screenshot of the account directly from LDAP showing the attribute names (you can hide the sensitive information)?

I was reading this other topic, and was wondering if the solution found there might not help out with your issue here: Unable to get membership group after aggregation - #2 by ismaelmoreno1

I believe the main issue here is that it is not currently working with “groupOfMembers”, which is different from “groupOfUniqueNames”, “posixGroup”, “group” and “nisNetGroup”.

Does anyone else have experience using “groupOfMembers”?
