
What is the LDAP group object type?

Open pavanfhw opened this issue 3 years ago • 5 comments

Describe your question/

I am using Authentik LDAP outpost. I am configuring LDAP authentication on a service and it has a variable called AUTH_LDAP_GROUP_TYPE so it can search groups. I tried using the values from example configurations and tutorials, but it is not working. And I don't know how to get this information via CLI like ldapsearch.

Version and Deployment (please complete the following information):

  • authentik version: 2022.4.1
  • Deployment: helm

pavanfhw avatar May 13 '22 12:05 pavanfhw

Maybe it would help if you could add some information about which service you want to connect, as it seems to be something which comes from the service.

At least a quick Google search shows https://stackoverflow.com/questions/6356705/mapping-ldap-users-to-django-users-with-django-auth-ldap. Maybe it will already point you in the right direction?

BobSilent avatar May 24 '22 08:05 BobSilent

The service is NetBox. Which uses Django Auth LDAP.

The LDAP configuration has the two values:

AUTH_LDAP_GROUP_SEARCH_CLASS=""
AUTH_LDAP_GROUP_TYPE=""

The LDAP search of a group returns:

objectClass: group
objectClass: groupOfUniqueNames
objectClass: goauthentik.io/ldap/group

These are the classes; I need to know the type. I tried values like GroupOfUniqueNamesType, GroupType, etc.

Searching about this it seems the group type is very arbitrary. For example in the stackoverflow link, an answer says that with Open Directory you have to use PosixGroupType(name_attr='cn').

pavanfhw avatar Jun 02 '22 15:06 pavanfhw

The LDAP schema of the outpost is roughly based on RFC-2307Bis. A user's groups are listed as memberOf attribute which contains the full DN to the group.

Groups contain a member attribute with the Full DN of each user.

MemberDNGroupType('member') should work for your use case

(I also did just notice a small contradiction, since we use objectClass: groupOfUniqueNames but then use the member attribute not uniqueMember so that should probably be fixed)

BeryJu avatar Jun 02 '22 15:06 BeryJu
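
An added illustration (not part of the thread, and not authentik or django-auth-ldap code) of the mismatch noted in the comment above: a group lookup keyed on `uniqueMember`, which the `groupOfUniqueNames` object class would suggest, finds nothing, while one keyed on `member` finds the group. The DNs and the group entry are constructed sample data, the helper names are hypothetical, and DN matching is simplified to a case-insensitive string comparison.

```python
# Added example: models the lookup a member-DN style group search performs.
# All DNs and entries below are constructed sample data.

def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))  # e.g. '*' -> \2a
        else:
            out.append(ch)
    return ''.join(out)


def membership_filter(user_dn, member_attr, object_class="group"):
    """Search filter selecting groups that list user_dn in member_attr."""
    return "(&(objectClass=%s)(%s=%s))" % (
        object_class, member_attr, escape_filter_value(user_dn))


def groups_for(user_dn, group_entries, member_attr):
    """Return the cn of every group whose member_attr contains user_dn.

    Assumption: DN comparison is reduced to a case-insensitive string match.
    """
    wanted = user_dn.casefold()
    found = []
    for _dn, attrs in group_entries:
        members = [m.casefold() for m in attrs.get(member_attr, [])]
        if wanted in members:
            found.extend(attrs.get("cn", []))
    return found


USER_DN = "cn=alice,ou=users,dc=example,dc=org"  # constructed
GROUPS = [  # constructed entry shaped like the search result quoted in the thread
    ("cn=netbox-admins,ou=groups,dc=example,dc=org", {
        "objectClass": ["group", "groupOfUniqueNames", "goauthentik.io/ldap/group"],
        "cn": ["netbox-admins"],
        "member": [USER_DN],  # full user DN; there is no uniqueMember attribute
    }),
]

if __name__ == "__main__":
    for attr in ("uniqueMember", "member"):
        print(attr, membership_filter(USER_DN, attr), groups_for(USER_DN, GROUPS, attr))
```

The filter string printed for `member` can be passed to ldapsearch against the outpost to confirm which attribute actually carries the membership.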

Using MemberDNGroupType('member') causes the error:

<class 'django.core.exceptions.ImproperlyConfigured'>

AUTH_LDAP_GROUP_TYPE must be an LDAPGroupType instance.

pavanfhw avatar Jun 06 '22 14:06 pavanfhw

@BeryJu what can I do to debug this?

pavanfhw avatar Jul 26 '22 15:07 pavanfhw

@pavanfhw - did you ever get this working? I'm trying to set up AWX which also uses django-auth-ldap and I'm running into the same issue.

rinseaid avatar Oct 04 '23 20:10 rinseaid

@rinseaid unfortunately not. We settled for using local auth. For AWX we use SAML, which I recommend

FelipePavan avatar Oct 04 '23 20:10 FelipePavan

@FelipePavan thank you - I will try SAML. I might keep messing with LDAP and update here if I figure it out.

rinseaid avatar Oct 04 '23 21:10 rinseaid

https://django-auth-ldap.readthedocs.io/en/latest/groups.html#finding-groups

BeryJu avatar Mar 28 '24 17:03 BeryJu