
Creating Admin Role for an existing user

Open gauravpathak opened this issue 6 years ago • 8 comments

Hi @kakwa, I am trying to log in to ldapcherry as admin but I am not getting any idea about it. I want to create and delete users from an admin account. Currently, I am able to log in as a normal user.

I have already set up an openldap server; I have used phpldapadmin to set up some users, groups and an organizational unit. The structure is something like below:

[Screenshot from 2019-04-18 13-46-09]

How should I add or use an admin account for ldapcherry?

gauravpathak avatar Apr 18 '19 08:04 gauravpathak

Create the LDAPCherry Admin role in /etc/ldapcherry/roles.yml

For example:

hello_world_admin_role:
    display_name: Hello_World_Admin_Users
    description: Hello World Admin Users
    LC_admins: True
    backends_groups:
        ad:
            - hello-world

  • Ensure the hello-world group has been created in your LDAP server
  • Add the user that you would like to use as an LDAPCherry admin user to this group

This has been mentioned in the docs.

https://ldapcherry.readthedocs.io/en/latest/deploy.html#defining-ldapcherry-administrator-role

Note: I am using Active Directory. My backend group name is "ad". You may have to use the ldap server variable name defined in /etc/ldapcherry/ldapcherry.ini

vishwakumba avatar Apr 30 '19 12:04 vishwakumba

Hi @vishwakumba, I tried your suggestions and created a new group "AdminGroup" and a user "ldap.admin" in it.

Here is the "roles.yml" file for it:

admin-lv3:
    display_name: Administrators Level 3
    description: Super administrators of the system
    LC_admins: True
    backends_groups:
        ldap:
            - cn=admin,cn=AdminGroup,ou=team-xebrium,dc=connect,dc=xebrium,dc=com
#        ad:
#            - Administrators
#            - Group Policy Creator Owners
#            - Enterprise Admins
#            - Schema Admins
#            - Domain Admins

admin-lv2:
    display_name: Administrators Level 2
    description: Basic administrators of the system
    backends_groups:
        ldap:
            - cn=india-group,ou=team-xebrium,dc=connect,dc=xebrium,dc=com
#        ad:
#            - Administrators

developpers:
    display_name: Developpers
    description: Developpers of the system
    backends_groups:
        ldap:
            - cn=developpers,ou=Group,dc=example,dc=org
            - cn=users,ou=Group,dc=example,dc=org

users:
    display_name: Simple Users
    description: Basic users of the system
    backends_groups:
        ldap:
            - cn=india-group,ou=team-xebrium

But it didn't work. If I set "auth.mode = 'none'" then all users get administrator rights.

I also tried setting groups like below with no luck:

admin-lv3:
    display_name: Administrators Level 3
    description: Super administrators of the system
    LC_admins: True
    backends_groups:
        ldap:
            - AdminGroup

gauravpathak avatar May 02 '19 12:05 gauravpathak

May I ask which LDAP server, operating system and Python version you are using? I use Python 2.7.5, CentOS 7.2 and AWS Directory Service (Microsoft Active Directory), and the Active Directory backend works fine for me.

Note: I had to make a small change in the active directory backend (base dn and user dn path) as I am using AWS Directory Service.

vishwakumba avatar May 02 '19 13:05 vishwakumba

I am using openldap-2.4.42 on Ubuntu 16.04.6 with Python 3.5.2.

gauravpathak avatar May 03 '19 04:05 gauravpathak

Hello,

Sorry for the delay. There is no notion of an "admin" account in ldapcherry; what you have instead is "ldapcherry admins": basically you set LC_admins: True on one of the roles, and the users having this role (i.e., being members of all the groups of that role) will have admin rights in ldapcherry (add/delete/fully modify users).

That being said, there is a bit of a chicken-and-egg problem when the ldap is first created: you need an admin user to connect to ldapcherry to create an admin user. For that, either create one manually with ldapadd or something like that, or alternatively disable the authentication on ldapcherry:

[auth]
auth.mode = 'none'

Just be cautious to restrict it somewhat.

To simplify bootstrapping, I'm thinking of creating a companion CLI tool running locally to create users, but it would require some restructuring of the code to better separate role/group/backends/attributes management and the web part.

For troubleshooting the issue, you can launch ldapcherry in debug mode (-D); it should display the roles and the groups of the user you are logging in with. I'm not sure what the layout of your ldap is for the group part, but you may need to tweak ldap.group_filter_tmpl and ldap.groupdn depending on your deployment.

As for testing, personally I use OpenLdap for the ldap backend, and Samba 4 for the AD backend.

kakwa avatar May 03 '19 09:05 kakwa
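As an added illustration of the rule kakwa describes (a user holds a role when they are a member of every group the role lists for each backend, and a held role with LC_admins: True makes them an ldapcherry admin), the snippet below resolves roles from the per-backend group list that debug mode prints. This is example code written for this thread, not ldapcherry's own implementation; the role table is a trimmed copy of the roles.yml posted above, and the "unusedgroups" bookkeeping mirrors the shape of the debug output rather than any documented API.

```python
"""Role resolution in the style of LDAPCherry's roles.yml (added example).

Rule modelled: a role is held when the user belongs to all groups listed
under every backend of that role; LC_admins on any held role => admin.
"""
from typing import Dict, List, Set

# Role definitions in the shape of roles.yml (copied from the thread, trimmed).
ROLES: Dict[str, dict] = {
    "admin-lv3": {
        "display_name": "Administrators Level 3",
        "LC_admins": True,
        "backends_groups": {
            "ldap": ["cn=admin,cn=AdminGroup,ou=team-xebrium,dc=connect,dc=xebrium,dc=com"],
        },
    },
    "admin-lv2": {
        "display_name": "Administrators Level 2",
        "backends_groups": {
            "ldap": ["cn=india-group,ou=team-xebrium,dc=connect,dc=xebrium,dc=com"],
        },
    },
    "users": {
        "display_name": "Simple Users",
        "backends_groups": {
            "ldap": ["cn=india-group,ou=team-xebrium,dc=connect,dc=xebrium,dc=com"],
        },
    },
}


def resolve_roles(roles: Dict[str, dict], user_groups: Dict[str, List[str]]) -> dict:
    """Return the roles a user holds and the groups no held role explains.

    user_groups maps backend name -> groups the backend returned for the
    user, i.e. what `ldapcherry -D` prints as "groups: {...}". An empty
    list (the symptom in this thread) can never satisfy a role that lists
    at least one group, so no roles are held and LC_admins never applies.
    """
    held: Set[str] = set()
    used: Dict[str, Set[str]] = {}
    for name, role in roles.items():
        required = role.get("backends_groups", {})
        # Every group of every backend listed for the role must be present.
        # (A role listing no groups at all would be held by everyone; the
        # thread does not cover that case, so it is left as-is here.)
        if all(
            set(groups) <= set(user_groups.get(backend, []))
            for backend, groups in required.items()
        ):
            held.add(name)
            for backend, groups in required.items():
                used.setdefault(backend, set()).update(groups)
    unused = {
        backend: sorted(set(groups) - used.get(backend, set()))
        for backend, groups in user_groups.items()
    }
    return {"roles": held, "unusedgroups": unused}


def is_lc_admin(roles: Dict[str, dict], user_groups: Dict[str, List[str]]) -> bool:
    """True when at least one held role carries LC_admins: True."""
    held = resolve_roles(roles, user_groups)["roles"]
    return any(roles[r].get("LC_admins", False) for r in held)


if __name__ == "__main__":
    # The situation reported later in the thread: backend returned no groups.
    print(resolve_roles(ROLES, {"ldap": []}))  # roles: set(), nothing is admin
```

The practical check this gives you: if the debug line shows `groups: {'ldap': []}`, the problem is upstream of roles.yml (the group lookup), and no amount of editing the role file will produce an admin.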

@kakwa Thanks a lot for your reply.

I was also a bit suspicious about ldap.group_filter_tmpl and ldap.groupdn. Whenever I launch ldapcherry in debug mode with the -D option and log in with any user, it is not able to pull the group details of the user, and for every user it shows:

user 'ldap.admin' groups: {'ldap': []}
user 'ldap.admin' roles: {'unusedgroups': {}, 'roles': set()}

I will try to change the filters for group and groupdn.

gauravpathak avatar May 03 '19 12:05 gauravpathak

Finally found a solution to my issue; hope this helps others as well. I used phpldapadmin initially to access the openldap server; the structure is shown above (https://user-images.githubusercontent.com/5787318/56347737-91e94d80-61e2-11e9-92a1-f713dfe70da5.png).

My issue was that upon login from the web console of ldapcherry using any username, ldapcherry was not able to fetch the group name of the user; due to this, the roles.yml file was not able to define any roles for users logged in from the web console.

I first created a separate group, viz. AdminGroup, created a POSIX user in that group and created a new attribute of the group, namely memberUid, using Add New Attribute inside the group details of phpldapadmin.

Then I added the desired users to that memberUid; after that I used ldap.group_filter_tmpl = '(&(cn=*)(memberUid=%(username)s))' inside the /etc/ldapcherry/ldapcherry.ini file.

This resolved my issue.

gauravpathak avatar May 03 '19 13:05 gauravpathak

Should this issue be marked as closed @kakwa?

smacz42 avatar Jul 13 '19 05:07 smacz42