
Due to the way a piece of software we use interacts with Unix, when I am setting up a certain application to interact with LDAP I need to use POSIX attributes instead of normal LDAP attributes.

So far all I have found is that for authentication.ldap.groupObjectClass I must use posixgroup instead of group and for authentication.ldap.userObjectClass I must use posixuser instead of user.

My question is, what about things like authentication.ldap.groupMembershipAttr, which I have to set to member, or authentication.ldap.usernameAttribute, which I have set to sAMAccountName? Is there some way I can query my LDAP schema to see my options for these settings?

Sorry if this is a ridiculous question. I'm a Hadoop admin and mostly interact with Unix so I don't have much experience with LDAP so I definitely am lacking understanding.

Let me attempt to give some more details. We're setting up an LDAP proxy and there is currently a bug in it, with the workaround being to use POSIX information.

For example, if I use the following search filter (&(objectCategory=group)(sAMAccountName=groupname)), occasionally a GUID, SID, and CN/OU path get output for the members instead of just CN=User,OU=my,OU=container,DC=my,DC=domain

If I use the search filter (&(objectclass=Posixgroup)(cn=groupname)), the only thing that comes across is the correct CN/OU/DC path and the bug is not encountered. Essentially I am trying to update Ambari (the management service for Hadoop) to use the correct LDAP settings that reflect what's used in this search filter, so that when users are synced the sync will not encounter the bug and fail.

Current user/group attributes and values

authentication.ldap.baseDn=DC=my,DC=domain,DC=com
authentication.ldap.bindAnonymously=false
authentication.ldap.dnAttribute=DC=my,DC=domain,DC=com
authentication.ldap.groupMembershipAttr=memberUid
authentication.ldap.groupNamingAttr=cn
authentication.ldap.groupObjectClass=posixgroup
authentication.ldap.managerDn=CN=username,OU=Application Accounts,DC=my,DC=domain,DC=com
authentication.ldap.managerPassword=/path/to/file
authentication.ldap.pagination.enabled=false
authentication.ldap.primaryUrl=my.ldap.proxy:389
authentication.ldap.referral=follow
authentication.ldap.secondaryUrl=my.ldap.proxy:389
authentication.ldap.useSSL=false
authentication.ldap.userObjectClass=posixuser
authentication.ldap.usernameAttribute=cn

Example of group LDAP string

CN=MYGROUP,OU=Groups,DC=my,DC=domain,DC=com

Example of user LDAP string

cn=username,ou=northamerica,ou=user accounts,dc=my,dc=domain,dc=com

Josh
  • If you want a way to browse your schema easily to help figure this out, JXplorer from jxplorer.org is a great utility and it is free and open source. – brent Mar 23 '18 at 13:43
  • I'm currently using ApacheDirectoryStudio but since I don't exactly know what I'm looking for it's a bit difficult. – Josh Mar 23 '18 at 13:46

1 Answer


LDAP's a bit of a complicated thing, so without knowing exactly what your directory server is or what application this is for, it's a bit out of scope to be able to recommend exactly what you need, but you could try cn for authentication.ldap.usernameAttribute and memberUid for authentication.ldap.groupMembershipAttr.

brent
  • What are the attributes/values on an example user and on an example group? Feel free to anonymize the values – brent Mar 23 '18 at 14:36
  • Changing to the values you suggested gives me the LDAP error `Caught exception running LDAP sync. [LDAP: error code 32 - No Such Object]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - No Such Object]; remaining name 'DC=my,DC=domain,DC=com'` – Josh Mar 23 '18 at 14:46
  • What are the actual attributes returned from the LDAP server for a group and a user? – brent Mar 23 '18 at 14:52
  • Is that not what I have below my configuration? – Josh Mar 23 '18 at 14:54
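The question asks how to read the schema to find the legal values for the attribute settings, and the answer proposes cn and memberUid; the following is an added worked example (not code from the page, from Ambari, or from either poster) that does both in one pass. It assumes you have dumped the objectClass definitions with ldapsearch: first read the subschemaSubentry attribute from the root DSE (`ldapsearch -x -H ldap://my.ldap.proxy:389 -s base -b '' subschemaSubentry`), then search that DN with `-s base '(objectClass=subschema)' objectClasses` and save the output. Bind with the same managerDn account Ambari uses so you see exactly what the sync will see, and keep in mind that with useSSL=false that bind sends the account password in the clear on port 389. The three schema lines below are constructed from the RFC 4512 definition of top and the RFC 2307 definitions of posixAccount and posixGroup, and the POSTED_CONFIG dictionary is built from the values in the question; the "looks like a DN" check on dnAttribute is my own heuristic, not an Ambari rule. RFC 2307 defines posixAccount rather than posixUser, so against this sample the checker reports posixuser as unknown; your own schema dump is authoritative for what your directory actually defines.

```python
import re
from dataclasses import dataclass

# Constructed sample input, in the folded LDIF form ldapsearch prints.
# 'top' is from RFC 4512; posixAccount and posixGroup are from RFC 2307.
SAMPLE_SCHEMA_LDIF = """\
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  DESC 'Abstraction of an account with POSIX attributes'
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
  MAY ( userPassword $ loginShell $ gecos $ description ) )
objectClasses: ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
  DESC 'Abstraction of a group of accounts'
  MUST ( cn $ gidNumber ) MAY ( userPassword $ memberUid $ description ) )
"""

# Values copied from the question's ambari.properties excerpt (constructed dict).
POSTED_CONFIG = {
    "authentication.ldap.dnAttribute": "DC=my,DC=domain,DC=com",
    "authentication.ldap.groupMembershipAttr": "memberUid",
    "authentication.ldap.groupNamingAttr": "cn",
    "authentication.ldap.groupObjectClass": "posixgroup",
    "authentication.ldap.userObjectClass": "posixuser",
    "authentication.ldap.usernameAttribute": "cn",
}


@dataclass
class ObjectClass:
    name: str
    sup: list   # parent classes (SUP)
    must: list  # mandatory attributes
    may: list   # optional attributes


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _names(field_text):
    # 'cn' or '( cn $ uid )' -> ['cn', 'uid']
    return [t for t in re.split(r"[\s$()]+", field_text) if t]


def parse_object_classes(ldif_text):
    """Parse objectClasses: lines into a dict keyed by lower-cased class name."""
    classes = {}
    for line in unfold_ldif(ldif_text):
        if not line.startswith("objectClasses:"):
            continue
        body = line.split(":", 1)[1]
        body = re.sub(r"DESC\s+'[^']*'", "", body)  # DESC text may contain keywords
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", body).group(1)

        def section(kw):
            m = re.search(rf"\b{kw}\s+(\([^)]*\)|\S+)", body)
            return _names(m.group(1)) if m else []

        classes[name.lower()] = ObjectClass(name, section("SUP"), section("MUST"), section("MAY"))
    return classes


def allowed_attributes(classes, class_name):
    """(must, may) for class_name including attributes inherited via SUP, or None if unknown.
    An AUXILIARY class such as posixAccount sits on an entry that also has a
    structural class, so the real entry may carry more attributes than listed here."""
    oc = classes.get(class_name.lower())
    if oc is None:
        return None
    must, may = set(oc.must), set(oc.may)
    for parent in oc.sup:
        inherited = allowed_attributes(classes, parent)
        if inherited:
            must |= set(inherited[0])
            may |= set(inherited[1])
    return sorted(must), sorted(may)


def check_ambari_config(config, classes):
    """Return a list of findings for attribute settings the schema does not support."""
    findings = []
    checks = [  # (attribute setting, objectClass setting it must belong to)
        ("authentication.ldap.usernameAttribute", "authentication.ldap.userObjectClass"),
        ("authentication.ldap.groupNamingAttr", "authentication.ldap.groupObjectClass"),
        ("authentication.ldap.groupMembershipAttr", "authentication.ldap.groupObjectClass"),
    ]
    for attr_key, class_key in checks:
        attr, oc_name = config.get(attr_key, ""), config.get(class_key, "")
        allowed = allowed_attributes(classes, oc_name)
        if allowed is None:
            findings.append(f"{class_key}={oc_name}: objectClass not found in schema")
            continue
        must, may = allowed
        if attr.lower() not in {a.lower() for a in must + may}:
            findings.append(f"{attr_key}={attr}: not MUST/MAY of {oc_name} (options: {', '.join(must + may)})")
    dn_attr = config.get("authentication.ldap.dnAttribute", "")
    if "=" in dn_attr:  # heuristic: an attribute name never contains '='
        findings.append(f"authentication.ldap.dnAttribute={dn_attr}: looks like a DN, expected an attribute name")
    return findings


if __name__ == "__main__":
    schema = parse_object_classes(SAMPLE_SCHEMA_LDIF)
    for oc in ("posixGroup", "posixAccount"):
        print(oc, allowed_attributes(schema, oc))
    for finding in check_ambari_config(POSTED_CONFIG, schema):
        print("FINDING:", finding)
```

Run it against your real dump by reading the saved ldapsearch output into `parse_object_classes` in place of the sample string; the checker then tells you, for each Ambari attribute setting, whether the named objectClass defines that attribute and which ones it could use instead (for posixGroup that is memberUid, never member).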