Question

I'm trying to move our current web-apps to retrieve roles and authentication against an openLDAP system. I'm having a bit of an issue with dynamic groups (groupOfURLs) and openLDAP. I'm using OpenLDAP 2.4.33 and Spring 3.2.

I've got my authentication working successfully, however now I'm having an issue in setting up a system to use dynamic groups for roles using the dynamic group overlay.

On the Spring side, I'm attempting to use a DefaultLdapAuthoritiesPopulator with a groupSearchFilter = "(member={0})". The issue I'm having is that Spring does not find any members in my dynamic group, however it can find members of static groups (groupOfNames).

This doesn't seem to be a Spring issue as I have the same issue using the ldapsearch command. The issue I'm having is best illustrated by example.

I'm using the following LDIF

dn: ou=Groups,dc=myapp,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups


dn: ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users


dn: uid=userA,ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: userA
cn: test-forename
sn: test-surname
mail: userA@mail.com
userPassword:: e1NTSEF9bVpJVGxZRlFYdnhBemhLQkdxWll0VnlRQjRUdjBaelhEZkpaZnc9PQ==


dn: uid=userB,ou=Users,dc=myapp,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: userB
cn: test-forename
sn: test-surname
mail: userB@mail.com
userPassword:: e1NTSEF9bVpJVGxZRlFYdnhBemhLQkdxWll0VnlRQjRUdjBaelhEZkpaZnc9PQ==


dn: cn=DynamicGroup,ou=Groups,dc=myapp,dc=com
cn: DynamicGroup
objectClass: top
objectClass: groupOfURLs
ou: Groups
memberURL: ldap:///ou=Users,dc=myapp,dc=com??sub?mail=userA@mail.com


dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
cn: StaticGroup
objectClass: top
objectClass: groupofnames
ou: Groups
member: uid=userA,ou=Users,dc=myapp,dc=com

This creates two users and two groups, one static and one dynamic.

If I do a simple search I get

ldapsearch.exe -v -x -h localhost -p 389 -D "cn=admin,dc=myapp,dc=com" -w secret -LL -b "ou=Groups,dc=myapp,dc=com" "(objectClass=*)" dn member 

In this I'm searching using ("(objectClass=*)" dn member), and I get the following result

ldap_initialize( ldap://localhost:389 )
filter: (objectClass=*)
requesting: dn member
version: 1

dn: ou=Groups,dc=myapp,dc=com

dn: cn=DynamicGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com
member: uid=userA,ou=Users,dc=myapp,dc=com
member: uid=userB,ou=Users,dc=myapp,dc=com

dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com

Clearly this illustrates that the query returns results for both the static and dynamic group. This indicates that it is correctly configured and that it has an attribute member.

The issue that I have is when I add a filter on the member attributes.

ldapsearch.exe -v -x -h localhost -p 389 -D "cn=admin,dc=myapp,dc=com" -w secret -LL -b "ou=Groups,dc=myapp,dc=com" "(member=*)" dn member

In this case I'm applying the filter "(member=*)".

ldap_initialize( ldap://localhost:389 )
filter: (member=*)
requesting: dn member
version: 1

dn: cn=StaticGroup,ou=Groups,dc=myapp,dc=com
member: uid=dbunit,ou=Users,dc=myapp,dc=com

In this case all that is returned is the static group. It appears that the filter doesn't seem to have access to the member attribute.

Has anyone else come across this issue?

Any help would be appreciated.
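The behaviour above, as an added example that is not part of the question, OpenLDAP or Spring: a toy model of a dynlist-style overlay built from the question's LDIF. It shows why the filter stage never sees the computed member attribute, and a membership check that reads the expanded group entries instead (entry names and the in_scope/matches helpers are constructed for the illustration).

```python
# Added example (not from the question, OpenLDAP or Spring): a toy model of why
# a (member=...) filter misses dynlist groups. Entries are constructed from the
# question's LDIF; "member" of a groupOfURLs is computed when the entry is
# returned, never stored, so the filter stage cannot see it.
USERS, GROUPS = "ou=Users,dc=myapp,dc=com", "ou=Groups,dc=myapp,dc=com"
ENTRIES = {  # constructed, trimmed from the question's LDIF
    "uid=userA," + USERS: {"objectClass": ["inetOrgPerson"], "mail": ["userA@mail.com"]},
    "uid=userB," + USERS: {"objectClass": ["inetOrgPerson"], "mail": ["userB@mail.com"]},
    "cn=DynamicGroup," + GROUPS: {"objectClass": ["groupOfURLs"],
        "memberURL": ["ldap:///ou=Users,dc=myapp,dc=com??sub?mail=userA@mail.com"]},
    "cn=StaticGroup," + GROUPS: {"objectClass": ["groupOfNames"], "member": ["uid=userA," + USERS]},
}

def matches(entry, flt):
    """Evaluate one equality or presence filter, e.g. (mail=x) or (member=*)."""
    attr, _, value = flt.strip("()").partition("=")
    vals = entry.get(attr, [])
    return bool(vals) if value == "*" else value in vals

def in_scope(dn, base, scope="sub"):
    if dn == base:
        return scope != "one"
    if not dn.endswith("," + base):
        return False
    return scope == "sub" or (scope == "one" and "," not in dn[: -len(base) - 1])

def expand(entry):
    """What the dynlist overlay does while returning a groupOfURLs entry: evaluate
    each memberURL (ldap:///base?attrs?scope?filter; host part assumed empty)."""
    if "groupOfURLs" not in entry["objectClass"]:
        return entry
    members = []
    for url in entry.get("memberURL", []):
        base, _, rest = url[len("ldap:///"):].partition("?")
        _attrs, scope, flt = (rest.split("?") + ["", ""])[:3]   # RFC 4516 defaults below
        members += [dn for dn, e in ENTRIES.items() if in_scope(dn, base, scope or "base")
                    and matches(e, flt or "(objectClass=*)")]
    return {**entry, "member": members}

def search(base, flt):
    """Model of slapd: the filter is tested against stored attributes first; only
    entries that pass are handed to the overlay, which adds the transient member."""
    return {dn: expand(e) for dn, e in ENTRIES.items() if in_scope(dn, base) and matches(e, flt)}

def user_groups(user_dn, groups_base=GROUPS):
    """Check that works for both group types: fetch the group entries (where the
    expansion happens) and test the returned member values, rather than relying
    on a (member=<dn>) search filter as DefaultLdapAuthoritiesPopulator does."""
    return sorted(dn for dn, e in search(groups_base, "(objectClass=*)").items()
                  if user_dn in e.get("member", []))
```

With this model, search(GROUPS, "(member=*)") returns only the static group, exactly as the second ldapsearch does, while user_groups("uid=userA," + USERS) lists both groups because it inspects the expanded entries rather than filtering on member.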


Solution

It's clear that this is not how dynamic groups work. In the end I decided to use static groups.

A good answer can be found at : stackoverflow.com/questions/4603570/openldap-dynlist-posixgroup

Licensed under: CC-BY-SA with attribution