ldap: made minor change to group search, and to docs

5fbe8eff · Torkel Ödegaard · c56ca57d · 5fbe8eff · 5fbe8eff · 5fbe8eff
Commit 5fbe8eff authored Sep 14, 2018 by Torkel Ödegaard
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 38 deletions

conf/ldap.toml
+3 -29

docs/sources/auth/ldap.md
+5 -3

pkg/login/ldap.go
+10 -6

No files found.
--- a/conf/ldap.toml
+++ b/conf/ldap.toml
@@ -31,37 +31,11 @@ search_filter = "(cn=%s)"
 # An array of base dns to search through
 search_base_dns = ["dc=grafana,dc=org"]
-# In POSIX LDAP schemas, without memberOf attribute a secondary query must be made for groups.
+## For Posix or LDAP setups that does not support member_of attribute you can define the below settings
-# This is done by enabling group_search_filter below. You must also set member_of= "cn"
+## Please check grafana LDAP docs for examples
-# in [servers.attributes] below.
-# Users with nested/recursive group membership and an LDAP server that supports LDAP_MATCHING_RULE_IN_CHAIN
-# can set group_search_filter, group_search_filter_user_attribute, group_search_base_dns and member_of
-# below in such a way that the user's recursive group membership is considered.
-#
-# Nested Groups + Active Directory (AD) Example:
-#
-#   AD groups store the Distinguished Names (DNs) of members, so your filter must
-#   recursively search your groups for the authenticating user's DN. For example:
-#
-#     group_search_filter = "(member:1.2.840.113556.1.4.1941:=%s)"
-#     group_search_filter_user_attribute = "distinguishedName"
-#     group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
-#
-#     [servers.attributes]
-#     ...
-#     member_of = "distinguishedName"
-## Group search filter, to retrieve the groups of which the user is a member (only set if memberOf attribute is not available)
 # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
-## Group search filter user attribute defines what user attribute gets substituted for %s in group_search_filter.
-## Defaults to the value of username in [server.attributes]
-## Valid options are any of your values in [servers.attributes]
-## If you are using nested groups you probably want to set this and member_of in
-## [servers.attributes] to "distinguishedName"
-# group_search_filter_user_attribute = "distinguishedName"
-## An array of the base DNs to search through for groups. Typically uses ou=groups
 # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+# group_search_filter_user_attribute = "uid"
 # Specify names of the ldap attributes your ldap uses
 [servers.attributes]

--- a/docs/sources/auth/ldap.md
+++ b/docs/sources/auth/ldap.md
@@ -121,9 +121,11 @@ If your ldap server does not support the memberOf attribute add these options:
 group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
 ## An array of the base DNs to search through for groups. Typically uses ou=groups
 group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
+## the %s in the search filter will be replaced with the attribute defined below
+group_search_filter_user_attribute = "uid"
 ```
-Also change set `member_of = "cn"` in the `[servers.attributes]` section.
+Also set `member_of = "dn"` in the `[servers.attributes]` section.
 ### Group Mappings
@@ -177,10 +179,10 @@ Multiple DN templates can be searched by combining filters with the LDAP OR-oper
 ```bash
 group_search_filter = "(member:1.2.840.113556.1.4.1941:=CN=%s,[user container/OU])"
 group_search_filter = "(|(member:1.2.840.113556.1.4.1941:=CN=%s,[user container/OU])(member:1.2.840.113556.1.4.1941:=CN=%s,[another user container/OU]))"
+group_search_filter_user_attribute = "cn"
 ```
-For troubleshooting, by changing `member_of` in `[servers.attributes]` to "distinguishedName" it will show you more accurate group memberships when [debug is enabled](#troubleshooting).
+For troubleshooting, by changing `member_of` in `[servers.attributes]` to "dn" it will show you more accurate group memberships when [debug is enabled](#troubleshooting).
 ## Configuration examples

--- a/pkg/login/ldap.go
+++ b/pkg/login/ldap.go
@@ -326,15 +326,19 @@ func (a *ldapAuther) searchForUser(username string) (*LdapUserInfo, error) {
 			a.log.Info("Searching for user's groups", "filter", filter)
+			// support old way of reading settings
+			groupIdAttribute := a.server.Attr.MemberOf
+			// but prefer dn attribute if default settings are used
+			if groupIdAttribute == "" || groupIdAttribute == "memberOf" {
+				groupIdAttribute = "dn"
+			}
 			groupSearchReq := ldap.SearchRequest{
 				BaseDN:       groupSearchBase,
 				Scope:        ldap.ScopeWholeSubtree,
 				DerefAliases: ldap.NeverDerefAliases,
-				Attributes: []string{
+				Attributes:   []string{groupIdAttribute},
-					// Here MemberOf would be the thing that identifies the group, which is normally 'cn'
+				Filter:       filter,
-					a.server.Attr.MemberOf,
-				},
-				Filter: filter,
 			}
 			groupSearchResult, err = a.conn.Search(&groupSearchReq)
@@ -344,7 +348,7 @@ func (a *ldapAuther) searchForUser(username string) (*LdapUserInfo, error) {
 			if len(groupSearchResult.Entries) > 0 {
 				for i := range groupSearchResult.Entries {
-					memberOf = append(memberOf, getLdapAttrN(a.server.Attr.MemberOf, groupSearchResult, i))
+					memberOf = append(memberOf, getLdapAttrN(groupIdAttribute, groupSearchResult, i))
 				}
 				break
 			}