LDAP configuration for Netscape/Sun/iPlanet-type Directory Servers

linux
apache
php71

#1

Pydio Community 8.2.0 running on Oracle Linux 7.5, Apache 2.4 and PHP 7.1.

I’m looking for recommendations on how to configure the LDAP authentication plugin.

Our Corporate LDAP for the team members is running a Netscape/Sun/iPlanet-type Directory Server. Our team has no control over the schema, nor can we ask to move the accounts to other OUs. What we can do is request new group objects to be created for the purpose of mapping accounts to Pydio roles and/or groups.

Unfortunately, user objects contain no reference to the groups they are members of. Instead, we can list the group objects and filter them by some prefix (eg. Pydio_*), then in each group, check for uniqueMember attributes, which contain the DN of user objects that are members of each groups.

LDAP Authentication works if we configure the plugin this way:

Users Schema

People DN: ou=people,ou=teamMembers,ou=internal,o=corporate
LDAP Filter: (objectClass=inetOrgPerson)
User attribute: uid

The problem is that all user objects are found, thus, everyone can log into Pydio. There is no attribute in user objects I can filter on to restrict the search, which is a problem, because I don’t want everyone in the business to have access.

Can we setup an LDAP group object, containing uniqueMember attributes pointing to the DN of user accounts that are given access to Pydio? How can we setup Pydio to authenticate only these users and refuse/drop any requests for users that are NOT part of that group or local DB accounts?

Thanks in advance!!


#2

Hi,
maybe those 2 pieces of documentation could help you

  1. This ldap auth doc
  2. Or this one