[omd-devel] Matching group membership in LDAP for "posixGroup"

Steven Bakker Steven.Bakker at ams-ix.net
Thu Jul 18 10:31:00 CEST 2013


Hi,

I noticed that the LDAP authentication module for check_mk supports
mapping groups from LDAP to privilege levels in check_mk. However, the
code assumes that group membership is implemented as a "groupOfNames" or
"groupOfUniqueNames" using attributes "member" or "uniqueMember", resp.
That attribute is supposed to hold a member's "dn":

  dn: cn=daltons,ou=groups,dc=example,dc=com
  objectClass: groupOfNames
  cn: daltons
  member: uid=joe,ou=people,dc=example,dc=com
  member: uid=jack,ou=people,dc=example,dc=com
  member: uid=william,ou=people,dc=example,dc=com
  member: uid=averell,ou=people,dc=example,dc=com
  ...

This does not integrate well with those of us who use "posixGroup"
objects, which use the "memberUid" attribute to specify group
membership:

  dn: cn=daltons,ou=groups,dc=example,dc=com
  objectClass: posixGroup
  cn: daltons
  memberUid: joe
  memberUid: jack
  memberUid: william
  memberUid: averell
  ...

It turns out that the patch to support the latter is almost trivial, see
attached. I'd appreciate it if this could be considered for inclusion in
a future release.

Best regards,

Steven Bakker

PS: OMD/check_mk rocks!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_mk-ldap-posixgroup-patch.diff
Type: text/x-patch
Size: 704 bytes
Desc: not available
URL: <http://lists.mathias-kettner.de/pipermail/omd-devel/attachments/20130718/5e5e1d37/attachment.bin>
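
Added example, not part of the original mail and not check_mk's code: a Python sketch of membership matching that covers both schemas described above, using the member's DN for "member"/"uniqueMember" and the bare uid for "memberUid". All function and variable names are hypothetical, the sample entries are constructed from the LDIF in the mail, and the DN comparison is a labelled simplification.

```python
# Added illustration, not check_mk code; every name here is hypothetical.
# objectClass -> (membership attribute, what a value of it holds)
GROUP_SCHEMAS = {
    "groupOfNames": ("member", "dn"),
    "groupOfUniqueNames": ("uniqueMember", "dn"),
    "posixGroup": ("memberUid", "uid"),
}

def escape_filter_value(value):
    """RFC 4515 escaping, so metacharacters in a name are matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def membership_filter(group_cn, user_dn, user_uid):
    """Search filter matching the group only if the user is a member of it."""
    clauses = []
    for object_class, (attr, kind) in sorted(GROUP_SCHEMAS.items()):
        value = user_dn if kind == "dn" else user_uid
        clauses.append("(&(objectClass=%s)(%s=%s))"
                       % (object_class, attr, escape_filter_value(value)))
    return "(&(cn=%s)(|%s))" % (escape_filter_value(group_cn), "".join(clauses))

def _norm_dn(dn):
    # Simplification (assumption): case-insensitive, spaces after commas ignored.
    # Escaped commas and multi-valued RDNs are not handled.
    return ",".join(part.strip() for part in dn.lower().split(","))

def is_member(entry, user_dn, user_uid):
    """Check a fetched group entry (dict: attribute -> list of values)."""
    for object_class in entry.get("objectClass", []):
        attr, kind = GROUP_SCHEMAS.get(object_class, (None, None))
        values = entry.get(attr, [])
        if kind == "uid" and user_uid in values:      # memberUid is case-exact
            return True
        if kind == "dn" and _norm_dn(user_dn) in [_norm_dn(v) for v in values]:
            return True
    return False

# Constructed sample entries, modelled on the two LDIF snippets in the mail.
NAMES_GROUP = {"objectClass": ["groupOfNames"], "cn": ["daltons"],
               "member": ["uid=joe,ou=people,dc=example,dc=com"]}
POSIX_GROUP = {"objectClass": ["posixGroup"], "cn": ["daltons"],
               "memberUid": ["joe", "jack", "william", "averell"]}

if __name__ == "__main__":
    joe = "uid=joe,ou=people,dc=example,dc=com"
    print(membership_filter("daltons", joe, "joe"))
    print(is_member(NAMES_GROUP, joe, "joe"), is_member(POSIX_GROUP, joe, "joe"))
```

A lookup that only tests "member"/"uniqueMember" returns no groups for a posixGroup user, so any role tied to that group is never granted.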

