SystemLink Forum


SystemLink LDAP group as admin configuration


Hi,

 

I have a problem configuring the use of LDAP group names as admin in SystemLink.

The figures below contain my settings and results:

 

Defining an LDAP group as admin results in my user, who is part of that group, being logged on as a standard user.

[Figures: NI Web Server Configuration - Roles - LDAP Admin Group; NI SystemLink Portal - LDAP user login (LDAP group configured as admin)]

Defining an LDAP user as admin results in my user being logged on as an admin user.

[Figures: NI Web Server Configuration - Roles - LDAP user as admin; NI SystemLink Portal - LDAP user login (LDAP user configured as admin)]

Below are my LDAP settings, which work for users, since I am able to log on as an LDAP user. I also double-checked that the user is part of the SystemLink_Admins group in the directory server.

[Figure: NI Web Server Configuration - Authentication - LDAP settings]

Please advise.

Regards,
André (CLA, CLED)
Message 1 of 5

Hi André,

 

For adding LDAP groups to roles, you need to specify the group's distinguished name. Based on your screenshots, this could be something like:

 

CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net

 

You would likely have some OU=... entries in there as well between the CN and the DCs depending on how your LDAP directory is organized.

 

For additional reference, the LDAP User entry is easier because it always matches the first attribute you specify in the LDAP URL (uid in your case). If you changed uid to distinguishedName, you would also have to specify the user's distinguished name in the role (and when you log in to the web server).

Message 2 of 5

I think I see where you are heading, but I can't seem to get it to work.

 

I configured an admin group with value "CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net".

 

I left my LDAP URL the same and logged on with just the user name (uid). It still logs me on as a normal user, although the user is a member of the admin group.

 

Where do I go wrong? I have very limited knowledge of LDAP and am using a Synology Directory Server (openLDAP based). I only configured groups and users.

 

Thanks.

Regards,
André (CLA, CLED)
Message 3 of 5

I'm not familiar with Synology Directory Server, but you should be able to use a tool such as ldapsearch (on Linux) to browse the directory:

 

ldapsearch -D [your bind user] -W -H [your LDAP protocol://host:port] -LLL "(cn=SystemLink_Admins)" dn

Or you can look up the memberOf attributes for a user that you know is in the group and find it that way.

 

According to this documentation, "the distinguished name of the group in the LDAP database is cn=[groupname],cn=groups,cn=[Base_DN]". By that, I'm guessing they mean it would be "CN=SystemLink_Admins,CN=groups,DC=systemlink,DC=carya,DC=net", but it's not clear to me what Base_DN would be, since they put cn= there.

Message 4 of 5
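The role mapping described in this thread only succeeds when the configured role entry equals the group's full distinguished name, compared component by component, not just its short name. The following is an added example (not SystemLink, NI or Synology code) that mimics that lookup offline: it parses DNs, compares them case-insensitively, and reports why a configured value such as a bare group name or a DN missing the cn=groups container fails to match a user's memberOf values. The memberOf values, the helper names parse_dn, resolve_role and explain_mismatch, and the simplified RFC 4514 parsing are all assumptions constructed for illustration.

```python
"""Diagnose why an LDAP group-to-role mapping does or does not match.

Added example, not SystemLink/NI code. Models the check a web server must do:
the configured admin-group value has to equal the group's full DN. The cn and
dc attribute types use case-insensitive matching in LDAP, so comparison here
lower-cases both attribute names and values.
"""
import re


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, normalised to lower case.

    Simplified RFC 4514 parsing: honours backslash-escaped commas but does not
    handle quoted or hex-encoded values (assumption: plain ASCII names).
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        if '=' not in part:
            raise ValueError(f"not an RDN (no '=' component): {part!r}")
        attr, value = part.split('=', 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def dn_equal(a, b):
    """True when two DNs have the same components in the same order."""
    return parse_dn(a) == parse_dn(b)


# Constructed memberOf attribute values for a directory user; the group lives
# under the cn=groups container, as the Synology documentation quoted above says.
USER_MEMBER_OF = [
    "cn=SystemLink_Admins,cn=groups,dc=systemlink,dc=carya,dc=net",
    "cn=users,cn=groups,dc=systemlink,dc=carya,dc=net",
]


def resolve_role(configured_group_dn, member_of):
    """Return 'admin' if any membership equals the configured DN, else 'user'.

    A value that is not a DN at all (for example a bare group name) matches
    nothing, which is exactly the 'logged on as standard user' symptom.
    """
    try:
        for group in member_of:
            if dn_equal(group, configured_group_dn):
                return "admin"
    except ValueError:
        pass
    return "user"


def explain_mismatch(configured_group_dn, member_of):
    """Return human-readable hints about why the configured value did not match."""
    if '=' not in configured_group_dn:
        return [f"configured value {configured_group_dn!r} is not a DN (no '=' component)"]
    want = parse_dn(configured_group_dn)
    hints = []
    for group in member_of:
        have = parse_dn(group)
        # Same leaf RDN (the group's cn) but a different parent path: typically a
        # missing container such as cn=groups between the cn and the dc entries.
        if have[0] == want[0] and have != want:
            hints.append(
                f"leaf RDN matches but full DN differs: configured "
                f"{configured_group_dn!r}, directory has {group!r}"
            )
    return hints


if __name__ == "__main__":
    for cfg in [
        "SystemLink_Admins",
        "CN=SystemLink_Admins,DC=systemlink,DC=carya,DC=net",
        "CN=SYSTEMLINK_ADMINS,CN=Groups,DC=systemlink,DC=carya,DC=net",
    ]:
        print(f"{cfg!r} -> role {resolve_role(cfg, USER_MEMBER_OF)}")
        for hint in explain_mismatch(cfg, USER_MEMBER_OF):
            print("   ", hint)
```

Run stand-alone it walks through the three values tried in this thread: the bare name and the DN without the cn=groups container resolve to the standard user role, while the full DN resolves to admin regardless of letter case, so the case and underscore changes in the accepted solution were not what made the difference; the complete DN was.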
Solution (accepted by topic author andre.buurman@carya)

Hi pspangler,

 

You were right; after some fiddling I got it to work with "cn=systemlinkadmins,cn=groups,dc=systemlink,dc=carya,dc=net" as the group identifier.

I changed the group name in the process to rule out any special characters, and also used all lower case to rule out case sensitivity.

Regards,
André (CLA, CLED)
Message 5 of 5