OpenLDAP auth backend - how to get groups back?

  • I've got an OpenLDAP directory of the form:


    I can get the auth to work against the users by setting

      Authentication containers  :  ou=People,dc=localdomain
      User naming attribute      : uid

    However, it fails as soon as I try to get the group names returned, so the user is never reported as being a member of a group. Membership is stored in the 'uniquemember' attribute of the group, so I've set:

      Extended query          : ou=Groups,dc=localdomain
      Group naming attribute  :  cn
      Group member attribute  :  uniquemember

    This doesn't work, possibly because the 'uniquemember' attribute holds 'uid=User,ou=People,dc=localdomain' (this is created automatically within the directory and can't be changed).

    Is there anything I can do to get this working, perhaps with the 'Extended Query' value?


    Forgot to mention, this is for 2.1.


  • Thanks, that looks the same as something that resulted in me making some changes based on the post at, so I've now got a 'memberOf' attribute for each user.

      Extended query          : memberOf=cn=AGroup,ou=Groups,dc=localdomain
      Group naming attribute  :  cn
      Group member attribute  :  memberOf

    This resulted in the auth passing only if the user is a member of the group, but the group name still doesn't get returned - it's simply being passed on the 'Extended query' finding a match. That means the user can log in, but they get "No pages assigned".

    BTW, the name specified in the 'Group naming attribute' doesn't look like it's being used - I can set it to 'thiscanbeanything' and an auth test will pass. I've had a look at the code for ldap_get_groups() in

            if (is_array($info[0][$ldapgroupattribute])) {
                    /* Iterate through the groups and throw them into an array */
                    foreach ($info[0][$ldapgroupattribute] as $member) {
                            if (stristr($member, "CN=") !== false) {
                                    $membersplit = explode(",", $member);
                                    $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
                            }
                    }
            }

    Should this be using the 'Group naming attribute' rather than being hard-coded to 'CN'?

    I've got a solution that I can use. I've modified my LDAP directory (easy in this case as it's a new install ;)) so that the users have a memberOf attribute which is built up automatically from the group objects (using the memberOf plugin within 389 Directory Server). That way I don't need the "Extended query" at all.
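    As an added example (not pfSense's or the poster's code), this is how the extraction above could honour the configured 'Group naming attribute' instead of the hard-coded "CN=". The $info array is constructed to mimic the ldap_get_entries() result shape, and extract_group_names() is a hypothetical name.

```php
<?php
// Added example, not pfSense's own code. Pull group names out of DN-valued
// attribute values (memberOf, uniquemember, ...) by matching the first RDN
// against the configured naming attribute, case-insensitively.
function extract_group_names(array $info, string $groupAttr, string $namingAttr): array {
    $groups = [];
    // ldap_get_entries() lowercases attribute names, so look up the lowercased key
    $groupAttr = strtolower($groupAttr);
    if (empty($info[0][$groupAttr]) || !is_array($info[0][$groupAttr])) {
        return $groups;
    }
    foreach ($info[0][$groupAttr] as $key => $dn) {
        if ($key === 'count') { // ldap_get_entries() adds a 'count' element
            continue;
        }
        // Split on unescaped commas only; "\," inside a value is not a separator
        $rdns = preg_split('/(?<!\\\\),/', $dn);
        $parts = explode('=', trim($rdns[0]), 2);
        if (count($parts) !== 2) {
            continue; // not a DN, skip it
        }
        if (strcasecmp(trim($parts[0]), $namingAttr) === 0) {
            // Unescape "\," so the returned name matches the directory value
            $groups[] = str_replace('\\,', ',', trim($parts[1]));
        }
    }
    return array_values(array_unique($groups));
}

// Constructed sample mimicking ldap_get_entries() output for one user
$info = [
    'count' => 1,
    0 => [
        'memberof' => [
            'count' => 3,
            0 => 'cn=AGroup,ou=Groups,dc=localdomain',
            1 => 'CN=Admins,ou=Groups,dc=localdomain',
            2 => 'ou=NotAGroup,dc=localdomain',
        ],
    ],
];

print_r(extract_group_names($info, 'memberOf', 'cn'));
print_r(extract_group_names($info, 'memberOf', 'ou'));
```

    The second call shows the point of the question: which RDN is treated as the group name follows the configured attribute, so a directory that names groups by something other than cn still works.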

  • I submitted a pull request a while back in this area (, but it looks a bit orphaned ;)

    Not quite the same, but this did make the auth work nicely with OpenLDAP.
