OpenLDAP's memberOf attribute: many applications that integrate LDAP groups (for example Apache Kylin and Grafana) read the memberOf attribute to decide which groups a user belongs to. Once the application has roles mapped to LDAP groups, you only need to add a user to the matching group and the user gets the corresponding permissions in the application.
1. Configure LDAP
```
[dev] [root@dev-bigdata-haproxy memof]# cat memof.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

[dev] [root@dev-bigdata-haproxy memof]# cat refint1.ldif
dn: cn=module{0},cn=config
add: olcmoduleload
olcmoduleload: refint

[dev] [root@dev-bigdata-haproxy memof]# cat refint2.ldif
dn: olcOverlay={1}refint,olcDatabase={2}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {1}refint
olcRefintAttribute: memberof member manager owner
```
2. Apply the configuration:
```
[dev] [root@dev-bigdata-haproxy-2 myconf]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f memof.ldif
adding new entry "cn=module,cn=config"

adding new entry "olcOverlay={0}memberof,olcDatabase={2}hdb,cn=config"

[dev] [root@dev-bigdata-haproxy-2 myconf]# ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f refint1.ldif
modifying entry "cn=module{0},cn=config"

[dev] [root@dev-bigdata-haproxy-2 myconf]# ldapadd -Q -Y EXTERNAL -H ldapi:/// -f refint2.ldif
adding new entry "olcOverlay={1}refint,olcDatabase={2}hdb,cn=config"
```
3. Verify the result
```
[dev] [root@dev-bigdata-haproxy memof]# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=xiaomao)" -b dc=oneops,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: uid=xiaomao,ou=People,dc=oneops,dc=com
memberOf: cn=Kylin_Admin_Group,ou=Group,dc=oneops,dc=com
memberOf: cn=Admin,ou=Group,dc=oneops,dc=com
```
If the search above returns memberOf values, the configuration is working.

Note that the overlay only takes effect for groups created after it was enabled; for groups that already existed, the members have to be re-added before memberOf is populated.
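As an added example (not from the original post), a small Python check for that caveat: it parses an LDIF dump of groups and users, reports users whose memberOf is missing a group that lists them as a member, and builds the ldapmodify input that deletes and re-adds a member so the overlay recomputes memberOf. The group and user DNs in the sample are constructed to match the examples above.

```python
# Added example (not from the original post): the memberof overlay only maintains
# memberOf for groups written after it was enabled, so member and memberOf can drift.
from collections import defaultdict

# Constructed sample dump: Legacy_Group predates the overlay, so neither member
# carries memberOf for it; Admin was created afterwards and is consistent.
SAMPLE_LDIF = """\
dn: cn=Admin,ou=Group,dc=oneops,dc=com
objectClass: groupOfNames
member: uid=xiaomao,ou=People,dc=oneops,dc=com

dn: cn=Legacy_Group,ou=Group,dc=oneops,dc=com
objectClass: groupOfNames
member: uid=xiaomao,ou=People,dc=oneops,dc=com
member: uid=alice,ou=People,dc=oneops,dc=com

dn: uid=xiaomao,ou=People,dc=oneops,dc=com
memberOf: cn=Admin,ou=Group,dc=oneops,dc=com
"""


def memberof_drift(ldif_text):
    """Return {user DN: sorted groups listing it as member but missing from its memberOf}."""
    entries, current = {}, None
    for line in ldif_text.splitlines():
        if not line.strip():                      # a blank line ends an entry
            current = None
            continue
        attr, _, value = line.partition(":")      # attribute names are case-insensitive
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    expected = defaultdict(set)                   # user DN -> groups that name it
    for dn, attrs in entries.items():
        for member in attrs.get("member", []):
            expected[member].add(dn)
    drift = {}
    for user, groups in expected.items():
        missing = groups - set(entries.get(user, {}).get("memberof", []))
        if missing:
            drift[user] = sorted(missing)
    return drift


def refresh_ldif(group_dn, member_dn):
    """ldapmodify input that removes and re-adds one member so the overlay sets memberOf."""
    return (f"dn: {group_dn}\nchangetype: modify\ndelete: member\nmember: {member_dn}\n"
            f"-\nadd: member\nmember: {member_dn}\n-\n")
```

Feed the output of `refresh_ldif` for each reported pair to `ldapmodify`, then rerun the ldapsearch from step 3 to confirm the memberOf values appear.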