I was reluctant to add “TLS_REQCERT never” to the image, because it’s only necessary if you have a self-signed certificate. I think it’s best to have a fixed ldap.conf as part of the piler rpm package, e.g. right next to the docker-compose.yaml file with the following content:

```
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_REQCERT never
```
```php
$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'ldaps://nsdc-ns7loc12.ad.nethservertest.org';
$config['LDAP_HELPER_DN'] = 'ldapservice@AD.NETHSERVERTEST.ORG';
$config['LDAP_HELPER_PASSWORD'] = 'k7aL_gMQPatrENJJ';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'user';
$config['LDAP_MAIL_ATTR'] = 'userPrincipalName';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'group';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'member';
// set this if you want to limit the scope of the ldap query
$config['LDAP_BASE_DN'] = 'dc=ad,dc=nethservertest,dc=org';
// admin@nethservertest.org is admin of piler
$config['LDAP_ADMIN_MEMBER_DN'] = 'CN=admin,CN=Users,DC=ad,DC=nethservertest,DC=org';
// members of PilerAuditor are auditors
$config['LDAP_AUDITOR_MEMBER_DN'] = 'CN=famille,CN=Users,DC=ad,DC=nethservertest,DC=org';
```
I think I have an issue with openldap retrieving the group for auditors; it is workable with samba AD. This is the slapcat output, where we can see the memberUid without the domain DC/DN:
```
dn: cn=famille,ou=Groups,dc=directory,dc=nh
gidNumber: 1002
cn: famille
objectClass: posixGroup
structuralObjectClass: posixGroup
entryUUID: f4126658-d67e-103a-9353-618194e739f1
creatorsName: cn=libuser,dc=directory,dc=nh
createTimestamp: 20201219194847Z
memberUid: stephane
memberUid: helene
memberUid: maxime
entryCSN: 20201219194955.372605Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20201219194955Z
```
This is what I added to piler to authenticate. I can log in, but obviously the group is not retrieved; I think it is because piler uses user@domain.com and not user:
```php
$config['ENABLE_LDAP_AUTH'] = 1;
$config['LDAP_HOST'] = 'ldaps://ns7loc11.nethservertest.org';
$config['LDAP_HELPER_DN'] = 'cn=ldapservice,dc=directory,dc=nh';
$config['LDAP_HELPER_PASSWORD'] = 'V_85617fr2bK3Csj';
$config['LDAP_MAIL_ATTR'] = 'mail';
$config['LDAP_BASE_DN'] = 'dc=directory,dc=nh';
$config['LDAP_ACCOUNT_OBJECTCLASS'] = 'posixAccount';
$config['LDAP_DISTRIBUTIONLIST_ATTR'] = 'memberUid';
$config['LDAP_DISTRIBUTIONLIST_OBJECTCLASS'] = 'posixGroup';
// admin.com is admin of piler
$config['LDAP_ADMIN_MEMBER_DN'] = 'uid=admin,ou=People,dc=directory,dc=nh';
// members of PilerAuditor are auditors
$config['LDAP_AUDITOR_MEMBER_DN'] = 'cn=famille,ou=Groups,dc=directory,dc=nh';
```
I will update my rpm… maybe I will need a hand on this.

With openldap, piler can authenticate the user, grant him admin rights if he is admin, and retrieve his email address; the issue is that piler cannot retrieve the group.

With samba AD it is even stranger: piler can authenticate the user, but piler does not know the email address or the group. This is a big issue, because without an email address piler is completely lost.
Piler first tries to query your email addresses associated with the user ldap object. Then it uses both your email and your user’s object’s DN value to find the groups you are member of. When I tried to authenticate against the local openldap db I found that the group object doesn’t have any email addresses.
I can see that the famille group has 3 members, but no email address. The same is true for the samba group object. Btw. did you enable email address for these groups? If so, then perhaps the group object should or might be extended with an email field.
Btw. just to show what my openldap stuff looks like. My group has no email address field either. However, I used the “description” ldap field to hold an email address, and added “description” to the mailattrs variable in config-site.php. I know, it’s ridiculous and it sucks, but it worked.
I think I need to extend the group object with some proper email attributes. Just didn’t have the time to work on it. Perhaps the nethserver team has an ldap expert.
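An added example, not piler's own code and not from anyone in this thread, showing why the two-step lookup described above comes back empty for a posixGroup: it parses constructed entries shaped after the slapcat output, then resolves membership both the way the thread says piler does (keyed on the user's DN or e-mail) and keyed on the bare uid, which is all a memberUid attribute holds. The mail value, the user entry and the piler-auditors groupOfNames entry are constructed; nothing here reflects piler's actual query code.

```python
def parse_ldif(text):
    """Minimal LDIF parser (no line folding or base64): [{attr: [values]}], attrs lowercased."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def groups_matching(entries, member_attr, keys):
    """DNs of entries whose member_attr holds any of `keys` (case-insensitive match)."""
    wanted = {k.lower() for k in keys}
    return sorted(e["dn"][0] for e in entries
                  if any(v.lower() in wanted for v in e.get(member_attr.lower(), [])))

def resolve_groups(ldif, user_dn, member_attr):
    """Resolve one user's groups two ways: keyed on DN/e-mail (the lookup the thread
    describes piler doing) and keyed on the bare uid (what a posixGroup's memberUid holds)."""
    entries = parse_ldif(ldif)
    user = next(e for e in entries if e["dn"][0].lower() == user_dn.lower())
    return {
        "by_dn_or_mail": groups_matching(entries, member_attr, [user_dn] + user.get("mail", [])),
        "by_uid": groups_matching(entries, member_attr, user.get("uid", [])),
    }

# Constructed sample entries, shaped after the slapcat output in the thread.
SAMPLE_LDIF = """\
dn: uid=stephane,ou=People,dc=directory,dc=nh
uid: stephane
mail: stephane@nethservertest.org
objectClass: posixAccount

dn: cn=famille,ou=Groups,dc=directory,dc=nh
objectClass: posixGroup
memberUid: stephane
memberUid: helene

dn: cn=piler-auditors,ou=Groups,dc=directory,dc=nh
objectClass: groupOfNames
member: uid=stephane,ou=People,dc=directory,dc=nh
"""
if __name__ == "__main__":
    for attr in ("memberUid", "member"):   # posixGroup style vs groupOfNames/AD style membership
        print(attr, resolve_groups(SAMPLE_LDIF, "uid=stephane,ou=People,dc=directory,dc=nh", attr))
```

The posixGroup lookup only succeeds when the key is the bare uid, while the DN-keyed lookup only succeeds against a group whose member values are full DNs; a role mapping such as LDAP_AUDITOR_MEMBER_DN silently grants nobody the role when the two do not line up.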