Knowledgebase:
Using OpenLDAP for authorising MarkLogic security roles
02 December 2016 11:22 AM

Introduction

MarkLogic uses the LDAP "memberOf" attribute to determine group membership for authorising access to specific security roles, however by default, the "memberOf" attribute is not enabled in an OpenLDAP server. This article will show to enable the "memberOf" attribute in an OpenLDAP server so that MarkLogic can successfully determine group membership and authorise access to a Role.

Configuring OpenLDAP to support the "memberOf" attribute

1. Create a LDIF file with the following contents

memberOf.ldif

dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
objectclass: top
olcModuleLoad: memberof.la
olcModulePath: /usr/lib64/openldap

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectclass: olcconfig
objectclass: olcMemberOf
objectclass: olcoverlayconfig
objectclass: top
olcoverlay: memberof

Check that the database name assigned to "olcDatabase" is the same on your system as different Linux distributions may use other names, e.g hdb instead of bdb.

/etc/openldap/slapd.d/cn=config

drwxr-x--- 2 ldapldap 40 Nov 28 18:13 olcDatabase={2}bdb

Check the OpenLDAP library name and path (olcModuleLoadolcModulePath) are valid, as with the database name this can vary with different Linux distributions.

2.  Issue the following command to add "memberOf" support and restart OpenLDAP

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/memberof.ldif

If the LDAPI:// is not active on the system add the following parameter to the OpenLDAP Configuration in "/etc/sysconfig/ldap" and restart OpenLDAP first.

SLAPD_LDAPI=yes

3. It should now be able to add users to LDAP and assign them as a member to the required LDAP groups, OpenLDAP will then add the attribute “memberOf” to their LDAP entry, e.g


dn: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: appadmin
sn: MarkLogic App Admin
uid: appadmin
userPassword:: cGFzc3dvcmQ=

dn: cn=AppAdmin,ou=Groups,dc=MarkLogic,dc=Local
objectClass: top
objectClass: groupOfNames
cn: AppAdmin
member: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local

Note

OpenLDAP assigns the "memberOf" to the user LDAP entry as an operational attribute, as such it will not be visible when you using a normal "ldapsearch" command, e.g

ldapsearch   -x -h localhost -D "cn=Manager,dc=MarkLogic,dc=local" -W -b "uid=appadmin,ou=Users,dc=MarkLogic,dc=Local"

In order to display the operational attributes add an additional "+" parameter to the end of the search command, e.g.

[admin@kerberos tmp]# ldapsearch -x -h localhost -D "cn=Manager,dc=MarkLogic,dc=local" -W -b "uid=appadmin,ou=Users,dc=MarkLogic,dc=Local" +
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=appadmin,ou=Users,dc=MarkLogic,dc=Local> with scope subtree
# filter: (objectclass=*)
# requesting: +
#

# appadmin, Users, MarkLogic.Local
dn: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
structuralObjectClass: inetOrgPerson
entryUUID: 299e5620-49e2-1036-8750-e5471d51d42c
creatorsName: cn=Manager,dc=MarkLogic,dc=Local
createTimestamp: 20161128181352Z
entryCSN: 20161128181352.705449Z#000000#000#000000
modifyTimestamp: 20161128181352Z
memberOf: cn=AppAdmin,ou=Groups,dc=MarkLogic,dc=Local
modifiersName: cn=Manager,dc=MarkLogic,dc=Local
entryDN: uid=appadmin,ou=Users,dc=MarkLogic,dc=Local
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE

Additional reading

Assigning external LDAP group membership to a Role.

OpenLDAP memberOf overlay manual

(0 vote(s))
Helpful
Not helpful

Comments (0)