[Check_mk (english)] LDAP contact group sync

Hi,

How exactly does the LDAP contact group sync work? The help says "Add user to
all contactgroups where the common name matches the group name". This means to
me, that the name (not alias) of the group must match the LDAP field "cn". Is
this correct?

I've created a contact group in WATO called "NetworkAdmins" (Name and Alias are
the same). But users in this group are not added to the corresponding contact
group. The LDAP group looks like this:

dn: cn=NetworkAdmins,ou=Groups,dc=domain,dc=ch
description: Network Administrators
objectClass: groupOfUniqueNames
uniqueMember: uid=tobias,ou=People,dc=domain,dc=ch
cn: NetworkAdmins

Is this correct? Why does the match not work?

Cheers,
Tobias

PS: There is a typo on "LDAP Attribute Sync Plugins": "Contactgroup
Memberhip", should be "Contactgroup Membership"

--
Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich
Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13
Skype nine.ch_support

Hello Tobias,

I think you got it right. One thing to notice is that you have to configure the "LDAP Group Settings" correctly. Only groups below the given "Group Base DN" can be found by the plugin.

What kind of LDAP are you using? Which server in which version?

Regards
Lars

On 01/15/2013 04:39 PM, Tobias Brunner wrote:

Hi,

How exactly does the LDAP contact group sync work? The help says "Add user to
all contactgroups where the common name matches the group name". This means to
me, that the name (not alias) of the group must match the LDAP field "cn". Is
this correct?

I've created a contact group in WATO called "NetworkAdmins" (Name and Alias is
the same). But users in this group are not added to the corresponding contact
group. The LDAP group looks like this:

dn: cn=NetworkAdmins,ou=Groups,dc=domain,dc=ch
description: Network Administrators
objectClass: groupOfUniqueNames
uniqueMember: uid=tobias,ou=People,dc=domain,dc=ch
cn: NetworkAdmins

Is this correct? Why does the match not work?

Cheers,
Tobias

PS: There is a typo on "LDAP Attribute Sync Plugins": "Contactgroup
Memberhip", should be "Contactgroup Membership"

Good morning,

> I think you got it right. One thing to notice is, that you have to
> configure the "LDAP Group Settings" correctly. Only groups below the
> given "Group Base DN" can be found by the plugin.

I've configured "ou=Groups,dc=domain,dc=ch" as Base DN and
"(objectclass=groupOfUniqueNames)" as filter. Trying this query with
ldapsearch gives me the desired resultset.

> What kind of LDAP are you using? Which server in which version?

It's OpenLDAP in version 2.4.23.

Is there a logfile or debug setting which I can see what's going on during
matching?

Cheers,
Tobias

Hi again,

I just had a look at the function "ldap_user_groups" in "ldap.py", there is an
LDAP filter (&(member=%s)) which does not match on our implementation of LDAP
groups. For us it should be (&(uniqueMember=%s)). What do you think of this?
Maybe there should be a field where we can configure which filter should
apply?

dn: cn=NetworkAdmins,ou=Groups,dc=domain,dc=ch
description: Network Administrators
objectClass: groupOfUniqueNames
uniqueMember: uid=tobias,ou=People,dc=domain,dc=ch
cn: NetworkAdmins

Cheers,
Tobias

PS: thanks for integrating my feedback into the code! =)

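The mismatch described in the message above, as an added example that is not part of the original posts and is not Check_MK's code: an in-memory model showing why a `member` lookup finds nothing for a `groupOfUniqueNames` entry, with the membership attribute made selectable and the user DN escaped per RFC 4515 before it is placed in a filter. The second group entry, all helper names and the simplified DN comparison are assumptions made for the illustration.

```python
# Standard group object classes (RFC 4519) and the attribute that holds member DNs.
MEMBER_ATTR = {"groupofnames": "member", "groupofuniquenames": "uniqueMember"}

# Constructed directory content; the first entry mirrors the LDIF in the thread.
GROUPS = [
    {"dn": "cn=NetworkAdmins,ou=Groups,dc=domain,dc=ch",
     "objectClass": ["groupOfUniqueNames"], "cn": ["NetworkAdmins"],
     "uniqueMember": ["uid=tobias,ou=People,dc=domain,dc=ch"]},
    {"dn": "cn=Ops,ou=Groups,dc=domain,dc=ch",
     "objectClass": ["groupOfNames"], "cn": ["Ops"],
     "member": ["uid=lars,ou=People,dc=domain,dc=ch"]},
]

def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def membership_filter(user_dn, member_attr):
    """Filter string a sync would send to find the groups of user_dn."""
    return "(%s=%s)" % (member_attr, escape_filter_value(user_dn))

def norm_dn(dn):
    # Simplified DN matching: case-insensitive, ignores spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def groups_of(user_dn, member_attr, entries=GROUPS):
    """Return the cn of every group whose member_attr lists user_dn."""
    hits = []
    for entry in entries:
        attrs = {k.lower(): v for k, v in entry.items()}  # attribute names ignore case
        values = attrs.get(member_attr.lower(), [])
        if norm_dn(user_dn) in [norm_dn(v) for v in values]:
            hits.extend(attrs["cn"])
    return hits

def groups_by_object_class(user_dn, entries=GROUPS):
    """Pick the membership attribute per group from its objectClass."""
    hits = []
    for entry in entries:
        for oc in entry["objectClass"]:
            attr = MEMBER_ATTR.get(oc.lower())
            if attr:
                hits.extend(groups_of(user_dn, attr, [entry]))
    return hits

def contact_groups(user_dn, wato_groups, member_attr):
    # Sync rule from the help text: the LDAP cn must equal the contact group name.
    return sorted(set(groups_of(user_dn, member_attr)) & set(wato_groups))
```
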

Hi everyone,

Just to say: LDAP contact group sync now works in the latest GIT trunk. Thanks
a lot to Lars for fixing this so fast!

http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=bb8df359fe375b1a98449ad684965100e417e7b3

Cheers,
Tobias
