LDAP authentication hints

Not that accustomed to ldap yet, are there any examples of configuring a new base to use ldap for authentication? In particular, where ldapwhoami works already for uid’s and mail’s for users in the tryton group.


We use LDAP to authenticate the user and also check if the user is allowed to login. The LDAP-server is also used to: login into the Windows machines using pGina, Samba shares and Email. Changing passwords within Tryton is not allowed, only with pGina. We are very happy how the whole system works and are working to get also Kerberos into the equation for SSO possibilities.

Thanks, yeah… this is more or less the intention.

Turns out my problem was twofold. Since it seems the typical usage of ‘sub’ in the URI doesn’t work (`tryton.jsonrpc.Fault: <Fault "'sub'":…`), using ‘subtree’ instead seems to work okay :P

Also, steep learning curve about the vagaries of the openldap default ‘nis’ schema and ‘rfc2307bis’ (or later) when wanting to use ‘memberOf’ for posixGroups (which doesn’t work).

The case at hand being reasonably straightforward, simply creating a new Apps organizationalUnit with a cn: Tryton having the groupOfNames objectclass, including as members the user names of the tryton users, allows the memberOf overlay to work as intended.

So now I have working (using an openldap server):

uri = ldap://localhost:389/ou=People,dc=example,dc=org??subtree?(&(objectclass=inetOrgPerson)(memberOf=cn=Tryton,ou=Apps,dc=example,dc=org))


ps: I decided not to drop the idea of using an email address, since it seems it’s either ‘uid’ or another attribute, such as ‘mail’.
Too bad the configuration parameter ‘uid’ isn’t an ordered list like sessions->authentications.
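As an added illustration (example code, not from the thread and not Tryton's own ldap_authentication module), the script below parses an RFC 4516 LDAP URL of the shape used above (`scheme://host:port/base?attrs?scope?filter`), resolves the scope keyword through a table, and composes the per-login search filter. Two things are assumptions: the scope table deliberately contains only `base`, `one` and `subtree`, so that `sub` is rejected the way the thread describes (the real module's table is not shown here), and the way the login value is ANDed into the URI's filter is a plausible reconstruction, not the module's code. The RFC 4515 escaping of the login value is included because whatever is typed at the login prompt ends up inside that filter.

```python
"""Parse an RFC 4516 LDAP URL and build the login search filter (added example)."""
from urllib.parse import unquote, urlsplit

# URI from the thread (example.org values as posted there).
EXAMPLE_URI = (
    "ldap://localhost:389/ou=People,dc=example,dc=org??subtree?"
    "(&(objectclass=inetOrgPerson)(memberOf=cn=Tryton,ou=Apps,dc=example,dc=org))"
)

# Scope keywords this parser accepts. "sub" is deliberately absent to mirror the
# failure described in the thread (assumption: the real module's table is not shown).
SCOPES = {"base": "BASE", "one": "LEVEL", "subtree": "SUBTREE"}

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def check_filter_balanced(flt):
    """Return True when every '(' in the filter has a matching ')'."""
    depth = 0
    for ch in flt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def parse_ldap_uri(uri):
    """Split scheme://host:port/base?attrs?scope?filter into a dict of its parts."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    # urlsplit keeps everything after the first '?' as the query; the remaining
    # '?'-separated fields are attrs, scope and filter (missing ones are padded).
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, flt = (unquote(f) for f in fields[:3])
    scope = scope or "base"  # RFC 4516 default when the scope field is empty
    if scope not in SCOPES:
        raise ValueError("unknown scope %r; expected one of %s"
                         % (scope, ", ".join(sorted(SCOPES))))
    flt = flt or "(objectClass=*)"  # RFC 4516 default filter
    if not check_filter_balanced(flt):
        raise ValueError("unbalanced parentheses in filter: %r" % flt)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope],
        "filter": flt,
    }


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def login_filter(parsed, attribute, login):
    """AND an (attribute=login) term with the URI's filter.

    Assumption: this is one reasonable way to compose the lookup; the module's
    actual composition is not shown in the thread.
    """
    return "(&(%s=%s)%s)" % (attribute, escape_filter_value(login), parsed["filter"])


if __name__ == "__main__":
    parsed = parse_ldap_uri(EXAMPLE_URI)
    print(parsed)
    print(login_filter(parsed, "uid", "alice"))
    try:
        parse_ldap_uri(EXAMPLE_URI.replace("??subtree?", "??sub?"))
    except ValueError as exc:
        print("rejected:", exc)
```

Running it prints the parsed parts, the composed filter for `uid=alice`, and the rejection of the `sub` variant; swapping `uid` for `mail` in `login_filter` is the single-attribute choice the post above mentions.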