[DOCS-8426] OpsManager LDAP support clarification Created: 26/Jul/16  Updated: 23/Sep/16  Resolved: 22/Sep/16

Status: Closed
Project: Documentation
Component/s: Ops Manager
Affects Version/s: None
Fix Version/s: 3.4.0, mongodb-3.4p1

Type: Improvement Priority: Critical - P2
Reporter: Ricardo Lorenzo Assignee: Anthony Sansone (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Participants:
Days since reply: 7 years, 20 weeks, 5 days ago
Epic Link: 3.4: LDAP Authorization
Story Points: 0.5

Description

Due to the current design for the LDAP membership, it is likely that OpsManager isn't able to support most of the directory implementations (i.e. Red Hat 389, Oracle Directory Server, IBM Tivoli Directory Server, etc.).

I believe we should state that we only support Active Directory (with some important restrictions). For example, if the groups in the directory are using a nested membership, OpsManager won't be able to detect the membership, as per the Microsoft documentation in relation to the memberOf attribute:

Be aware that this attribute lists the groups that contain the user in their member attribute—it does not contain the recursive list of nested predecessors. For example, if user O is a member of group C and group B and group B were nested in group A, the memberOf attribute of user O would list group C and group B, but not group A.

This attribute is not stored—it is a computed back-link attribute.

The support for memberOf-like attributes in other directories is not compatible with the current implementation. For example, the memberOf overlay available for OpenLDAP requires the attribute to be explicitly requested in the JNDI query. I guess we should test if that overlay works with the current OpsManager version, but I would say it won't work, as I can't see any specific attribute specification in the LDAP search.

The OpenLDAP behaviour is usually the same for the rest of the directory implementations, as you can see in the on-line documentation from other directories:

Attribute specific to this Directory Server instance and version of the schema.

Operational attribute used by the directory service; returned in ldapsearch only when specifically requested.

The value of this attribute may only be modified by the server.

I suggest mentioning that the only supported directory is Active Directory, which is supported with limitations like the lack of nested groups support.

https://docs.opsmanager.mongodb.com/current/tutorial/configure-for-ldap-authentication/#prerequisites
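The nested-group gap described above is easy to reproduce on a small model. The following Python is an added illustration written for this issue, not code from Ops Manager or from the linked UserSvcLdap.java: it builds a constructed in-memory directory matching the Microsoft example (user O is a direct member of groups C and B, and B is nested in A), shows that a memberOf-style back-link yields only the direct containers, and contrasts it with the transitive walk an authorization layer would need in order to honour nested groups. All DNs and group names are constructed for the demonstration. Note that for OpenLDAP's memberof overlay the attribute is operational, so a real search would also have to list it explicitly in the requested attributes, as the text above points out; that request-side detail is outside what this model covers.

```python
"""Direct vs. nested (transitive) group membership over LDAP-style group entries.

Constructed example: a tiny in-memory directory modelled on the Microsoft
memberOf description quoted in the issue. No real directory is contacted.
"""
from collections import deque

# Constructed directory: group DN -> set of member DNs (the group's "member"
# attribute). A group appearing as a member of another group is a nested group.
GROUPS = {
    "cn=A,ou=groups,dc=example,dc=com": {"cn=B,ou=groups,dc=example,dc=com"},
    "cn=B,ou=groups,dc=example,dc=com": {"uid=o,ou=people,dc=example,dc=com"},
    "cn=C,ou=groups,dc=example,dc=com": {"uid=o,ou=people,dc=example,dc=com"},
    "cn=D,ou=groups,dc=example,dc=com": {"uid=p,ou=people,dc=example,dc=com"},
}


def member_of(dn, groups=GROUPS):
    """What a memberOf-style back-link attribute yields: the groups that list
    `dn` directly in their member attribute, and nothing further up."""
    return {g for g, members in groups.items() if dn in members}


def nested_member_of(dn, groups=GROUPS):
    """Transitive closure of member_of: keep walking to the parents' parents
    until no new group appears. The `seen` set also guards against group
    cycles (A contains B and B contains A), which some directories allow."""
    seen = set()
    queue = deque(member_of(dn, groups))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(member_of(group, groups) - seen)
    return seen


def is_authorized(dn, required_group, groups=GROUPS, nested=False):
    """Membership check as an authorization hook would perform it. With
    nested=False it behaves like a check that trusts memberOf alone."""
    resolver = nested_member_of if nested else member_of
    return required_group in resolver(dn, groups)


if __name__ == "__main__":
    user_o = "uid=o,ou=people,dc=example,dc=com"
    group_a = "cn=A,ou=groups,dc=example,dc=com"
    print("direct memberOf :", sorted(member_of(user_o)))
    print("nested memberOf :", sorted(nested_member_of(user_o)))
    print("authorized for A via memberOf only:", is_authorized(user_o, group_a))
    print("authorized for A with nesting     :", is_authorized(user_o, group_a, nested=True))
```

Running the script shows the mismatch from the quoted documentation: the direct resolver reports B and C for user O, while only the nested resolver adds A. Any product that maps LDAP groups to roles by reading memberOf (or a configured equivalent) inherits the direct-only behaviour unless it performs the extra walk itself.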



Comments
Comment by Githook User [ 23/Sep/16 ]

Author:

{u'username': u'atsansone', u'name': u'Tony Sansone', u'email': u'tony.sansone@mongodb.com'}

Message: (DOCS-8426): Added note about no nested groups in LDAP.
Branch: master
https://github.com/10gen/mms-docs/commit/e19e5edafc67638f45db73b7df4a9cf8ec3e669f

Comment by Ricardo Lorenzo [ 16/Sep/16 ]

Thanks cory.mintz! I'm sorry for the delay in my answer.

The workaround should work in my opinion. We can test it against OpenLDAP overlay, and it should be the same physics laws for the rest of the directories. Thanks again!

Comment by Cory Mintz [ 15/Sep/16 ]

ricardo.lorenzo, this is the code path you were looking for, which includes the configured group attribute.
https://github.com/10gen/mms/blob/6abf4e8c0afdaf80221356ccd5cbfccaac3b8a1b/server/src/main/com/xgen/svc/mms/svc/user/UserSvcLdap.java#L362

Comment by Cory Mintz [ 15/Sep/16 ]

Ops Manager 3.4 QA is coming up soon, so I can tell you what we find in terms of the memberOf attribute being returned from OpenLDAP.

Comment by Cory Mintz [ 15/Sep/16 ]

I do not have a comprehensive list as to what directory services are supported and which aren't. To be honest I haven't used them all. I can say that when this feature was built and during QA, OpenLDAP was used. I think the point about nested groups is definitely true and should be added to the docs.

cc jordan.sumerlus / andrew.davidson

Comment by Timothy Olsen (Inactive) [ 13/Sep/16 ]

I honestly have no idea. cory.mintz Do you know or know someone who does?

Generated at Thu Feb 08 07:56:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.