Using CentOS 7.5, Apache 2.4.6. Running in a VM. No SSL.
I followed https://linuxhostsupport.com/blog/how-to-install-ldap-on-centos-7/ and configured OpenLDAP.
I created users and used the ldap_bind($ds, $userid, $password) to check if a valid user & password exists.
Now I am trying to find out if a user is a member of a particular group. For that, I looked at "ldap query for group members" (among others).
I think that I am making a mistake in creating the group.
Should I create an organizationalRole, group or posixGroup? As the final objective is to check which users are authorized to use which applications and functions therein (add/update/delete/etc.) I would say that organizationalRole is the thing to make. At the moment, I used:
groups.ldif:
dn: cn=MyAppUsers,dc=mydept,dc=mycompany
objectClass: top
objectClass: posixGroup
# the RDN value (MyAppUsers) must also be present as an attribute value
cn: MyAppUsers
cn: Authorized App1 Users
# gidNumber is a mandatory attribute of posixGroup; the value here is just an example
gidNumber: 10001
description: Users allowed to use App1
users.ldif:
dn: cn=MyAppUsers,dc=mydept,dc=mycompany
changetype: modify
add: memberUid
memberUid: cn=user1,ou=People,dc=mydept,dc=mycompany
memberUid: cn=user2,ou=People,dc=mydept,dc=mycompany
I tried different combinations of filters in ldap_search($ds,$basedn,$filter) but just can't seem to find the correct one. So, I'm thinking that it's not the query which is wrong, but the manner in which the group was created.
Both LDIFs above actually update the same entry. The first one creates it, the second one adds members to the group. However, the users added are referenced by Distinguished Names (DNs), and memberUid just expects a user ID. So they should be:
memberUid: user1
memberUid: user2
Then you can check if a user is part of the group with
ldap_search($ds, "cn=MyAppUsers,dc=mydept,dc=mycompany", "(memberUid=user1)")
Or you can search for all groups the user is part of with
ldap_search($ds, "dc=mydept,dc=mycompany", "(&(objectclass=posixGroup)(memberUid=user1))")
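The two searches from the answer, wrapped into PHP functions as an added example (this is not code from the question or the answer). It assumes a slapd reachable at ldap://localhost, a read-only bind DN cn=readonly,dc=mydept,dc=mycompany with password readonly-password, and the group and base DNs from the question. The one thing the answer's one-liners do not show is that the uid usually comes from a login form, so it is passed through ldap_escape() before being placed in the filter; otherwise a value such as `*` or `user1)(uid=*` would change what the filter matches.

```php
<?php
// Added example: check posixGroup membership with the PHP ldap_* extension.
// Assumed values (not from the original post): host, read-only bind DN and password.
$host     = 'ldap://localhost';
$basedn   = 'dc=mydept,dc=mycompany';             // from the question
$groupdn  = 'cn=MyAppUsers,' . $basedn;            // from the question
$bindDn   = 'cn=readonly,' . $basedn;              // assumed read-only service account
$bindPw   = 'readonly-password';                   // assumed

$ds = ldap_connect($host);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($ds) . PHP_EOL);
    exit(1);
}

/**
 * True if $uid is listed as memberUid on the single group entry $groupdn.
 * Uses ldap_read() (base scope) because only the group entry itself is examined.
 */
function isMemberOfGroup($ds, string $groupdn, string $uid): bool
{
    // Escape filter metacharacters so the user-supplied uid is matched literally.
    $filter = '(memberUid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
    $sr = @ldap_read($ds, $groupdn, $filter, ['memberUid']);
    if ($sr === false) {
        return false;          // group entry missing or not readable: treat as not a member
    }
    return ldap_count_entries($ds, $sr) === 1;
}

/**
 * Returns the cn of every posixGroup under $basedn that lists $uid as memberUid.
 */
function groupsForUser($ds, string $basedn, string $uid): array
{
    $filter = sprintf(
        '(&(objectClass=posixGroup)(memberUid=%s))',
        ldap_escape($uid, '', LDAP_ESCAPE_FILTER)
    );
    $sr = @ldap_search($ds, $basedn, $filter, ['cn']);
    $groups = [];
    if ($sr !== false) {
        $entries = ldap_get_entries($ds, $sr);   // attribute names are lower-cased here
        for ($i = 0; $i < $entries['count']; $i++) {
            $groups[] = $entries[$i]['cn'][0];
        }
    }
    return $groups;
}

// Usage: $uid would normally come from the authenticated login, never from an unescaped query string.
$uid = 'user1';
var_dump(isMemberOfGroup($ds, $groupdn, $uid));
print_r(groupsForUser($ds, $basedn, $uid));
ldap_unbind($ds);
```

Note that both functions only work once the group holds plain user IDs (`memberUid: user1`) as the answer describes; with the DN-valued entries from the question, `(memberUid=user1)` never matches because the stored value is the whole DN string.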