Linux Administration

Advanced LDAP


LDAP Search Base

When CloudShark is configured for external authentication with LDAP it uses sssd behind the scenes to perform this. Part of configuring this includes setting an LDAP search base. This defines where CloudShark will search for users and also for information on which groups a user belongs to. For example, consider an LDAP server with the following locations that contain users and groups:

ou=users,dc=example,dc=com
ou=groups,dc=example,dc=com

To look up both users and groups with a single LDAP search base, this could be specified as dc=example,dc=com. However, this results in irrelevant searches: when searching for a user, for example, there is no need to search ou=groups,dc=example,dc=com. Once the LDAP server has to search many of these irrelevant locations, performance can quickly degrade, leading to long logins, or CloudShark may even time out a login before sssd has finished searching every location that matches the search base.

To optimize the LDAP search we can specify separate search bases for users and groups. The following could be added to the /etc/sssd/sssd.conf configuration file to optimize the search base in the example above:

ldap_user_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com

Now, when searching for users, CloudShark will only search the locations where users could possibly exist.

Complex Search Bases

Some LDAP servers may have multiple places where users or groups could exist, and it may be difficult to come up with a search base that is both specific enough to allow quick logins and general enough to cover each location where a user or group might exist. In this case multiple very specific search bases can be combined so that only those locations are searched. For example, if we had groups in the following locations:

ou=cloudshark user groups,dc=example,dc=com
ou=cloudshark admin groups,dc=example,dc=com
ou=network team,dc=example,dc=com

We could specify multiple search bases by using the following search base:

ou=cloudshark user groups,dc=example,dc=com???ou=cloudshark admin groups,dc=example,dc=com???ou=network team,dc=example,dc=com??

This would search all three locations for group information but avoid searching any other locations in dc=example,dc=com.

The general form of this is:

<Search Base 1>???<Search Base 2>???<Search Base N>??

This type of search base can be used for the global ldap_search_base as well as for ldap_user_search_base and ldap_group_search_base. Any filter used within this format must be a valid LDAP search filter as specified in RFC 2254.
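The general form above is sssd's base?scope?filter syntax with the scope and filter left empty, which is why each base is followed by two question marks and bases are separated by three. The following added example (not CloudShark's or sssd's code) builds such a value from the three group locations on this page and parses one back into its components, so a value can be checked before it goes into /etc/sssd/sssd.conf. The scope keywords are those sssd accepts; the requirement that a filter be parenthesised is this example's own sanity check.

```python
"""Build and parse sssd multi-location search bases.

Added example, not CloudShark's or sssd's own code.  It follows the
search-base syntax documented for sssd-ldap:
    search_base[?scope?[filter][?search_base?scope?[filter]]*]
The three group locations are the ones from the page; the function
names and the validation rules are this example's own.
"""
from typing import List, Tuple

# Scope keywords sssd accepts in the "?scope?" position ("" = sssd default).
VALID_SCOPES = {"", "base", "onelevel", "subtree"}

# The three group containers from the page, each with no scope and no filter.
GROUP_BASES = [
    ("ou=cloudshark user groups,dc=example,dc=com", "", ""),
    ("ou=cloudshark admin groups,dc=example,dc=com", "", ""),
    ("ou=network team,dc=example,dc=com", "", ""),
]


def build_search_base(entries: List[Tuple[str, str, str]]) -> str:
    """Join (base, scope, filter) triples into one sssd search-base value.

    An entry with empty scope and filter becomes "<base>??", so joining
    entries with "?" yields the "<base1>???<base2>??" form shown on the page.
    """
    parts = []
    for base, scope, ldap_filter in entries:
        if not base:
            raise ValueError("search base component must not be empty")
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r} for {base!r}")
        parts.append(f"{base}?{scope}?{ldap_filter}")
    return "?".join(parts)


def parse_search_base(value: str) -> List[Tuple[str, str, str]]:
    """Split an sssd search-base value back into (base, scope, filter) triples.

    A plain base with no "?" (e.g. "dc=example,dc=com") is one entry with
    empty scope and filter.  Otherwise the value must be a whole number of
    base?scope?filter groups.  Filters are assumed not to contain "?".
    """
    fields = value.split("?")
    if len(fields) == 1:
        return [(value, "", "")]
    if len(fields) % 3 != 0:
        raise ValueError("expected base?scope?filter, repeated with '?' between groups")
    triples = []
    for i in range(0, len(fields), 3):
        base, scope, ldap_filter = fields[i:i + 3]
        if not base:
            raise ValueError("empty search base component")
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        # Own sanity check: an RFC 2254 filter is always wrapped in parentheses.
        if ldap_filter and not (ldap_filter.startswith("(") and ldap_filter.endswith(")")):
            raise ValueError(f"filter must be parenthesised: {ldap_filter!r}")
        triples.append((base, scope, ldap_filter))
    return triples


if __name__ == "__main__":
    value = build_search_base(GROUP_BASES)
    print("ldap_group_search_base =", value)
    for base, scope, flt in parse_search_base(value):
        print(f"  base={base!r} scope={scope or 'default'} filter={flt or 'none'}")
    # A scoped, filtered entry for users (hypothetical values).
    print(build_search_base([("ou=users,dc=example,dc=com", "onelevel",
                              "(objectClass=posixAccount)")]))
```

Running the module prints the exact ldap_group_search_base value from the page, followed by its three components; a value that does not round-trip through parse_search_base is a sign of a stray or missing question mark.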

LDAP Group Membership

When sssd is looking up a user in the LDAP directory it also looks up the groups that the user is a member of. Additionally, by default, sssd will perform a query to look up all of the other users belonging to these groups and cache the result. For small LDAP instances this reduces the time it takes to look up subsequent users. In large LDAP instances with groups containing many users, however, this can take a long time and put a lot of strain on the LDAP server.

If you have LDAP groups with many users, you can disable caching of all the group membership information by adding the following line to your /etc/sssd/sssd.conf file:

ignore_group_members = true

Access Control

Access to CloudShark can be limited by configuring access control for sssd. This can be done by using either the simple access-control provider or the LDAP access-control provider.

Simple Access Control

To restrict access to CloudShark by either a list of users or groups that should be allowed access use the simple access-control provider by adding the following to your /etc/sssd/sssd.conf configuration file:

access_provider = simple

Then you can add one or more of the following lines to allow or deny a list of users or groups access to CloudShark:

simple_allow_users = <Comma separated list of users>
simple_deny_users = <Comma separated list of users>
simple_allow_groups = <Comma separated list of groups>
simple_deny_groups = <Comma separated list of groups>

For more information on using the simple access-control provider please see the manpage for sssd-simple.

LDAP Access Control

An LDAP access filter can also be used to limit access to CloudShark based on the LDAP attributes of a user. To use an LDAP access filter, add the following two lines to your /etc/sssd/sssd.conf configuration file:

access_provider = ldap
ldap_access_filter = <LDAP search filter>

For more information on using the LDAP access-control provider please see the manpage for sssd-ldap.
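The settings on this page are easy to leave out one at a time, and the access-control one matters most: without an access_provider, sssd's default is permit, so every directory user who can authenticate can log in to CloudShark. The following added example (not CloudShark's or sssd's code) reads a domain section of sssd.conf with Python's configparser and reports which of the page's recommendations are not applied. The two configuration texts are constructed for illustration; the domain name example.com, the group names and the ldap_uri host are placeholders.

```python
"""Audit an sssd.conf domain section against the settings described on this page.

Added example, not CloudShark's or sssd's own code.  It checks for the
user/group search bases, ignore_group_members and an access_provider.
Both configuration texts below are constructed; every name in them is a
placeholder.
"""
import configparser
from typing import List

# Constructed: a domain that works but leaves every default in place.
WEAK_CONF = """\
[sssd]
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
"""

# Constructed: the same domain with the settings this page recommends.
HARDENED_CONF = """\
[sssd]
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com
ldap_group_search_base = ou=cloudshark user groups,dc=example,dc=com???ou=cloudshark admin groups,dc=example,dc=com??
ignore_group_members = true
access_provider = simple
simple_allow_groups = cloudshark-users, cloudshark-admins
"""


def audit_domain(conf_text: str) -> List[str]:
    """Return one finding per page recommendation that an LDAP domain does not follow."""
    # sssd.conf is INI-style; disable interpolation so '%' in values is harmless.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider") != "ldap":
            continue
        # Search-base tuning: with only the global base every lookup walks
        # containers that can never hold the object being searched for.
        if "ldap_user_search_base" not in dom:
            findings.append(f"{section}: no ldap_user_search_base; user lookups use the global base")
        if "ldap_group_search_base" not in dom:
            findings.append(f"{section}: no ldap_group_search_base; group lookups use the global base")
        # Group-membership caching: fetches every member of every group the user is in.
        if dom.get("ignore_group_members", "false").lower() != "true":
            findings.append(f"{section}: ignore_group_members is not true; all group members are fetched and cached")
        # Access control: sssd's default access_provider is permit.
        provider = dom.get("access_provider", "permit")
        if provider == "permit":
            findings.append(f"{section}: access_provider is permit (the default); no LDAP user is denied")
        elif provider == "simple":
            if not any(k in dom for k in ("simple_allow_users", "simple_allow_groups")):
                findings.append(f"{section}: simple provider has no allow list; only deny lists apply")
        elif provider == "ldap":
            if not dom.get("ldap_access_filter"):
                findings.append(f"{section}: access_provider is ldap but ldap_access_filter is empty")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        result = audit_domain(text)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To run it against a real file, replace the embedded text with the contents of /etc/sssd/sssd.conf (the file is root-readable only, so run as root or copy it first). The checks are deliberately about presence of the settings, not their values: whether a given allow list or ldap_access_filter is correct still needs to be reviewed against the directory.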