OpenLDAP Group Owners

LDAP is common in most organizations, and its groups are often used to limit access to different services. However, having people from the Operations team manage group members does not scale in a bigger organization. A solution could be to add more administrators, but that isn’t very secure in the long run; it’s better to delegate group administration to the members or to specific group administrators. This is where OpenLDAP Access Control comes in handy. The documentation takes some time to get around, so I’m giving some examples on how to manage group membership in OpenLDAP.

Let’s look at the ACL needed to allow members of a posixGroup to add and remove other members of that group. I recommend using ldapvi to manage cn=config, which holds the database configuration.

sudo ldapvi -h ldapi:/// -Y EXTERNAL -b cn=config will take you to the configuration; the ACLs are usually located under olcDatabase={1}hdb,cn=config.

The following line allows the memberUid attribute of entries under ou=Groups,dc=jhaals,dc=se to be changed by users who are themselves members of that group.

olcAccess: to dn.sub="ou=Groups,dc=jhaals,dc=se" attrs=memberUid by set="this/memberUid & user/uid" write by * read

Please note that the ordering of the olcAccess entries is important, as are your previous ACLs: the first entry whose "to" clause matches decides, and within it the first matching "by" clause wins. If you’re having problems, it might help to change the ordering of the olcAccess entries. This is done by changing the index number inside the curly braces, e.g. {0}.

More control

There are situations where you don’t want to allow modifications by every group member, but only by specific “group owners”. Unfortunately there is no owner attribute in a regular posixGroup, and the groupOfUniqueNames objectClass cannot be combined with a posixGroup (both are structural object classes). My solution is a custom schema that extends the posixGroup with objectClass: owner, which allows multiple ownerUid: attributes.


gidNumber: 20001
cn: ops
memberUid: jhaals
memberUid: stefan
memberUid: nils
ownerUid: jhaals
objectClass: owner
objectClass: posixGroup
objectClass: top

owner.ldif, the schema required for this functionality:

dn: cn=owner,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: owner
olcAttributeTypes: ( NAME 'ownerUid' DESC 'MANDATORY: Group Owner' EQUALITY octetStringMatch SYNTAX )
olcObjectClasses: ( NAME 'owner' DESC 'MANDATORY: Group owner objectclass' SUP top AUXILIARY MAY ( ownerUid $ cn ) )

Import it using sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f owner.ldif

Updated ACL

olcAccess: to dn.sub="ou=Groups,dc=jhaals,dc=se" attrs=memberUid,ownerUid by set="this/ownerUid & user/uid" write by * read

Group owners can now change both the memberUid and the ownerUid attributes of any group where they are listed as owners.
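To see what the member ACL and the owner ACL above actually grant, here is a small Python model of how slapd evaluates these set ACLs. It is an added example, not slapd code or the post’s own; the directory entries are constructed, only the subset of ACL syntax used in this post (dn.sub, attrs=, set="this/X & user/Y", * read) is understood, and it also shows why swapping the order of the by clauses turns the members’ write access into read.

```python
from dataclasses import dataclass

# Constructed sample directory (not real slapd data): the ops group from the
# post plus three user entries; eve is neither a member nor an owner.
DIRECTORY = {
    "cn=ops,ou=Groups,dc=jhaals,dc=se": {
        "objectClass": ["top", "posixGroup", "owner"], "cn": ["ops"],
        "gidNumber": ["20001"], "memberUid": ["jhaals", "stefan", "nils"],
        "ownerUid": ["jhaals"],
    },
    "cn=jhaals,ou=Users,dc=jhaals,dc=se": {"uid": ["jhaals"]},
    "cn=stefan,ou=Users,dc=jhaals,dc=se": {"uid": ["stefan"]},
    "cn=eve,ou=Users,dc=jhaals,dc=se": {"uid": ["eve"]},
}

@dataclass
class Acl:
    dn_sub: str   # to dn.sub="..." (the subtree, base entry included)
    attrs: set    # attrs=...
    by: list      # ordered (who, level) pairs, one per 'by' clause

def who_matches(who, this, user):
    """'*' matches any bind; 'this/X & user/Y' matches when the target
    entry's X values and the bound user's Y values intersect."""
    if who == "*":
        return True
    left, right = (part.strip().split("/")[1] for part in who.split("&"))
    return bool(set(this.get(left, [])) & set(user.get(right, [])))

def access(acls, bind_dn, target_dn, attr):
    """Access level bind_dn gets on one attribute of target_dn: the first
    directive whose 'to' clause matches decides, and inside it the first
    matching 'by' clause wins; nothing after that is consulted."""
    this, user = DIRECTORY[target_dn], DIRECTORY[bind_dn]
    for acl in acls:
        in_scope = target_dn == acl.dn_sub or target_dn.endswith("," + acl.dn_sub)
        if in_scope and attr in acl.attrs:
            for who, level in acl.by:
                if who_matches(who, this, user):
                    return level
            return "none"  # directive matched but no 'by' clause did: denied
    return "none"  # no directive covers the request (modelled here as deny)

GROUPS = "ou=Groups,dc=jhaals,dc=se"
# The two olcAccess lines from the post, expressed as data.
MEMBER_ACL = [Acl(GROUPS, {"memberUid"},
                  [("this/memberUid & user/uid", "write"), ("*", "read")])]
OWNER_ACL = [Acl(GROUPS, {"memberUid", "ownerUid"},
                 [("this/ownerUid & user/uid", "write"), ("*", "read")])]
```

With the member ACL, stefan (a member) gets write on memberUid and eve gets read; with the owner ACL only jhaals gets write, on both memberUid and ownerUid.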

Teach your users how to use ldapvi (ldapvi -D "cn=jhaals,ou=Users,dc=jhaals,dc=se" --discover) and let them bind as themselves, or preferably write a shiny interface to manage users.

Group administration can now be delegated! \o/