LDAP/AD Primary, Secondary, Membership Group

[schwos]

Can someone let me know if the SFTPGO_PLUGIN_AUTH_PRIMARY_GROUP_PREFIX is actually a prefix to a set of groups for example GROUPPREFIX_ or is is a full group name? I have been hitting my head against the wall for a bit and looking at the debug output and doesn't matter what way I put it I am not getting the result expected.

{"level":"debug","time":"2024-05-20T20:51:13.995","sender":"connection_failed","client_ip":"x.x.x.x","username":"demo_user","login_type":"password","protocol":"HTTP","error":"NOT NULL constraint failed: users_groups_mapping.group_id"}

That environment variable appears to be miss leading.

Lastly;

Do we just put the prefix in if it is a prefix or do we put the entire group name as:

cn=groupname, ou=groups, dc=domainname, dc=org etc..

edit:

After some trial and error I believe we determined how this is setup. It is just the group itself.

[SlothCroissant]

@schwos can you share your details on how you got this working? I'm struggling with the same prefix issues, and the same error.

[indoctrine]

+1, would also like to understand how this works or is configured. I've hunted through the code and it seems to be related to the LDAP group (providing the DN), but doesn't seem to actually do anything when applied. I was hoping for a way to automatically assign groups to users.

[bfd69]

hello guys !
as i'm also interested in this question so i looked into the code (please note tha i'm not related to this project) :
if your group is cn=groupname, ou=groups, dc=domainname, dc=org :
the prefix will be groupname as the DN is stripped from "cn=" and ",ou=groups, dc=domainname, dc=org"
then this will be compared to any group in your sftpgo conf that starts with "groupname"

note: the comparison is case insensitive but i recommend to use ascii characters only, for both sftp groups and ldap groups

example
if you have an ldap group your member of and that is named "mysuper" (cn=mysuper, ou=groups, dc=domainname, dc=org)
and if you have 3 groups in sftpgo that starts with mysuper, example : mysuper1, maysuper2 and mysuper3 then your user will be put these 3 groups

this is evaluated before require_groups

[indoctrine]

That's what I thought too, but in practice, it doesn't seem to do anything as the users aren't being assigned any groups. I am using this test LDAP server and logins work fine when not requiring groups.

Config:

  "plugins": [
      {
      "cmd": "/usr/local/bin/sftpgo-plugin-auth",
      "type": "auth",
      "auth_options": {
        "scope": 5
      },
      "args": [
        "serve",
        "--ldap-url=ldap://ldap.forumsys.com:389",
        "--ldap-base-dn=DC=example,DC=com",
        "--ldap-bind-dn=cn=read-only-admin,dc=example,dc=com",
        "--ldap-password=password",
        "--ldap-search-query=(&(objectClass=person)(uid=%username%))",
	"--require-groups",
	"--membership-group-prefix=scientists",
        "--skip-tls-verify=1"
      ],
      "auto_mtls": true
    }
  ]

SFTPGo groups

Logs are as you'd expect

{"level":"debug","time":"2025-04-13T23:42:33.826","sender":"plugins","message":"initialize"}
{"level":"debug","time":"2025-04-13T23:42:33.827","sender":"plugins","message":"no match for plugin process /usr/local/bin/sftpgo-plugin-auth"}
{"level":"debug","time":"2025-04-13T23:42:33.827","sender":"plugins","message":"create new auth plugin \"/usr/local/bin/sftpgo-plugin-auth\""}
{"level":"debug","time":"2025-04-13T23:42:33.827","sender":"plugins","message":"adding env vars with prefix \"SFTPGO_PLUGIN_AUTH_\" for plugin \"/usr/local/bin/sftpgo-plugin-auth\""}
{"level":"debug","time":"2025-04-13T23:42:33.827","sender":"plugins","message":"additional env vars for plugin \"/usr/local/bin/sftpgo-plugin-auth\": []"}
{"level":"info","time":"2025-04-13T23:42:33.827","sender":"plugins.auth","message":"configuring client automatic mTLS"}
{"level":"debug","time":"2025-04-13T23:42:33.841","sender":"plugins.auth","path":"/usr/local/bin/sftpgo-plugin-auth","pid":"16","message":"plugin started"}
{"level":"debug","time":"2025-04-13T23:42:33.841","sender":"plugins.auth","plugin":"/usr/local/bin/sftpgo-plugin-auth","message":"waiting for RPC address"}
{"level":"info","time":"2025-04-13T23:42:33.845","sender":"plugins.auth.sftpgo-plugin-auth","message":"[INFO]  authenticator created: dial URLs=[\"ldap://ldap.forumsys.com:389\"] base dn=\"DC=example,DC=com\" search query=\"(&(objectClass=person)(uid=%username%))\""}
{"level":"info","time":"2025-04-13T23:42:33.847","sender":"plugins.auth.sftpgo-plugin-auth","message":"configuring server automatic mTLS"}
{"level":"debug","time":"2025-04-13T23:42:33.860","sender":"plugins.auth.sftpgo-plugin-auth","address":"/tmp/plugin3562288153","network":"unix","message":"plugin address"}
{"level":"debug","time":"2025-04-13T23:42:33.860","sender":"plugins.auth","version":"1","message":"using plugin"}
{"level":"debug","time":"2025-04-13T23:42:33.870","sender":"plugins","message":"start plugins checker"}
{"level":"debug","time":"2025-04-13T23:42:33.870","sender":"plugins.auth.stdio","message":"waiting for stdio data"}
{"level":"debug","time":"2025-04-13T23:42:57.315","sender":"plugins.auth.sftpgo-plugin-auth","message":"[DEBUG] no group found: username=einstein err=\"users without group membership are not allowed\""}
{"level":"debug","time":"2025-04-13T23:42:57.315","sender":"connection_failed","client_ip":"172.22.0.1","username":"","login_type":"password","protocol":"HTTP","error":"plugin auth error for user \"einstein\": rpc error: code = Unknown desc = users without group membership are not allowed, elapsed: 1.456296697s, auth scope: 1"}

I would log a bug, but suspect I'd be told I'm just doing it wrong, but the least I can do is drop some of my troubleshooting here and hope it helps someone since I've had to do a lot of digging just to get this far.

[bfd69]

how is you user constructed in your ldap ?
as i understand it, your user must have memberOf entries, and openldap dont present them by default, this functionnality is provided by the memberOf "overlay"
if you want to know if your openldap support this overlay you can execute this command :

slapcat -n 0 | grep olcModuleLoad

and you should get something like this :

olcModuleLoad: {0}back_mdb
olcModuleLoad: {1}memberof
olcModuleLoad: {2}refint

if you have this module installed you should create groupsOfUniqueNames, not GroupOfNames !
inside it add your members with uniqueMember entries (see the screenshots) not memberUid !

and the membership will be automatically reflected in the user account as memberOf entries.

maybe you should set SFTPGO_PLUGIN_AUTH_LDAP_GROUP_ATTRIBUTES with "memberOf"

note : on most of ldap browsers you have to set something like "retrieve operational attributes" to make memberOf appear. maybe because its part of an overlay...
even with ldapsearch you should explicitely ask for memberOf attributes as they are not reftrieved by default

hope this will help you

[indoctrine]

I changed tack and spun up an Active Directory because it's closer to my end state and what the plugin expects by default. I was using a public OpenLDAP server to try and lab up the concept before implementing for real, so I have no idea how it was originally configured. I'm using the default setup for AD now and all my groups and Users are in CN=Users,DC=example,DC=com

Config now looks like this:

      "args": [
        "serve",
        "--ldap-url=ldap://172.31.xxx.xxx",
        "--ldap-base-dn=CN=Users,DC=example,DC=com",
        "--ldap-bind-dn=CN=Administrator,CN=Users,DC=example,DC=com",
        "--ldap-password=XXXXXXX",
        "--ldap-search-query=(&(objectClass=user)(sAMAccountType=805306368)(sAMAccountName=%username%))",
        "--membership-group-prefix=cats",
        "--skip-tls-verify=1"
      ],

I have a user that is part of the cats group, there is an SFTPGo group called cats-readonly and still, it is not mapping the two together. The memberOf attribute for my user is filled out with CN=cats,CN=Users,DN=example,DC=com. Same result as above - able to login using LDAP, but no groups are assigned to the user.

[bfd69]

it was a good idea to switch to AD for tests puposes.
could you please share with us your debug logs ?
can you try to create/rename sftpgo group "cats-readonly" to "cats" so that ldap group name matches the sftpgo group name ?

maybe prefix acts just as a filter for ldap query...

[indoctrine]

Looks like an exact match for the SFTPGo group was the ticket. It's now working correctly.

Thank you so much for your help even though you were under no obligation to. 😄 Hopefully this issue can stand as documentation for anyone that stumbles across it.

P.S. I never actually got the environment variables working for this plugin, so just ended up just mounting my own copy of the sftpgo.json file into the container. So that's another tidbit that might help someone else.

[bfd69]

you made it work !!, i'm happy for you, it sure will serve me later, as im trying right now to make my own entrypoint for sftpgo.
personally i found the prefix idea confusing, most of similar projects just matches the ldap group with local groupsn even creating them on the fly.
hope this will help someone else too
have a good day !

[paulrosberg]

Was looking into this the other day and just wanted share my experience.

I have been using the env lines in /etc/sftpgo/env.d/sftpgo-plugin-auth and during my testing I defined this:
SFTPGO_PLUGIN_AUTH_PRIMARY_GROUP_PREFIX="sftpgo_primary_"
SFTPGO_PLUGIN_AUTH_SECONDARY_GROUP_PREFIX="sftpgo_secondary_"
SFTPGO_PLUGIN_AUTH_MEMBERSHIP_GROUP_PREFIX="sftpgo_membership_"

I now created three groups in the AD called:
sftpgo_primary_test
sftpgo_secondary_test
sftpgo_membership_test

I also created the same groups in SFTPGO (exactly the same names as in the AD).

Now if I add the user test to the sftpgo_primary_test in the AD, it will be added to the group sftpgo_primary_test in SFTPGO as a primary group for user test. It works the same way with the other groups.

Another thing to keep in mind is that if you ex. Create the group sftpgo_membership_test in the AD and add user test to this group but do NOT add the group sftpgo_membership_test to SFTPGO, the user will not be able to log in!
On SFTP prommpt you get "Permission denied, please try again." Looking in the debug logs you see something like:
"error":"NOT NULL constraint failed: users_groups_mapping.group_id"

So a AD group that matches the configured group prefix MUST also exist in SFTPGO.

Another finding is that if you use this env:
SFTPGO_PLUGIN_AUTH_PRIMARY_GROUP_PREFIX="SFTPGO_PRIMARY_"
and you create a AD group called "SFTPGO_PRIMARY_TEST"
the group in SFTPGO can not be in UPPERCASE but needs to be in lowercase!
So the group in SFTGO in this case needs to be "sftpgo_primary_test"