LDAP plugin and nesting groups of AD


  • Developer

    Hi,

    I want to ask the @developers if it is possible to nest a group inside another.

    Actually I have set up the admin group with a group from my AD; the people inside it don’t have problems logging in, but this group has another group nested in it and the people in this last group cannot log in.

    Can the LDAP plugin manage AD groups that are nested?


  • Developer

    I follow with my problem :(
    I think that the best option is to ask for this new feature :)


  • Moderator

    @fernando-gietz You need to do what is best for your use case. Having hierarchical groups (groups embedded in groups) would be a nice addition to the ldap plugin. But so far only you have asked for this feature.


  • Developer

    I see in this function that it is possible to set up several different groups separated by colons (I didn’t know this) and with this I can solve my problem :)

    $adminGroups = explode(',', $adminGroup);
    

    Maybe it would be good to update the info in the wiki XD, I just saw it and it is very very old

    @george1421 If you want, we can continue with this or close the ticket


  • Moderator

    @fernando-gietz While I’m busy at the moment, we will also need to pick up the group search OU and the group name to fill out the query. To use the extended search with the OID, it looks like it needs the full LDAP path to the group to be a member of. But again I didn’t look at the whole code.

    I was wrong, you want to focus on this function

    private function _getAccessLevel($grpMemAttr, $userDN)
    

    line 581


  • Developer

    @george1421 I can take a look in my develop environment and see if works


  • Moderator

    @fernando-gietz It’s an extension to the query.

    This is the premise of what needs to be done.

    (&(objectCategory=Person)(sAMAccountName=jondoe)(memberOf:1.2.840.113556.1.4.1941:=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))
    

    This is the code section I’m looking at about line # 505 of /var/www/html/fog/lib/plugins/ldap/class/ldap.class.php

            $filter = sprintf(
                '(&(|(objectcategory=person)(objectclass=person))(%s=%s))',
                $usrNamAttr,
                $user
            );
    
    

    The (%s=%s) is roughly equivalent to (sAMAccountName=jondoe), but only for AD queries. I’m not a programmer, but I think we need to add an if statement where $usrNamAttr == sAMAccountName, then build the AD-specific query. I can see what needs to be done, I just need to work it out in my head.
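    The query shape discussed above, as an added illustration in Python rather than the plugin’s PHP (not the FOG project’s code): it builds the AD chained-membership filter with the LDAP_MATCHING_RULE_IN_CHAIN OID for one or more group DNs, and it goes one step beyond the sprintf() snippet by escaping the user name and DNs per RFC 4515 so a login name cannot alter the filter. Function and variable names are my own.

```python
# LDAP_MATCHING_RULE_IN_CHAIN: AD-only extensible match that walks memberOf
# transitively (nested groups). OpenLDAP does not support it.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515 §3).

    Only backslash, '*', '(', ')' and NUL are special; commas and '=' in a
    DN are plain characters inside a filter value and need no escaping.
    """
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def build_nested_member_filter(user_attr: str, user: str, group_dns: list) -> str:
    """Return a filter matching `user` only if it is a direct or nested
    member of at least one of `group_dns` (full DNs, as the thread notes).

    Note: the groups are passed as a list; splitting a comma-separated
    setting with explode(',') would break DNs, which contain commas.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    clauses = "".join(
        "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(dn))
        for dn in group_dns
    )
    if len(group_dns) > 1:
        clauses = "(|%s)" % clauses  # OR across the configured admin groups
    # Same person/user clause as the plugin, plus the escaped chained-membership term.
    return "(&(|(objectcategory=person)(objectclass=person))(%s=%s)%s)" % (
        user_attr, escape_filter_value(user), clauses
    )


if __name__ == "__main__":
    # Constructed sample values, matching the thread's example group.
    print(build_nested_member_filter(
        "sAMAccountName", "jondoe",
        ["cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp"]))
    # A crafted login name is neutralised instead of rewriting the filter:
    print(build_nested_member_filter("sAMAccountName", "*)(cn=*", ["cn=Admins,dc=test,dc=corp"]))
```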


  • Developer

    @george1421 said in LDAP plugin and nesting groups of AD:

    For AD the answer is maybe, but you must use an AD extension to ldap search. For openldap, no you can not use nested groups. I’m looking at the code to see what needs to happen to make this work. But in theory it’s possible.

    AD extension?


  • Moderator

    For AD the answer is maybe, but you must use an AD extension to ldap search. For openldap, no you can not use nested groups. I’m looking at the code to see what needs to happen to make this work. But in theory it’s possible.

