LDAP plugin and nesting groups of AD
-
Hi,
I want to ask the @developers if it is possible to nest a group inside another.
Currently I have set up the admin group with a group from my AD; the people inside it have no problems logging in, but this group has another group nested inside it, and the people in that last group cannot log in.
Can the LDAP plugin manage nested AD groups?
-
For AD the answer is maybe, but you must use an AD extension to the ldap search. For OpenLDAP, no, you cannot use nested groups. I'm looking at the code to see what needs to happen to make this work. But in theory it's possible.
-
@george1421 said in LDAP plugin and nesting groups of AD:
For AD the answer is maybe, but you must use an AD extension to the ldap search. For OpenLDAP, no, you cannot use nested groups. I'm looking at the code to see what needs to happen to make this work. But in theory it's possible.
AD extension?
-
@fernando-gietz It's an extension to the query.
This is the premise of what needs to be done.
(&(objectCategory=Person)(sAMAccountName=jondoe)(memberOf:1.2.840.113556.1.4.1941:=cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp))
This is the code section I'm looking at, at about line 505 of
/var/www/html/fog/lib/plugins/ldap/class/ldap.class.php
$filter = sprintf( '(&(|(objectcategory=person)(objectclass=person))(%s=%s))', $usrNamAttr, $user );
The (%s=%s) is roughly equivalent to (sAMAccountName=jondoe)
But only for AD queries. I'm not a programmer, but I think we need to add an if statement where $usrNamAttr == sAMAccountName
and then build the AD-specific query. I can see what needs to be done, I just need to work it out in my head.
-
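As an added example (PHP, since the plugin is PHP; this is not the FOG plugin's own code), here is how the if statement described above could build the AD-specific filter with the 1.2.840.113556.1.4.1941 matching rule, and how the comma-separated admin groups from _getAccessLevel could be folded into it. It assumes the groups are supplied as full DNs, and the function, parameter and variable names are all hypothetical.

```php
<?php
// Added example, not code from the FOG ldap plugin. When the login attribute
// is sAMAccountName (Active Directory), the user filter is extended with the
// LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) so that a user in
// a nested group also matches. Other servers (OpenLDAP) do not implement this
// rule, so they get the plain filter unchanged.

/**
 * @param string   $usrNamAttr attribute holding the login name (sAMAccountName, uid, ...)
 * @param string   $user       login name typed by the user (untrusted input)
 * @param string[] $groupDNs   full DNs of the groups whose (nested) members may log in
 */
function buildUserFilter(string $usrNamAttr, string $user, array $groupDNs = []): string
{
    // Escape every value placed in the filter so that a login name such as
    // "x*)(objectclass=*" cannot rewrite the query (LDAP filter injection).
    $filter = sprintf(
        '(&(|(objectcategory=person)(objectclass=person))(%s=%s)',
        ldap_escape($usrNamAttr, '', LDAP_ESCAPE_FILTER),
        ldap_escape($user, '', LDAP_ESCAPE_FILTER)
    );

    // sAMAccountName only exists on Active Directory, so use it as the signal
    // that the server understands the chain matching rule.
    if ($groupDNs !== [] && strcasecmp($usrNamAttr, 'sAMAccountName') === 0) {
        $clauses = '';
        foreach ($groupDNs as $dn) {
            $clauses .= sprintf(
                '(memberOf:1.2.840.113556.1.4.1941:=%s)',
                ldap_escape($dn, '', LDAP_ESCAPE_FILTER)
            );
        }
        // One group: plain clause; several groups: any of them (OR).
        $filter .= count($groupDNs) > 1 ? '(|' . $clauses . ')' : $clauses;
    }
    return $filter . ')';
}

// Constructed sample values; $ldap would come from ldap_connect()/ldap_bind().
$filter = buildUserFilter('sAMAccountName', 'jondoe', [
    'cn=TestGroup,ou=Groups,ou=CompanyUsers,dc=test,dc=corp',
]);
// A search with this filter returns the user entry only when the login name
// exists AND the account is a direct or nested member of the group, so an
// empty result means "deny" without walking the group tree in PHP:
// $result  = ldap_search($ldap, 'dc=test,dc=corp', $filter, ['dn']);
// $allowed = $result !== false && ldap_count_entries($ldap, $result) > 0;
```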
@george1421 I can take a look in my development environment and see if it works
-
@fernando-gietz While I'm busy at the moment, we will also need to pick up the group search OU and the group name to fill out the query. To use the extended search with the OID, it looks like it needs the full ldap path of the group to be a member of. But again, I didn't look at the whole code.
I was wrong, you want to focus on this function
private function _getAccessLevel($grpMemAttr, $userDN)
line 581
-
I see in this function that it is possible to set up several different groups separated by colons (I didn't know this), and with this I can solve my problem
$adminGroups = explode(',', $adminGroup);
Maybe it would be good to update the info in the wiki XD, I just saw it and it is very, very old
@george1421 If you want, we can continue with this or close the ticket
-
@fernando-gietz You need to do what is best for your use case. Having hierarchical groups (groups embedded in groups) would be a nice addition to the ldap plugin. But so far only you have asked for this feature.
-
I'll carry on with my problem.
I think that the best option is to ask for this new feature.