Bug #31421

LDAP: external groups mapping does not work with groups in groups

Added by Dirk Götz 11 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Authentication
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Having configured an Active Directory backend which uses groups in groups.
For login everything works fine when using a filter like memberOf:1.2.840.113556.1.4.1941:=..., so users can log in while being a member of a group which is a member of the group used in the filter.
But external group mapping does not work as expected. When the group from the filter is used, it does not map the users to the role. When the group is used which the user is directly a member of, it works like it should.

LDAP Authentication is configured with hammer like this:

hammer auth-source ldap create \
 --name "Management-AD" \
 --host "ad.example.com" \
 --tls true \
 --port 636 \
 --server-type "active_directory" \
 --account "foreman@example.com" \
 --account-password "password" \
 --base-dn "DC=example,DC=com" \
 --groups-base "DC=example,DC=com" \
 --ldap-filter "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=cn=Foreman,DC=example,DC=com))" \
 --onthefly-register true \
 --usergroup-sync true \
 --attr-login "sAMAccountName" \
 --attr-firstname "givenName" \
 --attr-lastname "sn" \
 --attr-mail "mail" \
 --location "location" \
 --organization "organization"

From what I have seen, ldap_fluff has a recursive group search for Active Directory, but I am not sure if this is used at all.
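To illustrate the gap the report describes, here is an added example (not Foreman or ldap_fluff code) that models a small, constructed AD-style directory and contrasts a direct memberOf check with the transitive membership that the 1.2.840.113556.1.4.1941 matching rule evaluates server-side; the group and user DNs are assumptions made up for the example.

```ruby
require "set"

# Constructed directory: each group DN maps to the DNs of its direct members
# (users or other groups). alice is a direct member of Foreman-Admins, which is
# nested inside Foreman (the group used in the login filter). Foreman-Ops refers
# back to Foreman to show that a walk must survive group cycles.
SAMPLE_DIRECTORY = {
  "CN=Foreman,DC=example,DC=com"        => ["CN=Foreman-Admins,DC=example,DC=com"],
  "CN=Foreman-Admins,DC=example,DC=com" => ["CN=Foreman-Ops,DC=example,DC=com",
                                            "CN=alice,DC=example,DC=com"],
  "CN=Foreman-Ops,DC=example,DC=com"    => ["CN=Foreman,DC=example,DC=com",
                                            "CN=bob,DC=example,DC=com"]
}.freeze

# Direct membership: what a plain "memberOf=<group>" comparison answers.
# This is the check that misses users who only belong via a nested group.
def direct_member?(directory, user_dn, group_dn)
  directory.fetch(group_dn, []).include?(user_dn)
end

# Transitive membership: what LDAP_MATCHING_RULE_IN_CHAIN answers. Walks the
# member lists depth-first; `seen` stops the walk when a group cycle recurs.
def nested_member?(directory, user_dn, group_dn, seen = Set.new)
  return false unless seen.add?(group_dn) # nil means already visited

  directory.fetch(group_dn, []).any? do |member_dn|
    member_dn == user_dn ||
      (directory.key?(member_dn) && nested_member?(directory, user_dn, member_dn, seen))
  end
end

# All groups an account belongs to, directly or through nesting. A role mapping
# built only from the direct list will not contain the parent group.
def effective_groups(directory, user_dn)
  directory.keys.select { |group_dn| nested_member?(directory, user_dn, group_dn) }
end
```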