NetXMS Support Forum


Author Topic: LDAP Nested Group Membership?  (Read 395 times)

Staj

  • Newbie
  • Posts: 28
LDAP Nested Group Membership?
« on: October 04, 2018, 08:59:40 am »

Would you please consider adding in nested group membership support for the LDAP Sync feature for Active Directory users?

AD supports Rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) which is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match (Requires DN).

We use it for our LdapSearchFilter already for importing users in nested groups, e.g.:
Code:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=ACL-NetXMS-Users,OU=ACL,DC=example,DC=local))
- but, of course, this filter alone doesn't help when it comes to user membership of imported groups. Maybe it could be configured as a flag in Server Configuration that changes the group membership behaviour? I think LDAPConnection::updateMembers is responsible and would need to be changed?

Tatjana Dubrovica

  • Global Moderator
  • Full Member
  • Posts: 221
Re: LDAP Nested Group Membership?
« Reply #1 on: October 05, 2018, 10:48:13 am »

Currently NetXMS supports "Nested Group" functionality, so I'll just add the same for LDAP sync.

Tatjana Dubrovica

  • Global Moderator
  • Full Member
  • Posts: 221
Re: LDAP Nested Group Membership?
« Reply #2 on: October 10, 2018, 03:04:23 pm »

Fixed an issue in nested group sync; mostly it was working before my change.
I read your request again. We advise you to sync all intermediate groups. I have not found an easy way to get all groups, including nested ones, in the response under the "member" attribute. Otherwise it is too big a change.
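The two approaches discussed in this thread, side by side, as an added example that is not NetXMS code and not from either poster: building the in-chain filter with RFC 4515 escaping of the group DN, and expanding direct "member" values client side, which only reaches users whose intermediate groups were synced. All function names and every DN except ACL-NetXMS-Users are constructed for illustration.

```python
# Added example. Helper names and all DNs except ACL-NetXMS-Users are constructed.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_user_filter(group_dn):
    """Filter for users that are direct or nested members of group_dn."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(memberOf:%s:=%s))" % (IN_CHAIN, escape_filter_value(group_dn)))

def effective_users(group_dn, synced):
    """Walk "member" values of synced entries, client side.

    synced maps DN -> {"class": "user" or "group", "member": [DNs]}.
    Returns (users, unresolved); unresolved lists member DNs that were
    never synced, so anything nested below them is invisible.
    """
    index = {dn.lower(): (dn, entry) for dn, entry in synced.items()}
    users, unresolved, seen, stack = [], [], set(), [group_dn]
    while stack:
        dn = stack.pop()
        key = dn.lower()               # DN matching is case-insensitive
        if key in seen:
            continue                   # also stops circular nesting
        seen.add(key)
        if key not in index:
            unresolved.append(dn)
            continue
        dn, entry = index[key]
        if entry["class"] == "group":
            stack.extend(entry.get("member", []))
        else:
            users.append(dn)
    return sorted(users), sorted(unresolved)

BASE = "DC=example,DC=local"
ACL = "CN=ACL-NetXMS-Users,OU=ACL," + BASE
NOC = "CN=NOC,OU=Groups," + BASE            # constructed nested group
ALICE, BOB = "CN=alice,OU=Staff," + BASE, "CN=bob,OU=Staff," + BASE
SYNCED = {                                  # constructed sample directory
    ACL: {"class": "group", "member": [ALICE, NOC]},
    NOC: {"class": "group", "member": [BOB, ACL]},   # circular on purpose
    ALICE: {"class": "user"},
    BOB: {"class": "user"},
}

if __name__ == "__main__":
    print(in_chain_user_filter(ACL))
    print(effective_users(ACL, SYNCED))
```

A non-empty unresolved list is the signal that an intermediate group is missing from the sync and that effective access in the application will be narrower than in the directory.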