Would you please consider adding in nested group membership support for the LDAP Sync feature for Active Directory users?
AD supports Rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) which is a special extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match (Requires DN).
We use it for our LdapSearchFilter already for importing users in nested groups, e.g.:
(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=ACL-NetXMS-Users,OU=ACL,DC=example,DC=local))
-but, of course, this filter alone doesn't help when it comes to user membership of imported groups. Maybe it could be configured as a flag in Server Configuration that changes the group membership behaviour? I think LDAPConnection::updateMembers is responsible and would need to be changed?
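
An added sketch, not part of the original post and not NetXMS code: it builds the in-chain filter from the post for any group DN, escaping the DN per RFC 4515, and shows the client-side walk the matching rule replaces. All function names and the constructed sample directory (alice, bob, carol, ACL-Ops) are hypothetical.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

# RFC 4515 escapes for characters that are special inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a DN before placing it in a filter, so it cannot alter the filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def nested_members_filter(group_dn):
    """Filter matching users that are direct or nested members of group_dn."""
    dn = escape_filter_value(group_dn)
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(memberOf:{IN_CHAIN}:={dn}))")

def resolve_nested(directory, group_dn):
    """Client-side equivalent of the rule: follow 'member' links, cycle-safe."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue  # groups nested in each other would otherwise loop forever
        seen.add(dn)
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling member reference
        if entry["type"] == "user":
            users.add(dn)
        else:
            stack.extend(entry["member"])
    return users

# Constructed sample directory (hypothetical entries, not real data).
BASE = "OU=ACL,DC=example,DC=local"
TOP = f"CN=ACL-NetXMS-Users,{BASE}"
OPS = f"CN=ACL-Ops,{BASE}"
ALICE, BOB, CAROL = (f"CN={n},OU=Staff,DC=example,DC=local"
                     for n in ("alice", "bob", "carol"))
SAMPLE_DIR = {
    TOP: {"type": "group", "member": [ALICE, OPS]},
    OPS: {"type": "group", "member": [BOB, TOP]},  # cycle back to TOP
    ALICE: {"type": "user"}, BOB: {"type": "user"}, CAROL: {"type": "user"},
}

if __name__ == "__main__":
    print(nested_members_filter(TOP))
    print(sorted(resolve_nested(SAMPLE_DIR, TOP)))
```

Running the filter once per imported group returns that group's effective members in a single query, where a direct `member` read of ACL-NetXMS-Users in the sample would list only alice and the nested group.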