dex
feat(connector/ldap): add indirect group membership search
Signed-off-by: Yann Soubeyrand [email protected]
Overview
This PR adds the ability to search indirect group membership for a user with LDAP connector.
What this PR does / why we need it
Currently, LDAP connector cannot return indirect group membership for a user (indirect groups are groups which the user’s groups are members of). This is a problem when your users are placed in organizational groups and these organizational groups are then used to give access to services by placing them in turn in service groups. Currently, only the organizational groups are returned, whereas you need the service groups to authorize the user to access the service or not. This PR adds indirect group membership lookup, so that service groups are also returned.
Special notes for your reviewer
Does this PR introduce a user-facing change?
This PR adds a new optional recursion configuration section in the groupSearch config section.
LDAP connector: add indirect group membership lookup
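The lookup the PR describes (organizational groups nested inside service groups, followed up to a configured recursion depth) can be shown with a small in-memory stand-in for the directory. The following is an added example, not code from the dex LDAP connector or from this PR: `Directory`, `RecursionConfig`, `MaxDepth` and the sample DNs are all assumptions made for illustration, and the map stands in for reading each group entry's own group membership from the LDAP server.

```go
package main

import (
	"fmt"
	"sort"
)

// Directory is a constructed, in-memory stand-in for an LDAP server. It maps
// a group DN to the DNs of the groups that group is itself a member of, which
// is what a per-group membership search against a real server would return.
type Directory map[string][]string

// RecursionConfig is a hypothetical shape for an optional recursion setting:
// MaxDepth bounds how many nesting levels are followed (0 = direct groups only).
type RecursionConfig struct {
	MaxDepth int
}

// ResolveGroups takes the user's direct group DNs and walks group-of-group
// membership breadth-first, returning the sorted, de-duplicated set of direct
// and indirect groups reachable within MaxDepth levels. The visited set stops
// cycles (A member of B, B member of A), which real directories do contain, so
// the walk terminates even without a depth limit.
func ResolveGroups(dir Directory, direct []string, cfg RecursionConfig) []string {
	visited := make(map[string]bool)
	frontier := append([]string(nil), direct...)
	for _, g := range frontier {
		visited[g] = true
	}
	for depth := 0; depth < cfg.MaxDepth && len(frontier) > 0; depth++ {
		var next []string
		for _, g := range frontier {
			for _, parent := range dir[g] {
				if !visited[parent] {
					visited[parent] = true
					next = append(next, parent)
				}
			}
		}
		frontier = next
	}
	out := make([]string, 0, len(visited))
	for g := range visited {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// sampleDirectory is constructed data: an organizational group nested in a
// service group, a second service group above it, and a deliberate cycle
// between the two service groups.
func sampleDirectory() Directory {
	return Directory{
		"cn=team-payments,ou=org,dc=example,dc=org": {"cn=svc-billing,ou=svc,dc=example,dc=org"},
		"cn=svc-billing,ou=svc,dc=example,dc=org":   {"cn=svc-finance,ou=svc,dc=example,dc=org"},
		"cn=svc-finance,ou=svc,dc=example,dc=org":   {"cn=svc-billing,ou=svc,dc=example,dc=org"},
	}
}

func main() {
	direct := []string{"cn=team-payments,ou=org,dc=example,dc=org"}
	// Depth 0 reproduces the current behaviour: only the organizational group.
	fmt.Println(ResolveGroups(sampleDirectory(), direct, RecursionConfig{MaxDepth: 0}))
	// Depth 1 adds the service group the organizational group belongs to.
	fmt.Println(ResolveGroups(sampleDirectory(), direct, RecursionConfig{MaxDepth: 1}))
	// A large depth reaches every nested group once despite the cycle.
	fmt.Println(ResolveGroups(sampleDirectory(), direct, RecursionConfig{MaxDepth: 10}))
}
```

The depth bound and the visited set serve different purposes: the visited set is what guarantees termination on cyclic group graphs, while the depth bound caps the number of round-trips to the server and lets an operator keep the lookup to the nesting levels they actually rely on for authorization.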
Hello, can I do something to help this PR move forward?
I cannot promise, but I will try to take a look at it.
Hello @nabokihms, have you had time to have a look at this PR?
This helped me in FreeIPA. It works if in your schema groups are resolved in the user entry. It uses legacy settings though; I encourage maintainers not to get rid of them, or to implement this behaviour using userMatchers.