Support for Nested LDAP Groups
Preflight Checklist
- [X] I agree to follow the Code of Conduct that this project adheres to.
- [X] I have searched the issue tracker for an issue that matches the one I want to file, without success.
Problem Description
Being able to get all groups a user is a member of, even indirectly, would be very useful.
Proposed Solution
Indirect group memberships that match the search filter are added to the user's list of groups.
Alternatives Considered
If doing this by default is undesirable for backwards-compatibility reasons, add a config option to include them.
Additional Information
#838 was already created for this, but was closed as completed in an hour. However, it doesn't work at this point in time.
This discussion helped me. I use FreeIPA, where all groups are already resolved in the memberOf attribute of the user entry.
These are my final settings:

```yaml
groupSearch:
  baseDN: cn=groups,cn=accounts,dc=vdz,dc=novalocal
  filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
  nameAttr: cn
  groupAttr: entrydn
  userAttr: memberOf
userSearch:
  baseDN: cn=users,cn=accounts,dc=vdz,dc=novalocal
  emailAttr: mail
  filter: "(objectClass=person)"
  idAttr: uid
  nameAttr: displayName
  preferredUsernameAttr: uid
  username: uid
```
I am using Windows AD, and to get nested groups working (meaning a user who is a member of "group1", which is itself a member of "group2"), I used the following config (you have to add `:1.2.840.113556.1.4.1941:`). The token generated by Dex then contained both groups, "group1" and "group2".

```yaml
userSearch:
  baseDN: cn=Users,dc=baremetal,dc=xyz
  filter: "(objectClass=person)"
  username: cn
  idAttr: DN
  emailAttr: mail
  nameAttr: cn
groupSearch:
  baseDN: cn=Users,dc=baremetal,dc=xyz
  filter: "(objectClass=group)"
  userMatchers:
    - userAttr: DN
      groupAttr: "member:1.2.840.113556.1.4.1941:"
  nameAttr: cn
```
This seems to fail when the user is in many groups and the LDAP server is just a little too slow to retrieve all of them. The issue is that using groupSearch.userMatchers.userAttr: memberOf results in one lookup per memberOf value returned by the user lookup.
The error I'm getting is:
Failed to finalize login: failed to update auth request: not found
My uneducated guess is that it's related to https://github.com/dexidp/dex/issues/1969 where garbage collection happens before it can finish looking up all the groups.
The ideal solution would be to trust the list of memberOf attributes returned from the user and bypass the group search altogether.
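As an added example (my own code, not part of this issue thread or of the dex code base), the following builds the two kinds of LDAP search filter discussed above: the Active Directory `member:1.2.840.113556.1.4.1941:` matching-rule-in-chain filter that resolves nested groups in one query, and a single batched filter that fetches every group listed in a user's memberOf attribute instead of issuing one search per value. Both take values that come from a directory entry or from the user, so they are escaped per RFC 4515 before being spliced into the filter; without that, a crafted DN or username can inject filter syntax. The function names, the default attribute names, and the sample DNs are assumptions for illustration.

```python
"""Build LDAP search filters for nested-group lookups with RFC 4515 escaping.

Added example, not dex's own code. Helper and constant names are my own.
"""

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, the extensible matching
# rule that makes the server follow group-in-group membership transitively.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Characters that carry meaning inside a filter assertion value (RFC 4515 section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_group_filter(user_dn: str,
                        member_attr: str = "member",
                        group_filter: str = "(objectClass=group)") -> str:
    """Return a filter matching every group the user is in, directly or via nesting.

    This is one AD query doing what the 'member:1.2.840.113556.1.4.1941:'
    groupAttr in the config above asks dex to do. Commas and '=' in a DN are
    fine unescaped; only the characters in _FILTER_ESCAPES are special.
    """
    matcher = f"({member_attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"
    return f"(&{group_filter}{matcher})"


def memberof_batch_filter(group_dns,
                          dn_attr: str = "entrydn",
                          group_filter: str = "(|(objectClass=posixGroup)(objectClass=groupOfNames))") -> str:
    """Return one filter that fetches all groups named in a memberOf attribute.

    Replaces the one-search-per-memberOf-value pattern with a single OR'd
    search, so a slow server and a user with many groups do not multiply
    round trips. Raises if there is nothing to look up, because an empty
    OR filter is invalid LDAP rather than "matches nothing".
    """
    group_dns = list(group_dns)
    if not group_dns:
        raise ValueError("no group DNs to look up")
    clauses = "".join(f"({dn_attr}={escape_filter_value(dn)})" for dn in group_dns)
    if len(group_dns) == 1:
        return f"(&{group_filter}{clauses})"
    return f"(&{group_filter}(|{clauses}))"


if __name__ == "__main__":
    # Constructed sample DNs in the style of the two configs above.
    print(nested_group_filter("CN=alice,CN=Users,DC=baremetal,DC=xyz"))
    print(memberof_batch_filter([
        "cn=admins,cn=groups,cn=accounts,dc=vdz,dc=novalocal",
        "cn=devs,cn=groups,cn=accounts,dc=vdz,dc=novalocal",
    ]))
    # A DN carrying filter syntax is neutralised rather than interpreted.
    print(nested_group_filter("x)(objectClass=*"))
```

The escaping matters most for the nested-group case, because the value spliced into the filter is the user's own DN, which an attacker who can create or rename directory entries may influence; an unescaped `*` or `)` there turns a membership check into a broader query.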