LDAP groups and roles mapping
Alexander A. Filippov
a.filippov at yadro.com
Tue Jan 11 02:56:32 AEDT 2022
On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> Hi,
>
> On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > Our customers want LDAP groups and roles mapping working not only by primary
> > group, but also by the membership in one of these groups.
> > And this requirement seems to me reasonable.
>
> A sidenote: Windows Active Directory admins might also want you to
> take nested groups into consideration. I suggest you check with the
> customers if that's the case or not.
>
Yes, it looks like a problem.
I'm afraid that the recursive queries will take too long to execute and PAM will
reject by timeout.
But `phosphor-user-manager` allows creating mappings of several LDAP groups
into one role and thus, I suppose, we can claim that we don't support nested
groups.
> AFAIK there's no standard way to do that (other than recursively walking
> through the group membership) but Microsoft has the
> LDAP_MATCHING_RULE_IN_CHAIN OID:
> https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax
>
> --
> Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
> mailto:fercerpav at gmail.com
--
Alexander
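An added illustration of the two membership strategies discussed in this thread (it is not code from phosphor-user-manager or from either poster): a filter builder that escapes the user DN per RFC 4515 before embedding it, switches between a plain `member` match and the AD-only LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) for nested lookups, and a client-side group walk with a depth cap and cycle guard that bounds how long the resolution can run. The group names, role names and mapping table are constructed sample data.

```python
"""Resolve a user's LDAP groups (direct and nested) and map them to roles."""
from typing import Dict, Set

# Microsoft AD extensible match rule that evaluates group-of-group chains server-side.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a user-controlled DN cannot alter the filter logic."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def membership_filter(user_dn: str, nested: bool) -> str:
    """Filter matching every group that lists the user as a member.

    nested=True uses the AD-specific chain rule; plain OpenLDAP ignores it, so the
    caller must know which server it talks to.
    """
    attr = "member:%s:" % LDAP_MATCHING_RULE_IN_CHAIN if nested else "member"
    return "(&(objectClass=group)(%s=%s))" % (attr, escape_filter(user_dn))


def effective_groups(direct: Set[str], parents: Dict[str, Set[str]],
                     max_depth: int) -> Set[str]:
    """Client-side nested resolution: breadth-first, bounded depth, cycle-safe."""
    seen, frontier = set(direct), set(direct)
    for _ in range(max_depth):
        nxt = set()
        for g in frontier:
            nxt |= parents.get(g, set())
        nxt -= seen          # cycle guard: never revisit a group
        if not nxt:
            break
        seen |= nxt
        frontier = nxt
    return seen


def roles_for(groups: Set[str], mapping: Dict[str, str]) -> Set[str]:
    """Several groups may map onto one role, as phosphor-user-manager allows."""
    return {mapping[g] for g in groups if g in mapping}


# Constructed sample directory: a cycle between two groups and a depth-2 chain.
SAMPLE_PARENTS = {"site-admins": {"bmc-admins"}, "bmc-admins": {"site-admins"},
                  "ops-l1": {"ops-l2"}, "ops-l2": {"ops-all"}}
SAMPLE_MAPPING = {"bmc-admins": "priv-admin", "ops-all": "priv-operator"}


def demo(direct: Set[str], max_depth: int = 5) -> Set[str]:
    return roles_for(effective_groups(direct, SAMPLE_PARENTS, max_depth), SAMPLE_MAPPING)
```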