LDAP groups and roles mapping

Paul Fertser fercerpav at gmail.com
Tue Jan 11 08:00:33 AEDT 2022


On Mon, Jan 10, 2022 at 06:56:32PM +0300, Alexander A. Filippov wrote:
> On Mon, Jan 10, 2022 at 05:40:02PM +0300, Paul Fertser wrote:
> > On Mon, Jan 10, 2022 at 05:12:46PM +0300, Alexander A. Filippov wrote:
> > > Our customers want LDAP groups and roles mapping working not only by primary
> > > group, but also by the membership in one of these groups.
> > > And this requirement seems to me reasonable.
> > 
> > A sidenote: windows active directory admins might also want you to
> > take nested groups into consideration. I suggest you check with the
> > customers if that's the case or not.
> > 
> 
> Yes, it looks like a problem.
> I'm afraid that the recursive queries will take too long to execute and PAM
> will reject by timeout.

But phosphor-ldap-config already special-cases
ConfigIface::Type::ActiveDirectory so instead of

        confData << "filter passwd (&(objectClass=user)(objectClass=person)"
                    "(!(objectClass=computer)))\n";

it can use something like

filter passwd (&(Objectclass=user)(!(objectClass=computer))(memberOf:1.2.840.113556.1.4.1941:=cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test))

(phosphor-ldap-config generates /etc/nslcd.conf; this particular
example is from Cumulus Linux; instead of
cn=cumuluslnxadm,ou=groups,ou=support,dc=rtp,dc=example,dc=test the full
DN of any group can be specified)

> But `phosphor-user-manager` allows creating mappings of several LDAP groups
> into one role and thus, I suppose, we can claim that we don't support the nested
> groups.

Please consider supporting nested groups at least for AD; this seems
easy enough.

-- 
Be free, use free (http://www.gnu.org/philosophy/free-sw.html) software!
mailto:fercerpav at gmail.com
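As an added illustration of the AD filter discussed in the message above (not code from phosphor-ldap-config; the function names and the RFC 4515 escaping step are assumptions of this example), this builds the nslcd.conf "filter passwd" line for one or more group DNs using the server-side chain matching rule 1.2.840.113556.1.4.1941 quoted in the message:

```cpp
#include <string>
#include <vector>

// Escape one value for an LDAP search filter (RFC 4515 section 3): '*', '(',
// ')', '\' and NUL become a backslash plus two hex digits. Splicing a raw group
// DN into the filter would let a ')' or '*' in a CN rewrite the filter itself.
std::string escapeFilterValue(const std::string& value)
{
    std::string out;
    for (unsigned char c : value)
    {
        switch (c)
        {
            case '*':  out += "\\2a"; break;
            case '(':  out += "\\28"; break;
            case ')':  out += "\\29"; break;
            case '\\': out += "\\5c"; break;
            case '\0': out += "\\00"; break;
            default:   out += static_cast<char>(c);
        }
    }
    return out;
}

// Build the nslcd.conf "filter passwd" line for Active Directory that admits
// only users who are members, directly or through nested groups, of at least
// one of the given groups. 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN,
// so the server walks the chain and nslcd issues a single query. Several DNs
// are OR-ed, matching phosphor-user-manager's many-groups-to-one-role mappings.
// An empty list degrades to the plain user filter with no group restriction.
std::string adNestedGroupPasswdFilter(const std::vector<std::string>& groupDns)
{
    const std::string rule = "(memberOf:1.2.840.113556.1.4.1941:=";
    std::string filter = "filter passwd (&(objectClass=user)(!(objectClass=computer))";
    if (groupDns.size() > 1)
    {
        filter += "(|";
    }
    for (const auto& dn : groupDns)
    {
        filter += rule + escapeFilterValue(dn) + ")";
    }
    if (groupDns.size() > 1)
    {
        filter += ")";
    }
    return filter + ")";
}
```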