Hi all,
as stated in the topic title, this is actually not a privacyIDEA specific topic but rather kind of a problem with LDAP queries to Active Directory - maybe someone can give me a slight push in the right direction.
I’d like to assign policies to specific users based on their group membership in Active Directory.
Using a filter like
(&(sAMAccountName=*)(objectClass=person)(!(objectClass=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
in the respective LDAP resolver I get a list of all matching users - with all groups they are direct members of as memberOf attributes. Unfortunately our Active Directory heavily relies on nested groups so that I only get a fraction of the groups of which the user is a nested member.
Is there a possibility to solve this problem and if so, how could it be done?
Thanks for this hint. I already know LDAP_MATCHING_RULE_IN_CHAIN, but I don’t have any clue how to use it in my current situation.
As far as I know LDAP_MATCHING_RULE_IN_CHAIN is used to return all members of a given group (in a filter like (memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x)) or all groups of a given user (as in (member:1.2.840.113556.1.4.1941:=cn=user1,cn=users,DC=x)), but I need to get all users with all groups for usage in a LDAP user resolver.
But to get all groups a user is member of through nesting privacyIDEA needs to use LDAP_MATCHING_RULE_IN_CHAIN in fetching the user object. Is there any way to make it behave that way?
I think this is not possible, since the matching rule OID 1.2.840.113556.1.4.1941 LDAP_MATCHING_RULE_IN_CHAIN can only be used in the match filter but not in the return value.
privacyIDEA does not actively modify or enhance the return value (aka objects or attributes), returned by the LDAP server.