Adambean / gitlab-ce-ldap-sync

Synchronise users and groups (including group members) from an LDAP instance with Gitlab CE (and EE in free tier) self-hosted instance(s).
Apache License 2.0

Group #1 / member #1: No matching user name found for group member attribute "member" #32

Open d0lb33 opened 1 year ago

d0lb33 commented 1 year ago

When specifying a group DN, it fails to find members of the group. My guess is that the users are not included in the same OU as the GroupDN, so it can't find them?

I've removed the groupdn query and it works, but I have a bunch of unwanted groups.

It also works if I specify the group dn to point to an OU with users, and groups that are assigned users.

My config for reference: [screenshot]

Adambean commented 1 year ago

Are you sure you're using the right attributes for groupMemberAttribute?

I've just checked on my own Active Directory instance. My "sAMAccountName" is "Adam Reece", but looking at the groups I'm in, "member" refers to my user's whole DN -- not just the username. I would expect that "memberUid" is necessary because that would match what I've got for "sAMAccountName" used by userUniqueAttribute.

d0lb33 commented 1 year ago

This is the warning I get: [screenshot]

This is the attribute for members for one of the groups: [screenshot]

memberUid is blank for the group, and the user doesn't have one.

Adambean commented 1 year ago

It likely works for me as I have the "Subsystem for UNIX-based Applications" feature installed, so POSIX attributes such as "uid" and "memberUid" are automatically present in my AD.

The problem you've got here is that your user's "sAMAccountName" and group's "member" attributes simply don't match identically. You can overrule this behaviour with userMatchAttribute. Specifically this part:

For instance, in some Microsoft Active Directory versions, groups possess a "member" attribute that lists the "distinguishedName" attributes of each member of the group. The user name however is a different attribute of each user being attributed to that group. In this case, set userMatchAttribute to "distinguishedName" and userUniqueAttribute to your user name attribute.

d0lb33 commented 1 year ago

Thanks for the help, I am not too familiar with AD/LDAP so this is all a learning experience.

I've made those changes, and get the same error as before: [screenshots]

d0lb33 commented 1 year ago

Actually, I think it worked.

But, the problem is my group has another group in it.

So I have GitLab Admins (members -> SDMI Admins)...

Is there a way to resolve that group to individual members, kind of how I did with my user filter? "memberOf:1.2.840.113556.1.4.1941"

The group with just users synced fine.

Macleykun commented 1 year ago

> Actually, I think it worked.
>
> But, the problem is my group has another group in it.
>
> So I have GitLab Admins (members -> SDMI Admins)...
>
> Is there a way to resolve that group to individual members, kind of how I did with my user filter? "memberOf:1.2.840.113556.1.4.1941"
>
> The group with just users synced fine.

heya, have you been able to find out how to work the nesting out?
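As an added illustration (not code from gitlab-ce-ldap-sync or any of the commenters), here is a small offline model of the two problems in this thread: matching AD's DN-valued "member" attribute against the wrong user attribute (what userMatchAttribute fixes), and expanding a group that contains another group. The directory entries are constructed sample data; the attribute names are the ones discussed above.

```python
# Constructed AD-style sample directory (not real data), keyed by DN.
# As in the thread, "member" lists member DNs rather than user names.
DIRECTORY = {
    "CN=GitLab Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=SDMI Admins,OU=Groups,DC=example,DC=com",
                   "CN=Jane Doe,OU=Users,DC=example,DC=com"],
    },
    "CN=SDMI Admins,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=John Roe,OU=Users,DC=example,DC=com",
                   "CN=GitLab Admins,OU=Groups,DC=example,DC=com"],  # nesting cycle
    },
    "CN=Jane Doe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    "CN=John Roe,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["jroe"]},
}

def attr_values(dn, entry, attr):
    """distinguishedName is the entry's own DN; anything else is a stored attribute."""
    return [dn] if attr == "distinguishedName" else entry.get(attr, [])

def resolve_members(group_dn, directory=DIRECTORY, member_attr="member",
                    match_attr="distinguishedName", unique_attr="sAMAccountName",
                    _seen=None):
    """Return the user names (unique_attr) of all transitive members of group_dn.

    Each value of the group's member_attr is matched against match_attr of every
    entry; a match that is itself a group is expanded recursively, with a visited
    set guarding against nested-group cycles."""
    seen = set() if _seen is None else _seen
    if group_dn in seen:
        return set()
    seen.add(group_dn)
    names = set()
    for value in directory[group_dn].get(member_attr, []):
        hit = next((dn for dn, e in directory.items()
                    if value in attr_values(dn, e, match_attr)), None)
        if hit is None:
            continue  # the "No matching user name found" warning case
        if "group" in directory[hit].get("objectClass", []):
            names |= resolve_members(hit, directory, member_attr, match_attr, unique_attr, seen)
        else:
            names.update(attr_values(hit, directory[hit], unique_attr))
    return names

def nested_member_filter(group_dn):
    """Server-side alternative on AD: the LDAP_MATCHING_RULE_IN_CHAIN OID from the thread."""
    return f"(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:={group_dn}))"
```

With match_attr="sAMAccountName" no member DN matches anything and the result is empty, which is the situation behind the warning in this issue; with "distinguishedName" both the direct member and the member of the nested group are found.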