CiscoDevNet / iPSK-Manager

Identity PSK (IPSK) Manager for Cisco ISE provides an example of how to manage the full Life Cycle of Wi-Fi Pre Shared Keys for supported Hardware/Software through Cisco ISE.
Apache License 2.0

Recursive Query against AD/LDAP not working #12

Closed stoege closed 5 months ago

stoege commented 3 years ago

Describe the bug
Hi, we're using iPSK to authenticate against LDAP/AD and it's mostly working fine. Recently, we experienced an error for some users who couldn't log in to the sponsor portal. We did some tests and figured out that recursive lookups against the LDAP/AD are not working. So, all the users for a certain group must be in the same OU.

Is it possible to fix/update this so that small recursion is possible (propose 2-3 levels, or maybe a variable for this?).

To Reproduce
Create an external group and assign:

External Group Distinguished Name: cn=highlevel,OU=Groups,OU=Users,DC=d,DC=comapany,DC=ch

-> all users in group highlevel can login to the portal

Users in the OU "cn=lowerleven,OU=highlevel,OU=Groups,OU=Users,DC=d,DC=comapany,DC=ch" for example are not able to log in. We assume that recursion is not done.

In the database, we found the following two related lines:

1676 2020-11-16 13:07:25 823c0a55-5fb26a43 /var/www/iPSK-Manager/supportfiles/portals/sponsorportal/default/login.inc.php 224 REQUEST:FAILURE{1}[user_authz_failure];ACTION:SPONSORAUTHZ;REMOTE-IP:xx.xx.xx.xx;USERNAME:xxxxxx;AUTHDIRECTORY:;
1677 2020-11-16 13:07:25 823c0a55-5fb26a43 /var/www/iPSK-Manager/supportfiles/portals/sponsorportal/default/index.inc.php 29 REQUEST:FAILURE[index_error]];ACTION:SPONSORPORTAL;CLIENTIP:xx.xx.xx.xx;HOSTNAME:hostname.domain;TCPPORT:8443;

Expected behavior
Users from "Highlevel" and "Lowerlevel" can log in to the portal.

Screenshots
Not needed.

Desktop (please complete the following information):

Thank you for your effort with iPSK. Highly appreciated.

Regards Daniel

cisco-garyoppel commented 3 years ago

@stoege Thank you for opening this request.

To make sure I understand the request, can you clarify if the recursion is not being performed on the OU or group level?

stoege commented 3 years ago

Hi Gary, thank you for your answer and support.

We are not sure, but we assume that the LDAP recursion on the OU level is not done with iPSK. Here is an example and a solution which may better describe our problem: https://stackoverflow.com/questions/33342910/php-ldap-get-allrecursive-activedirectory-users-in-a-node

Let me know if it's still not clear or you need another kind of information.

Regards Daniel

ciesinsn commented 11 months ago

@stoege Can you expand more on the issue? Are you talking about nested groups? That I can reproduce. But I'm not able to reproduce users being in different OUs from where the group is. If your issue is not nested group support, can you send screenshots of your directory structure showing the setup and a screenshot of how your groups are defined in iPSK?

Thanks

Nick

ciesinsn commented 5 months ago

@stoege While I can't reproduce the issue as you wrote it out (multi-level groups and a recursion issue) as long as I have the search base set correctly, if you were actually referring to nested group support, I just added that into the dev-saml-support branch. There is an option in platform settings to enable AD nested group support.

The dev-saml-support branch will be merging soon into the main branch.
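The two points raised in this thread, Daniel's request for a bounded recursion depth (2-3 levels or a configurable variable) and Nick's nested group support, come down to one algorithm: walking a group's `member` attribute through nested groups without looping forever, then deciding whether the authenticating user is in the resulting set. The block below is an added example and is not iPSK Manager's code; it uses a constructed in-memory directory (the DNs under `DC=example,DC=com` are made up) in place of an LDAP server, and the function names `expand_group`, `is_group_member` and `in_chain_filter` are assumptions of this example. The cycle guard matters because AD allows group A to contain group B and B to contain A, which makes an unguarded recursive lookup run until the PHP process hits its limits.

```python
# Added example: bounded, cycle-safe expansion of nested AD group membership.
# Not part of iPSK Manager; the directory below is a constructed stand-in for
# the 'member' attribute returned by an LDAP search against Active Directory.
from collections import deque

# Constructed sample data. Note that users live in OUs different from the
# group's OU, and that 'deep' points back to 'highlevel' (a membership cycle).
DIRECTORY = {
    "CN=highlevel,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=alice,OU=Staff,DC=example,DC=com",
            "CN=lowerlevel,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=lowerlevel,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=bob,OU=Contractors,DC=example,DC=com",
            "CN=deep,OU=Groups,DC=example,DC=com",
        ],
    },
    "CN=deep,OU=Groups,DC=example,DC=com": {
        "objectClass": "group",
        "member": [
            "CN=carol,OU=Staff,DC=example,DC=com",
            "CN=highlevel,OU=Groups,DC=example,DC=com",  # cycle back to the top
        ],
    },
    "CN=alice,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
    "CN=bob,OU=Contractors,DC=example,DC=com": {"objectClass": "user"},
    "CN=carol,OU=Staff,DC=example,DC=com": {"objectClass": "user"},
}


def expand_group(group_dn, directory, max_depth=3):
    """Return the set of user DNs that are direct or nested members of group_dn.

    max_depth is the number of nested group levels followed below group_dn
    (0 = direct members only). Groups already visited are never re-entered,
    so a membership cycle terminates instead of recursing forever.
    """
    seen_groups = {group_dn}
    users = set()
    queue = deque([(group_dn, 0)])  # breadth-first: (group DN, nesting depth)
    while queue:
        dn, depth = queue.popleft()
        entry = directory.get(dn)
        if entry is None:
            continue  # dangling member reference; skip rather than fail closed on the whole group
        for member_dn in entry.get("member", []):
            member = directory.get(member_dn)
            if member is None:
                continue
            if member.get("objectClass") == "group":
                if member_dn in seen_groups or depth >= max_depth:
                    continue  # cycle guard and depth limit
                seen_groups.add(member_dn)
                queue.append((member_dn, depth + 1))
            else:
                users.add(member_dn)
    return users


def is_group_member(user_dn, group_dn, directory, max_depth=3):
    """Authorization decision as a sponsor portal would make it: is the
    authenticated user's DN inside the (bounded) expansion of the group?"""
    return user_dn in expand_group(group_dn, directory, max_depth)


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def in_chain_filter(group_dn):
    """Server-side alternative for real AD: one search with the
    LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) lets the
    domain controller resolve nesting and cycles itself."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(group_dn)


if __name__ == "__main__":
    top = "CN=highlevel,OU=Groups,DC=example,DC=com"
    for depth in (0, 1, 3):
        print("depth", depth, sorted(expand_group(top, DIRECTORY, depth)))
    print(in_chain_filter(top))
```

With `max_depth=0` only alice is authorized (the behaviour Daniel reports), with `max_depth=1` bob joins, and with `max_depth=3` carol is included and the cycle through `deep` is stopped by the `seen_groups` check. Against a real directory, `in_chain_filter` does the same expansion in a single `ldap_search` call; the escaping helper is there because a group DN is untrusted input to a filter string and parentheses or `*` in a CN would otherwise change its meaning.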

ciesinsn commented 5 months ago

Closing issue with merge of nested group support in main branch