Kipjr / Ldap_Login

piwigo plugin ldap login
http://piwigo.org/ext/extension_view.php?eid=650

Recursive LDAP query possible? #156

Open dinoschachten-bnitm opened 4 months ago

dinoschachten-bnitm commented 4 months ago

Using Piwigo 14.4 with LDAP Plugin 13.8, PHP 8.2.18, connecting to a Microsoft Active Directory:

Not working as expected: Users in nested groups cannot log in. However, they can log in if they are added directly to the "Group corresponding with users"/"The group that will get user rights".

My scenario: In my case there are certain departments in which all users are supposed to have access to Piwigo. In that case I have added their department group to the Piwigo users group ("Group corresponding with users"/"The group that will get user rights").

In other words: My users are members of the department group, which in turn is a member of the "Group corresponding with users"/"The group that will get user rights".

Expected behaviour: LDAP queries are done recursively, enabling the plugin to find members in nested groups, allowing these users to log in successfully (even if they are not added directly (but indirectly) to the specified group).

Looking at the plugin's configuration options, the Wiki and the history of issues, I could not find any information on whether this plugin supports a recursive LDAP search in order to find members of nested groups.

Kipjr commented 4 months ago

Hi,

Thanks for contacting me. It would seem you need to use this feature

https://serverfault.com/questions/978336/ldap-filter-for-members-of-a-group

Can you test this with the filter on configuration page?

dinoschachten-bnitm commented 4 months ago

Hi,

thanks for the swift reply!

Is "User Object Filter" the correct field?

I have not yet gotten this to work - here's what I've tried:

In the field "User Object Filter" I entered my filter in this format: memberOf:1.2.840.113556.1.4.1941:=cn=groupname,ou=parentOU,dc=ad,dc=example,dc=com

The segment starting at "cn=groupname..." is identical to the group I specified in the field "Group corresponding with users".

I also tried the filter with brackets: (memberOf:1.2.840.113556.1.4.1941:=cn=groupname,ou=parentOU,dc=ad,dc=example,dc=com)

Noticing the "Required for user filter" note, but uncertain if I understood it correctly, I also tried these three variations: (&(&(objectClass=user)(Username_Attribute=userPrincipalName))(memberOf:1.2.840.113556.1.4.1941:=cn=groupname,ou=parentOU,dc=ad,dc=example,dc=com)

(&(&(objectClass=user)(userPrincipalName=*))(memberOf:1.2.840.113556.1.4.1941:=cn=groupname,ou=parentOU,dc=ad,dc=example,dc=com)

(&(&(objectClass=user)(userPrincipalName=Login_Form_username))(memberOf:1.2.840.113556.1.4.1941:=cn=groupname,ou=parentOU,dc=ad,dc=example,dc=com)

With the second variant (brackets), direct members of the group can log in; however, indirect ones still cannot.

With all other variants, no LDAP users can log in.

I assume I still haven't gotten the syntax right... BTW: Do I have to clear the User Object Class and Username Attribute fields?