Closed m-yosefpor closed 2 months ago
@tangyang9464 @JalinWang @imp2002
@m-yosefpor can you make a PR?
There are decisions that need to be made about how it works. Do we want to implement Group entities in the LDAP server? Right now for each user we have cn=sth,ou=myorg,dc=example,dc=com, but there is no LDAP entity equivalent for groups. So do we need to have sth like cn=mygroup,ou=groups,ou=myorg,dc=example,dc=com and then have the users' memberOf work like:
dn: uid=6677875c-9755-4b09-bde1-d0546e372a32,cn=sth,ou=myorg,dc=example,dc=com
cn: sth
uid: 6677875c-9755-4b09-bde1-d0546e372a32
memberOf: cn=mygroup,ou=groups,ou=myorg,dc=example,dc=com
Or we can ignore having group entities in LDAP, and only have sth like:
dn: uid=6677875c-9755-4b09-bde1-d0546e372a32,cn=sth,ou=myorg,dc=example,dc=com
cn: sth
uid: 6677875c-9755-4b09-bde1-d0546e372a32
memberOf: myorg/mygroup
The memberOf attribute is not defined in a standard RFC. Instead, it is commonly implemented as an operational attribute by various LDAP directory services such as Microsoft Active Directory and OpenLDAP with the memberOf overlay.
Which option should be implemented? The former would be a complete implementation but requires many changes, as it requires groups to have an entity in the LDAP server; the latter is simpler, and only returns the groups the user is a member of, which can be used in many use cases (including our use case).
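To make the two formats under discussion concrete, here is an added example (not Casdoor's own code) that renders a user entry in each shape from the thread and evaluates a `(memberOf=…)` equality filter over a set of entries, which is the query the issue is about. The `User` struct, the `dc=example,dc=com` base DN and the group names are constructed assumptions; the real Casdoor user and group model is not used here.

```go
package main

import (
	"fmt"
	"strings"
)

// User is a constructed stand-in for a Casdoor user (assumption, not Casdoor's model).
type User struct {
	Owner  string   // organization, e.g. "myorg"
	Name   string   // cn
	ID     string   // uid
	Groups []string // names of the organization's groups the user belongs to
}

// MemberOfFlatValues builds the second ("simpler") format from the thread:
// one "org/group" value per group, with no group entry in the directory.
func MemberOfFlatValues(u User) []string {
	vals := make([]string, 0, len(u.Groups))
	for _, g := range u.Groups {
		vals = append(vals, u.Owner+"/"+g)
	}
	return vals
}

// MemberOfDNValues builds the first format: each group is assumed to exist as
// cn=<group>,ou=groups,ou=<org>,<base>, and memberOf holds that entry's DN.
func MemberOfDNValues(u User, baseDN string) []string {
	vals := make([]string, 0, len(u.Groups))
	for _, g := range u.Groups {
		vals = append(vals, fmt.Sprintf("cn=%s,ou=groups,ou=%s,%s", g, u.Owner, baseDN))
	}
	return vals
}

// ToLDIF renders the user entry in the same layout the thread shows,
// with whichever memberOf values the caller chose.
func ToLDIF(u User, baseDN string, memberOf []string) string {
	var b strings.Builder
	fmt.Fprintf(&b, "dn: uid=%s,cn=%s,ou=%s,%s\n", u.ID, u.Name, u.Owner, baseDN)
	fmt.Fprintf(&b, "cn: %s\n", u.Name)
	fmt.Fprintf(&b, "uid: %s\n", u.ID)
	for _, m := range memberOf {
		fmt.Fprintf(&b, "memberOf: %s\n", m)
	}
	return b.String()
}

// MatchesMemberOf evaluates the equality filter (memberOf=want) against one
// entry's values. It is a whole-value comparison, never a prefix or substring
// test, so "myorg/admin" does not satisfy a filter for "myorg/admins".
// Case-insensitive comparison is assumed here, mirroring LDAP's usual
// caseIgnore/DN matching rules.
func MatchesMemberOf(memberOf []string, want string) bool {
	for _, m := range memberOf {
		if strings.EqualFold(m, want) {
			return true
		}
	}
	return false
}

// FindByMemberOf answers the search the issue asks for: "which users are in
// this group?", using the flat format.
func FindByMemberOf(users []User, want string) []string {
	var names []string
	for _, u := range users {
		if MatchesMemberOf(MemberOfFlatValues(u), want) {
			names = append(names, u.Name)
		}
	}
	return names
}

func main() {
	base := "dc=example,dc=com"
	// Constructed sample users; the uid below is the one quoted in the thread.
	users := []User{
		{Owner: "myorg", Name: "sth", ID: "6677875c-9755-4b09-bde1-d0546e372a32", Groups: []string{"mygroup", "grafana"}},
		{Owner: "myorg", Name: "other", ID: "00000000-0000-0000-0000-000000000000", Groups: []string{"admins"}},
	}
	fmt.Print(ToLDIF(users[0], base, MemberOfDNValues(users[0], base)))
	fmt.Println()
	fmt.Print(ToLDIF(users[0], base, MemberOfFlatValues(users[0])))
	fmt.Println("(memberOf=myorg/grafana) ->", FindByMemberOf(users, "myorg/grafana"))
}
```

The design point worth keeping whichever format is chosen: a consumer such as a login-group check must match the whole memberOf value, and the server must emit one value per group rather than a joined list, otherwise a filter for one group can match users of a differently named group.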
@m-yosefpor Casdoor has groups: https://door.casdoor.com/groups, why not use it?
Yeah, I'm using the corresponding Casdoor groups you mentioned. I was only referring to the LDAP format for showing those. I continued with the second format. I will also send a PR for the docs to mention the new feature.
Description:
Casdoor's LDAP server currently does not support the memberOf overlay, which is a significant limitation for users who need to query LDAP for users based on group memberships. This feature is essential for efficiently managing and searching user groups within LDAP.
Use Case:
In many LDAP implementations, the memberOf overlay is used to simplify group membership management and queries. For example:
grafana group to be able to login to it.)
References: