casdoor / casdoor

An open-source UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform with web UI supporting OAuth 2.0, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, RADIUS, Google Workspace, Active Directory and Kerberos
https://casdoor.org
Apache License 2.0

[feature] Add Support for `memberOf` Overlay in LDAP Server #3067

Closed m-yosefpor closed 2 months ago

m-yosefpor commented 2 months ago

Description:

Casdoor's LDAP server currently does not support the memberOf overlay, which is a significant limitation for users who need to query LDAP for users based on group memberships. This feature is essential for efficiently managing and searching user groups within LDAP.

Use Case:

In many LDAP implementations, the memberOf overlay is used to simplify group membership management and queries. For example:

References:

casbin-bot commented 2 months ago

@tangyang9464 @JalinWang @imp2002

hsluoyz commented 2 months ago

@m-yosefpor can you make a PR?

m-yosefpor commented 2 months ago

> @m-yosefpor can you make a PR?

There are decisions that need to be made about how it works. Do we want to implement group entities in the LDAP server? Right now for each user we have cn=sth,ou=myorg,dc=example,dc=com, but there is no LDAP entity equivalent for groups. So do we need to have sth like cn=mygroup,ou=groups,ou=myorg,dc=example,dc=com and then have the users' memberOf work like:

dn: uid=6677875c-9755-4b09-bde1-d0546e372a32,cn=sth,ou=myorg,dc=example,dc=com
cn: sth
uid: 6677875c-9755-4b09-bde1-d0546e372a32
memberOf:  cn=mygroup,ou=groups,ou=myorg,dc=example,dc=com

Or we can ignore having group entities in LDAP and only have sth like

dn: uid=6677875c-9755-4b09-bde1-d0546e372a32,cn=sth,ou=myorg,dc=example,dc=com
cn: sth
uid: 6677875c-9755-4b09-bde1-d0546e372a32
memberOf:  myorg/mygroup

The memberOf attribute is not defined in a standard RFC. Instead, it is commonly implemented as an operational attribute by various LDAP directory services such as Microsoft Active Directory and OpenLDAP with the memberOf overlay.

Which option should be implemented? The former would be a complete implementation but requires many changes, as it requires groups to have an entity in the LDAP server; the latter is simpler and only returns the groups the user is a member of, which can be used in many use cases (including our use case).
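The two layouts from the comment above, worked through as an added example. This is not Casdoor's code: the `User` type, the function names and the constructed sample user (including a group with a comma in its name) are this example's own, and the base DN is taken from the DNs in the comment. It shows what an LDAP client sees in each case: in the first layout the memberOf values are DNs, so a DN-aware client matches them after normalizing case and whitespace, and the server has to escape group names per RFC 4514 or a name such as `ops,admins` would inject an extra RDN into the DN; in the second layout the values are opaque `org/group` strings that only match by exact string comparison.

```go
package main

import (
	"fmt"
	"strings"
)

// User is this example's own type, not Casdoor's; it carries only the fields
// the issue talks about.
type User struct {
	UID    string
	CN     string
	Org    string   // Casdoor organization, e.g. "myorg"
	Groups []string // Casdoor group names within that organization
}

// baseDN is assumed from the DNs quoted in the issue.
const baseDN = "dc=example,dc=com"

// escapeRDNValue escapes an attribute value for use inside a DN (RFC 4514 2.4).
// Without it a group named "ops,admins" would become two RDNs.
func escapeRDNValue(v string) string {
	var b strings.Builder
	for i, r := range v {
		switch {
		case strings.ContainsRune(`,+"\<>;=`, r):
			b.WriteRune('\\')
			b.WriteRune(r)
		case r == ' ' && (i == 0 || i == len(v)-1):
			b.WriteString(`\ `)
		case r == '#' && i == 0:
			b.WriteString(`\#`)
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// memberOfAsDN renders the first layout proposed in the issue: one DN per
// group under ou=groups beneath the organization's OU.
func memberOfAsDN(u User) []string {
	out := make([]string, 0, len(u.Groups))
	for _, g := range u.Groups {
		out = append(out, fmt.Sprintf("cn=%s,ou=groups,ou=%s,%s",
			escapeRDNValue(g), escapeRDNValue(u.Org), baseDN))
	}
	return out
}

// memberOfAsPath renders the second layout: the Casdoor "org/group" identifier
// as an opaque string with no DN structure.
func memberOfAsPath(u User) []string {
	out := make([]string, 0, len(u.Groups))
	for _, g := range u.Groups {
		out = append(out, u.Org+"/"+g)
	}
	return out
}

// normalizeRDN lowercases the attribute type and the (caseIgnore) value and
// drops surrounding whitespace, as a DN-aware client does before comparing.
func normalizeRDN(rdn string) string {
	kv := strings.SplitN(strings.TrimSpace(rdn), "=", 2)
	if len(kv) != 2 {
		return strings.ToLower(strings.TrimSpace(rdn))
	}
	return strings.ToLower(strings.TrimSpace(kv[0])) + "=" + strings.ToLower(strings.TrimSpace(kv[1]))
}

// normalizeDN splits on unescaped commas only, so an escaped comma inside a
// group name stays part of that RDN instead of starting a new one.
func normalizeDN(dn string) string {
	var rdns []string
	var cur strings.Builder
	escaped := false
	for _, r := range dn {
		switch {
		case escaped:
			cur.WriteRune('\\')
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			escaped = true
		case r == ',':
			rdns = append(rdns, normalizeRDN(cur.String()))
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	rdns = append(rdns, normalizeRDN(cur.String()))
	return strings.Join(rdns, ",")
}

// inGroupDN is the membership check a client of the first layout performs:
// normalized DN equality.
func inGroupDN(memberOf []string, groupDN string) bool {
	want := normalizeDN(groupDN)
	for _, m := range memberOf {
		if normalizeDN(m) == want {
			return true
		}
	}
	return false
}

// inGroupPath is the check a client of the second layout must perform: an
// exact, case-sensitive string match.
func inGroupPath(memberOf []string, path string) bool {
	for _, m := range memberOf {
		if m == path {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample user; the UID is the one from the issue's LDIF.
	u := User{UID: "6677875c-9755-4b09-bde1-d0546e372a32", CN: "sth", Org: "myorg",
		Groups: []string{"mygroup", "ops,admins"}}
	for _, v := range memberOfAsDN(u) {
		fmt.Println("option 1  memberOf:", v)
	}
	for _, v := range memberOfAsPath(u) {
		fmt.Println("option 2  memberOf:", v)
	}
	// A DN filter with different case and spacing still matches the first layout...
	fmt.Println(inGroupDN(memberOfAsDN(u), "CN=mygroup, OU=groups, OU=myorg, DC=example, DC=com"))
	// ...but finds nothing in the second layout, which needs an exact string.
	fmt.Println(inGroupDN(memberOfAsPath(u), "cn=mygroup,ou=groups,ou=myorg,dc=example,dc=com"))
	fmt.Println(inGroupPath(memberOfAsPath(u), "myorg/mygroup"))
}
```

The practical consequence of the second layout is that applications which map LDAP groups to roles by DN, the usual pattern with Active Directory and the OpenLDAP memberOf overlay mentioned in the comment, have to be configured to compare the value as a plain string; and because the Casdoor group name is used verbatim, a group renamed only in case stops matching.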

hsluoyz commented 2 months ago

@m-yosefpor Casdoor has groups: https://door.casdoor.com/groups, why not use it?

m-yosefpor commented 2 months ago

> @m-yosefpor Casdoor has groups: https://door.casdoor.com/groups, why not use it?

Yeah, I'm using the corresponding Casdoor groups you mentioned. I was only referring to the LDAP format for showing those. I continued with the second format. I will also send a PR for the docs to mention the new feature.