dalibo / ldap2pg

:elephant: :busts_in_silhouette: Manage PostgreSQL roles and privileges from YAML or LDAP
https://labs.dalibo.com/ldap2pg
PostgreSQL License

Request an Active Directory server where groups "member" does not exist but users have a "memberOf" attribute #445

Closed mdouchin closed 1 year ago

mdouchin commented 1 year ago

What do you want?

Hi !

I must synchronize with an Active Directory server which does not return any member attribute when requesting the group details, but instead adds a memberOf attribute when requesting a user's details.

I have not found in the documentation any example showing how to get the user groups by requesting this memberOf attribute.

I have not yet tested it fully, but I would like to know if this "reversed" logic will fit the ldap2pg way of querying the LDAP server?

Thanks in advance

mdouchin commented 1 year ago

I would like to create the roles and grant them to their parents. What I would do with:

GRANT "a-group-of-users" TO "role-a";

Perhaps with this config?

sync_map:
- ldapsearch:
    ...
  role:
    name: "{sAMAccountName}"
    parent: "{memberOf.cn}"
    comment: "Role generated from LDAP entry {sAMAccountName}."
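
The following is an added example, not code from the issue author or from ldap2pg itself. It shows the "reversed" logic the config above relies on: when group entries carry no member attribute, the group-to-members relation is rebuilt from each user's memberOf DNs, the leading CN of every DN is extracted (what the `{memberOf.cn}` expansion is meant to produce), and the result is turned into GRANT statements of the form `GRANT "group" TO "user"`. The user entries, attribute values and group names are constructed for the example; the `group_prefix` filter argument is an assumption standing in for the kind of LDAP filter one would otherwise put in the search.

```python
"""Derive PostgreSQL role membership from Active Directory memberOf values.

Added example, not ldap2pg code. Group entries have no ``member`` attribute,
so the group -> members relation is rebuilt from ``memberOf`` on user entries.
"""
import re

# Constructed sample entries standing in for an LDAP search over users.
# Logins, group names and the directory suffix are assumptions for the example.
SAMPLE_USERS = [
    {"sAMAccountName": ["alice"],
     "memberOf": ["CN=pg-admins,OU=Groups,DC=example,DC=org",
                  "CN=pg-readers,OU=Groups,DC=example,DC=org"]},
    {"sAMAccountName": ["bob"],
     "memberOf": ["CN=pg-readers,OU=Groups,DC=example,DC=org"]},
    # A group whose CN contains a comma, escaped as "\," per RFC 4514.
    {"sAMAccountName": ["carol"],
     "memberOf": ["CN=Finance\\, Reporting,OU=Groups,DC=example,DC=org"]},
    # A user in no group at all: AD simply omits the memberOf attribute.
    {"sAMAccountName": ["dave"]},
]

# First RDN of a DN: attribute type, "=", then a value in which a backslash
# escapes the following character (so an escaped comma does not end the RDN).
_FIRST_RDN = re.compile(r"^\s*([A-Za-z][\w-]*)=((?:\\.|[^,\\])*)")


def cn_from_dn(dn):
    """Return the unescaped value of the leading CN RDN of ``dn``.

    Raises ValueError when the DN does not start with CN=, so a malformed or
    unexpected memberOf value cannot silently become an empty role name.
    """
    m = _FIRST_RDN.match(dn)
    if not m or m.group(1).lower() != "cn":
        raise ValueError("DN does not start with a CN RDN: %r" % dn)
    # Remove RFC 4514 escaping: "\," -> ",", "\\" -> "\", and so on.
    return re.sub(r"\\(.)", r"\1", m.group(2))


def roles_from_users(entries, group_prefix=""):
    """Map each login to the sorted list of groups (parent roles) it is in.

    ``group_prefix`` (assumed helper parameter) keeps only groups whose CN
    starts with it, the job a (memberOf=...) filter would do in the search.
    Users without memberOf still get a role, with an empty parent list.
    """
    roles = {}
    for entry in entries:
        login = entry["sAMAccountName"][0]
        parents = set()
        for dn in entry.get("memberOf", []):
            cn = cn_from_dn(dn)
            if cn.startswith(group_prefix):
                parents.add(cn)
        roles[login] = sorted(parents)
    return roles


def quote_ident(name):
    """Quote a PostgreSQL identifier; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def grant_statements(roles):
    """Emit CREATE ROLE and GRANT statements for a login -> parents mapping.

    Groups become NOLOGIN roles, users become LOGIN roles, and each user is
    made a member of its groups with GRANT "group" TO "user".
    """
    stmts = []
    groups = sorted({g for parents in roles.values() for g in parents})
    for g in groups:
        stmts.append("CREATE ROLE %s NOLOGIN;" % quote_ident(g))
    for login in sorted(roles):
        stmts.append("CREATE ROLE %s LOGIN;" % quote_ident(login))
        for g in roles[login]:
            stmts.append("GRANT %s TO %s;" % (quote_ident(g), quote_ident(login)))
    return stmts


if __name__ == "__main__":
    for stmt in grant_statements(roles_from_users(SAMPLE_USERS, "pg-")):
        print(stmt)
```

Running the block prints the statements for the two `pg-` groups only; dropping the prefix also picks up the "Finance, Reporting" group, whose escaped comma is handled by the RDN parser instead of splitting the DN on every comma.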

bersace commented 1 year ago

You should use a custom filter. I don't have access to an AD to test this, but there is a lost example at https://ldap2pg.readthedocs.io/en/latest/ldap/#examples .

Each LDAP directory has its own set of filters. See your AD documentation for available filters.

mdouchin commented 1 year ago

Thanks for your answer. I will try ASAP and report

bersace commented 1 year ago

Let's close. Please reopen for updates.