Open setpill opened 1 year ago
This discussion helped me. I use FreeIPA, where all groups are already resolved in the memberOf attribute of the user entry.
These are my final settings:
```yaml
groupSearch:
  baseDN: cn=groups,cn=accounts,dc=vdz,dc=novalocal
  filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
  nameAttr: cn
  groupAttr: entrydn
  userAttr: memberOf
userSearch:
  baseDN: cn=users,cn=accounts,dc=vdz,dc=novalocal
  emailAttr: mail
  filter: "(objectClass=person)"
  idAttr: uid
  nameAttr: displayName
  preferredUsernameAttr: uid
  username: uid
```
I am using Windows AD, and to get nested groups working (meaning a user who is a member of "group1", which is itself a member of "group2"), I used the following config (you have to add `:1.2.840.113556.1.4.1941:`). The token generated by Dex then contained both groups, "group1" and "group2".
```yaml
userSearch:
  baseDN: cn=Users,dc=baremetal,dc=xyz
  filter: "(objectClass=person)"
  username: cn
  idAttr: DN
  emailAttr: mail
  nameAttr: cn
groupSearch:
  baseDN: cn=Users,dc=baremetal,dc=xyz
  filter: "(objectClass=group)"
  userMatchers:
    - userAttr: DN
      groupAttr: "member:1.2.840.113556.1.4.1941:"
  nameAttr: cn
```
This seems to fail when the user is in many groups & the LDAP server is just a little too slow to retrieve all of them. The issue is that using `groupSearch.userMatchers.userAttr: memberOf` results in one lookup per memberOf value returned by the user lookup.
The error I'm getting is:
Failed to finalize login: failed to update auth request: not found
My uneducated guess is that it's related to https://github.com/dexidp/dex/issues/1969 where garbage collection happens before it can finish looking up all the groups.
The ideal solution would be to trust the list of memberOf attributes returned from the user and bypass the group search altogether.
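As an added illustration (not Dex's own code, and not posted by anyone in this thread) of why the two configurations above behave differently: a matcher on the user's DN with the AD chain rule `member:1.2.840.113556.1.4.1941:` yields a single group query, whereas a `memberOf`/`entrydn` matcher yields one query per memberOf value, which is the lookup fan-out the previous comment describes. The filter layout `(&<groupFilter>(<groupAttr>=<value>))` and the RFC 4515 value escaping are assumptions modelled on the config shape, not taken from Dex's source.

```go
package main

import (
	"fmt"
	"strings"
)

// OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN, as used in the config above.
const matchingRuleInChain = "1.2.840.113556.1.4.1941"

// escapeFilterValue escapes a value per RFC 4515 so that a DN containing
// '(', ')', '*', '\' or NUL cannot change the structure of the filter.
func escapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// groupFilters models a userMatcher (assumption, not Dex's implementation):
// one group search per value of the user's userAttr, each ANDed with the
// configured group filter. The length of the result is the number of
// LDAP round trips the matcher costs for that user.
func groupFilters(groupFilter, groupAttr string, userAttrValues []string) []string {
	out := make([]string, 0, len(userAttrValues))
	for _, v := range userAttrValues {
		out = append(out, fmt.Sprintf("(&%s(%s=%s))", groupFilter, groupAttr, escapeFilterValue(v)))
	}
	return out
}

func main() {
	// Constructed sample values; the DNs are not real directory entries.
	userDN := "CN=alice,CN=Users,DC=baremetal,DC=xyz"
	memberOf := []string{
		"cn=g1,cn=groups,cn=accounts,dc=vdz,dc=novalocal",
		"cn=g2,cn=groups,cn=accounts,dc=vdz,dc=novalocal",
		"cn=g3,cn=groups,cn=accounts,dc=vdz,dc=novalocal",
	}
	chain := groupFilters("(objectClass=group)", "member:"+matchingRuleInChain+":", []string{userDN})
	perGroup := groupFilters("(|(objectClass=posixGroup)(objectClass=groupOfNames))", "entrydn", memberOf)
	fmt.Printf("AD chain matcher: %d query\n  %s\n", len(chain), chain[0])
	fmt.Printf("memberOf/entrydn matcher: %d queries (one per memberOf value)\n", len(perGroup))
}
```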
Preflight Checklist
Problem Description
Being able to get all groups a user is a member of, even indirectly, would be very useful.
Proposed Solution
Indirect group memberships that match the search filter are added to the user's list of groups.
Alternatives Considered
If this is undesirable to do by default for backwards compatibility, a config option to include them.
Additional Information
#838 was already created for this, but was closed as completed in an hour. However, it doesn't work at this point in time.