dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

Support for Nested LDAP Groups #2955

Open setpill opened 1 year ago

setpill commented 1 year ago

Problem Description

Being able to get all groups a user is a member of, even indirectly, would be very useful.

Proposed Solution

Indirect group memberships that match the search filter are added to the user's list of groups.

Alternatives Considered

If this is undesirable to do by default for backwards compatibility, a config option to include them.

Additional Information

#838 was already created for this, but was closed as completed in an hour. However, it doesn't work at this point in time.

vudex commented 1 year ago

This discussion helped me. I use FreeIPA, where all groups are already resolved in the memberOf attribute of the user entry.

These are my final settings:

        groupSearch:
          baseDN: cn=groups,cn=accounts,dc=vdz,dc=novalocal
          filter:  "(|(objectClass=posixGroup)(objectClass=groupOfNames))"
          nameAttr: cn
          groupAttr: entrydn
          userAttr: memberOf
        userSearch:
          baseDN: cn=users,cn=accounts,dc=vdz,dc=novalocal
          emailAttr: mail
          filter: "(objectClass=person)"
          idAttr: uid
          nameAttr: displayName
          preferredUsernameAttr: uid
          username: uid

mlacko64 commented 1 year ago

I am using Windows AD, and to get nested groups working (meaning a user who is a member of "group1", which is itself a member of "group2"), I used the following config (you have to add :1.2.840.113556.1.4.1941: ). The token generated by Dex then contained both groups, "group1" and "group2".

        userSearch:
          baseDN: cn=Users,dc=baremetal,dc=xyz
          filter: "(objectClass=person)"
          username: cn
          idAttr: DN
          emailAttr: mail
          nameAttr: cn
        groupSearch:
          baseDN: cn=Users,dc=baremetal,dc=xyz
          filter: "(objectClass=group)"
          userMatchers:
          - userAttr: DN
            groupAttr: "member:1.2.840.113556.1.4.1941:"
          nameAttr: cn

lawsontyler commented 2 months ago

This seems to fail when the user is in many groups and the LDAP server is just a little too slow to retrieve all of them. The issue is that using groupSearch.userMatchers.userAttr: memberOf results in one lookup per memberOf value returned by the user lookup.

The error I'm getting is:

Failed to finalize login: failed to update auth request: not found

My uneducated guess is that it's related to https://github.com/dexidp/dex/issues/1969 where garbage collection happens before it can finish looking up all the groups.

The ideal solution would be to trust the list of memberOf attributes returned from the user and bypass the group search altogether.
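
Added example (my own Go code, not part of dex and not posted by any commenter above) that makes the difference between the two configurations in this thread concrete. GroupFilters builds the search filter a dex-style connector would send for each value of the matcher's user attribute: with userAttr DN and groupAttr member:1.2.840.113556.1.4.1941: (mlacko64's AD config) that is a single query and the server follows the chain; with userAttr memberOf (vudex's FreeIPA config) it fans out to one query per group the user is directly in, which is the cost lawsontyler describes. NestedGroups computes on the client what LDAP_MATCHING_RULE_IN_CHAIN computes on the server, and stops on a membership cycle. The filter composition (&<groupSearch.filter>(<groupAttr>=<escaped value>)) is how I understand dex's LDAP connector assembles them; that, the type and function names, and the sample DNs are my assumptions, not quoted from dex.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// UserMatcher mirrors one groupSearch.userMatchers entry in dex's LDAP
// connector config. The user attribute name "DN" means the entry's DN.
type UserMatcher struct {
	UserAttr  string
	GroupAttr string
}

// GroupSearch is the subset of the groupSearch block needed here.
type GroupSearch struct {
	Filter       string
	UserMatchers []UserMatcher
}

// EscapeFilter applies RFC 4515 escaping to an assertion value so that a DN
// or memberOf value read back from the directory cannot alter the filter
// structure (a group named "ops)(cn=*" would otherwise widen the match).
func EscapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c == 0 || c >= 0x80 {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// GroupFilters returns the search filters issued for one user entry: the
// configured group filter ANDed with one (groupAttr=value) term per value of
// the matcher's user attribute. userAttr "DN" yields one query; userAttr
// "memberOf" yields one query per group the user is directly in.
// (Assumed to match dex's composition; see lead-in.)
func GroupFilters(gs GroupSearch, user map[string][]string) []string {
	var filters []string
	for _, m := range gs.UserMatchers {
		for _, v := range user[m.UserAttr] {
			f := fmt.Sprintf("(%s=%s)", m.GroupAttr, EscapeFilter(v))
			if gs.Filter != "" {
				f = fmt.Sprintf("(&%s%s)", gs.Filter, f)
			}
			filters = append(filters, f)
		}
	}
	return filters
}

// NestedGroups computes client-side what AD's matching rule
// 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) computes on the
// server: the transitive closure of group membership. memberOf maps an
// entry DN to the DNs of the groups it is directly in; the seen set stops
// cycles (group1 in group2, group2 in group1). The result is sorted.
func NestedGroups(memberOf map[string][]string, userDN string) []string {
	seen := map[string]bool{}
	queue := append([]string(nil), memberOf[userDN]...)
	var out []string
	for len(queue) > 0 {
		g := queue[0]
		queue = queue[1:]
		if seen[g] {
			continue
		}
		seen[g] = true
		out = append(out, g)
		queue = append(queue, memberOf[g]...)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample directory (not real data): alice is directly in
	// group1, group1 is in group2, and group2 points back at group1.
	alice := "CN=alice,CN=Users,DC=example,DC=test"
	memberOf := map[string][]string{
		alice:                                   {"CN=group1,CN=Users,DC=example,DC=test"},
		"CN=group1,CN=Users,DC=example,DC=test": {"CN=group2,CN=Users,DC=example,DC=test"},
		"CN=group2,CN=Users,DC=example,DC=test": {"CN=group1,CN=Users,DC=example,DC=test"},
	}
	user := map[string][]string{"DN": {alice}, "memberOf": memberOf[alice]}

	// AD style from the thread: the server follows the chain, one query.
	ad := GroupSearch{Filter: "(objectClass=group)",
		UserMatchers: []UserMatcher{{UserAttr: "DN", GroupAttr: "member:1.2.840.113556.1.4.1941:"}}}
	// memberOf style: one query per direct group; nesting is only covered if
	// the server (as FreeIPA does) already populates memberOf transitively.
	ipa := GroupSearch{Filter: "(|(objectClass=posixGroup)(objectClass=groupOfNames))",
		UserMatchers: []UserMatcher{{UserAttr: "memberOf", GroupAttr: "entrydn"}}}

	fmt.Println("AD queries:      ", GroupFilters(ad, user))
	fmt.Println("memberOf queries:", GroupFilters(ipa, user))
	fmt.Println("all groups:      ", NestedGroups(memberOf, alice))
}
```

Running it prints one AD filter and one memberOf filter for alice, and the closure group1, group2 despite the cycle; put alice in fifty groups and the memberOf variant prints fifty filters, which is the fan-out behind the slow-server failure described above.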