goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP - Querying groups should show information of parent/child groups using member and memberOf attributes #2417

Open janosmiko opened 2 years ago

janosmiko commented 2 years ago

Is your feature request related to a problem? Please describe.

Given scenario: I have 2 parent groups, 2 subgroups, 2 users.

- org1
  - team1
    - akadmin
- org2
  - team1
    - test 

When I query the groups, the LDAP results show the two team1 groups, but it is not possible to determine which group belongs to which parent.

```shell
ldapsearch -x -h authentik.dev.example.com -p 389 -D 'cn=akadmin,DC=ldap,DC=authentik,DC=example,DC=com' -w 'PASSWORD' -b 'OU=groups,DC=ldap,DC=authentik,DC=example,DC=com' '(&(objectClass=*)(cn=team1))'
```

```ldif
# extended LDIF
#
# LDAPv3
# base <OU=groups,DC=ldap,DC=authentik,DC=example,DC=com> with scope subtree
# filter: (&(objectClass=*)(cn=team1))
# requesting: ALL
#

# team1, groups, ldap.authentik.example.com
dn: cn=team1,ou=groups,dc=ldap,dc=authentik,dc=example,dc=com
objectClass: group
objectClass: groupOfUniqueNames
objectClass: goauthentik.io/ldap/group
member: cn=test,ou=users,dc=ldap,dc=authentik,dc=example,dc=com
goauthentik.io/ldap/superuser: false
cn: team1
uid: 7e09338f-233f-4c12-9dd1-e4390dabb68f
sAMAccountName: team1
gidNumber: 21391

# team1, groups, ldap.authentik.example.com
dn: cn=team1,ou=groups,dc=ldap,dc=authentik,dc=example,dc=com
member: cn=akadmin,ou=users,dc=ldap,dc=authentik,dc=example,dc=com
goauthentik.io/ldap/superuser: false
cn: team1
uid: e6aaaed1-398d-4438-8ae8-31dbfc9e8637
sAMAccountName: team1
gidNumber: 46327
objectClass: group
objectClass: groupOfUniqueNames
objectClass: goauthentik.io/ldap/group

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```

Describe the solution you'd like

I did some research around LDAP, and in most cases this is handled in both directions, parent->children and children->parent.

The parent should have a member attribute which includes all its members, not just the users (currently it only shows up when a parent group has users).

The child groups should have a memberOf attribute, which shows the DN of their parent. E.g. memberOf=cn=org1,ou=groups,DC=ldap,DC=authentik,DC=example,DC=com


Manual Workaround

If I add the memberOf attribute to the subgroup directly, it will show up in LDAP and I will be able to query it.

```shell
ldapsearch -x -h authentik.dev.example.com -p 389 -D 'cn=akadmin,DC=ldap,DC=authentik,DC=example,DC=com' -w 'PASSWORD' -b 'OU=groups,DC=ldap,DC=authentik,DC=example,DC=com' '(&(objectClass=*)(cn=team1)(memberOf=cn=org1,ou=groups,DC=ldap,DC=authentik,DC=example,DC=com))'
```

```ldif
# team1, groups, ldap.authentik.example.com
dn: cn=team1,ou=groups,dc=ldap,dc=authentik,dc=example,dc=com
memberOf: cn=org1,ou=groups,DC=ldap,DC=authentik,DC=example,DC=com
goauthentik.io/ldap/superuser: false
cn: team1
uid: 7e09338f-233f-4c12-9dd1-e4390dabb68f
sAMAccountName: team1
gidNumber: 21391
objectClass: group
objectClass: groupOfUniqueNames
objectClass: goauthentik.io/ldap/group
member: cn=test,ou=users,dc=ldap,dc=examle,dc=com
```

Further info

memberOf attribute: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/cc24555b-61c7-49a2-9748-167b8ce5a512

member attribute: https://datatracker.ietf.org/doc/html/rfc4519#section-2.17 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-ada2/763d0861-f4f6-4251-847e-7e8dedcfe73f

BeryJu commented 7 months ago

We'd implement this as only returning the direct parents/children of a group within that group, and allowing the client to recursively fetch all the other data.
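The two directions discussed in this thread, the parent's member attribute pointing at child groups (requested above) and the client recursively walking the direct parents a server returns (the maintainer's proposal), can be shown together with a small in-memory directory. The following is an added example and not code from authentik or from either commenter; the directory, its DNs (built from the issue's base DN), the user names and the cycle between `loopA` and `loopB` are all constructed here. The two child groups are deliberately given distinct names (team1, team2) so their DNs do not collide, which is exactly what the duplicated `cn=team1` DNs in the issue prevent. The walkers keep a visited set, so a nested-group cycle terminates instead of recursing forever.

```python
"""Nested LDAP group resolution over member / memberOf links.

Constructed in-memory directory (not data from the issue): two parent groups
that each contain one child group, plus a deliberate cycle between two groups
so the walkers can be shown terminating on it.
"""
from collections import defaultdict

BASE = "dc=ldap,dc=authentik,dc=example,dc=com"


def dn(cn, ou):
    """Build a DN under the issue's base DN (constructed helper)."""
    return f"cn={cn},ou={ou},{BASE}"


# Constructed sample entries. Only the parent -> child direction ("member") is
# populated, mirroring the issue: the child groups carry no memberOf yet.
DIRECTORY = {
    dn("org1", "groups"): {"objectClass": ["group"], "member": [dn("team1", "groups")]},
    dn("org2", "groups"): {"objectClass": ["group"], "member": [dn("team2", "groups")]},
    dn("team1", "groups"): {"objectClass": ["group"], "member": [dn("akadmin", "users")]},
    dn("team2", "groups"): {"objectClass": ["group"], "member": [dn("test", "users")]},
    # Constructed cycle: loopA <-> loopB, with one user inside loopB.
    dn("loopA", "groups"): {"objectClass": ["group"], "member": [dn("loopB", "groups")]},
    dn("loopB", "groups"): {"objectClass": ["group"],
                            "member": [dn("loopA", "groups"), dn("test", "users")]},
    dn("akadmin", "users"): {"objectClass": ["user"]},
    dn("test", "users"): {"objectClass": ["user"]},
}


def derive_member_of(directory):
    """Return {child_dn: [parent_dn, ...]} computed from the parents' member
    attributes. This is the server-side view the issue asks for: memberOf is
    simply the inverse of member, for groups as well as for users."""
    member_of = defaultdict(list)
    for parent_dn, attrs in directory.items():
        for child_dn in attrs.get("member", []):
            member_of[child_dn].append(parent_dn)
    return dict(member_of)


def is_group(directory, entry_dn):
    return "group" in directory.get(entry_dn, {}).get("objectClass", [])


def expand_members(directory, group_dn):
    """Parent -> children: all user DNs reachable from group_dn through nested
    groups. `seen` stops the walk on cycles and on groups reached twice."""
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in directory.get(current, {}).get("member", []):
            if is_group(directory, member):
                stack.append(member)
            else:
                users.add(member)
    return users


def effective_groups(directory, user_dn):
    """Child -> parents: every group the user belongs to, directly or through
    nested groups, following only direct memberOf links at each step. This is
    the client-side recursion a server returning only direct parents requires."""
    member_of = derive_member_of(directory)
    result, stack = set(), list(member_of.get(user_dn, []))
    while stack:
        group = stack.pop()
        if group in result:
            continue
        result.add(group)
        stack.extend(member_of.get(group, []))
    return result


if __name__ == "__main__":
    for child, parents in derive_member_of(DIRECTORY).items():
        print(f"{child}\n  memberOf: {parents}")
    print("org1 expands to:", expand_members(DIRECTORY, dn("org1", "groups")))
    print("test is effectively in:", effective_groups(DIRECTORY, dn("test", "users")))
```

Against a real server, `derive_member_of` corresponds to what the LDAP outpost would compute when publishing memberOf, while `effective_groups` is the loop an application must run itself when the server only returns direct parents; in both cases the visited set is what keeps a misconfigured or malicious group cycle from turning a login into an unbounded query chain.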