goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

LDAP Group Sync on memberOf #3879

Open shawnweeks opened 1 year ago

shawnweeks commented 1 year ago

Is your feature request related to a problem? Please describe.
I'm unable to use Authentik LDAP Group Sync with nested groups in FreeIPA because Authentik only considers group membership based on the group's member attribute instead of also considering the user's memberOf attribute.

Describe the solution you'd like
I would like Authentik to provide the option to determine group membership based on the user's memberOf attribute.

Describe alternatives you've considered
The only alternative is not using nested groups, which makes it much more difficult to combine common sets of permissions into a single group.

Additional context
To further explain, let's assume you have the groups company_admin and wiki_admin, and in FreeIPA company_admin is a member of wiki_admin. If you query for a user who's a member of company_admin, FreeIPA will actually show both company_admin and wiki_admin listed in the user's memberOf attributes, even though the user is only a direct member of company_admin. If you look at the member attributes on wiki_admin, however, you will only see company_admin. I'm not sure if Active Directory also works this way, but this must be common enough because other applications like Atlassian Crowd and Sonatype Nexus both support doing group mappings this way from LDAP.
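The FreeIPA nesting case described in this comment, as an added example that is not part of the issue or of authentik's code: it models the two group entries and the user entry with constructed DNs (the `cn=accounts,dc=example,dc=test` suffix is an assumption) and contrasts a sync that reads only each group's `member` attribute with one that uses the user's `memberOf`, plus a server-independent transitive walk that gives the same result without relying on a memberOf plugin.

```python
# Added example; not authentik code. Models the issue: a sync that reads only
# each group's direct `member` attribute misses nested memberships, while the
# user's server-maintained `memberOf` (or a transitive walk over `member`)
# recovers them. All DNs and entries below are constructed sample data.

BASE = "cn=accounts,dc=example,dc=test"  # assumed FreeIPA-style suffix
ALICE = f"uid=alice,cn=users,{BASE}"
COMPANY_ADMIN = f"cn=company_admin,cn=groups,{BASE}"
WIKI_ADMIN = f"cn=wiki_admin,cn=groups,{BASE}"

# Group entries as the directory returns them: wiki_admin's `member` holds
# only the company_admin group; alice is a direct member of company_admin.
GROUPS = {
    COMPANY_ADMIN: {"member": [ALICE]},
    WIKI_ADMIN: {"member": [COMPANY_ADMIN]},
}
# User entry: FreeIPA's memberOf plugin flattens nesting, so both appear.
USERS = {ALICE: {"memberOf": [COMPANY_ADMIN, WIKI_ADMIN]}}


def cn(dn: str) -> str:
    """Return the leading RDN value of a DN, e.g. 'wiki_admin'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def direct_membership(groups: dict, user_dn: str) -> set:
    """Behaviour the issue describes: membership only via a group's own `member`."""
    return {cn(g) for g, a in groups.items() if user_dn in a["member"]}


def memberof_membership(users: dict, user_dn: str) -> set:
    """Requested behaviour: trust the memberOf attribute on the user entry."""
    return {cn(g) for g in users[user_dn].get("memberOf", [])}


def transitive_membership(groups: dict, user_dn: str) -> set:
    """Server-independent alternative: walk `member` edges upward so a group
    containing a group the user is in also counts; `seen` stops group cycles."""
    seen, frontier = set(), {user_dn}
    while frontier:
        frontier = {g for g, a in groups.items()
                    if g not in seen and any(m in frontier for m in a["member"])}
        seen |= frontier
    return {cn(g) for g in seen}


def missing_from_direct_sync(groups: dict, users: dict, user_dn: str) -> set:
    """Groups a memberOf-aware sync would assign that the direct sync drops."""
    return memberof_membership(users, user_dn) - direct_membership(groups, user_dn)
```

Note that `memberof_membership` is only as good as the server's memberOf maintenance (FreeIPA's plugin, or AD's computed attribute); the transitive walk reconstructs the same answer from `member` alone, at the cost of loading every group.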

shawnweeks commented 1 year ago

If anyone else sees this feel free to look at it however I'm going to attempt to contribute a solution once I get the dev environment figured out.

shawnweeks commented 1 year ago

I have a working solution for FreeIPA and Active Directory at https://github.com/goauthentik/authentik/pull/3936 but I'm working to get some performance tests run to see how it might affect sync times.

d-sko commented 1 year ago

This would be very useful as I have the same problem with an Active Directory currently

shawnweeks commented 1 year ago

@d-sko I'll be real honest, I'm not sure when I'll have time to come back to this. Test cases and stuff need to be built out and it will probably be end of this month before I can get back to looking at this.

d-sko commented 1 year ago

@shawnweeks Oh, that's fine, I just wanted to say that I'm interested in this feature too, not to get an ETA or something, take your time. Thank you for your work :)

v1k7g85 commented 1 year ago

Hi! Are there any changes in this issue?

terion-name commented 11 months ago

+1 absolutely required behaviour

SirHardware commented 9 months ago

Is this still something that will be implemented? In my opinion this is a required behaviour, and at the moment it makes this unusable.

shawnweeks commented 9 months ago

@SirHardware The organization I work with switched to Keycloak, which already does this, so it's unlikely I'll get back to working on this. I'm a huge fan of the project though and this is a pretty critical feature for lots of organizations so hopefully someone will be able to contribute a solution.

SirHardware commented 9 months ago

@shawnweeks yeah, since it's my own infrastructure where I wanted to use Authentik, I'm probably also going to switch to Keycloak. Also, the fact that such an important topic is unresolved for this long doesn't make the best impression (as well as some other topics like #3986). Authentik has potential, but there are still some major missing features which make it not really suitable for enterprise needs (or people that work in enterprise and want similar things at home).

pulderdev commented 7 months ago

I have been setting up authentik recently and I also noticed that this is an absolutely necessary way of working when you want a decent LDAP integration. All platforms I have already implemented use LDAP sync on the memberOf property of the user instead of the member property of the group. Working with memberOf is necessary to get nesting working.

BeryJu commented 4 months ago

This should've been possible since #528, but we'll do some testing on this.

cybertschunk commented 4 months ago

We are having the same issue with a FreeIPA installation. Unfortunately nested groups don't work.

fdisamuel commented 4 months ago

Hello! At my company, we've recently implemented Authentik for testing, enabling us to use our AD groups and members to log into applications that require OpenID Connect protocols and IDPs. However, I've discovered that the nested group memberships haven't been synchronized with their corresponding groups in Authentik. I suspect this is due to the absence of nested group support in Authentik when using LDAP/AD as the authenticating backend. Is it possible to integrate this critically important feature into the product, so there's no need to manually recreate all the groups in our Authentik instance? Thank you in advance!