Describe your question/
FreeIPA supports indirect group memberships, meaning you can be a member of a group by being a member of a child group.
The problem stems from how those indirect group memberships are mapped to LDAP: The group is stored in a memberOf attribute of the user, but the user is not stored in a member attribute of the group.
This normally is not a problem, since many applications get the group memberships from a user's memberOf attribute. But as far as I can see, Authentik only supports getting memberships from a group attribute, which does not work correctly with FreeIPA.
Can I use a Property Mapping to set a group membership of a user?
Is there any way to map group memberships in the LDAP Source by user attributes?
Relevant infos
We use a FreeIPA Server.
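
The mismatch described in the question, as an added example that is not part of the original post and is not authentik or FreeIPA code: it compares a group-side `member` lookup with the user's `memberOf` over constructed entries. The `dc=example,dc=test` base, all DNs and all function names are assumptions made for illustration.

```python
# Constructed sample entries (not taken from a real server).
# Layout follows the post: a group's `member` lists only direct members
# (users or child groups); a user's `memberOf` also lists indirect groups.
BASE = "cn=accounts,dc=example,dc=test"  # hypothetical base DN


def user_dn(uid):
    return f"uid={uid},cn=users,{BASE}"


def group_dn(cn):
    return f"cn={cn},cn=groups,{BASE}"


GROUPS = {
    group_dn("vpn-users"): {"member": [group_dn("ops")]},  # parent of ops
    group_dn("ops"): {"member": [user_dn("alice")]},
    group_dn("staff"): {"member": [user_dn("alice"), user_dn("bob")]},
}
USERS = {
    user_dn("alice"): {"memberOf": [group_dn("ops"), group_dn("vpn-users"),
                                    group_dn("staff")]},
    user_dn("bob"): {"memberOf": [group_dn("staff")]},
}


def groups_from_member_attr(dn):
    """Group-side lookup: groups whose `member` names the user directly."""
    return {g for g, entry in GROUPS.items() if dn in entry["member"]}


def groups_from_memberof(dn):
    """User-side lookup: whatever the user's `memberOf` lists."""
    return set(USERS[dn]["memberOf"])


def groups_by_walking_nesting(dn):
    """Group-side lookup that follows child groups upward; the `found` set
    also stops the walk if two groups contain each other."""
    found, queue = set(), [dn]
    while queue:
        current = queue.pop()
        for g, entry in GROUPS.items():
            if current in entry["member"] and g not in found:
                found.add(g)
                queue.append(g)
    return found


def missing_indirect(dn):
    """Groups a direct `member` lookup fails to report for this user."""
    return groups_from_memberof(dn) - groups_from_member_attr(dn)
```

Any access policy bound to a parent group (here `vpn-users`) is not applied to `alice` when only the direct `member` lookup is used.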