goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

Sync groups as members of other groups from LDAP source (Active Directory) / Nested Groups sync. #9460

Open craige1 opened 3 months ago

craige1 commented 3 months ago

Scenario: Users are only members of groups representing their position. These groups are in turn members of groups representing roles, which in turn are members of groups that provide access to resources. Users are not directly members of any group that provides access to resources. This is designed around role-based access control and least-privilege principles.

Currently Authentik ignores group objectClasses as members when syncing groups. This prevents the role-based structure of group membership from syncing across into Authentik. Authentik already "flattens" its built-in nested groups when acting as a provider, so utilizing a "role" group from Authentik when providing access to resources already works. This feature request will allow the group structure to sync across from an LDAP source, preserving the RBAC hierarchy and allowing the existing Authentik flattening to do its work. This will allow nested groups to work across from Active Directory into Authentik.

Request to have group objects persist as members of groups when syncing from LDAP sources such as Active Directory. The


Describe alternatives you've considered: Utilizing memberOf or memberOf:1.2.840.113556.1.4.1941:= (LDAP_MATCHING_RULE_IN_CHAIN) filter rules doesn't look to be the right way to solve this issue with nested groups from Active Directory.
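The position -> role -> resource-group nesting and the "flattening" described in the issue, as an added example that is not part of the original issue or of authentik's own code: the group entries below are constructed to mirror the scenario (a `member` attribute holding user DNs and other group DNs, as an LDAP sync would read them), and the functions compute the transitive membership client-side, which is the same answer Active Directory returns server-side for the `memberOf:1.2.840.113556.1.4.1941:=` (LDAP_MATCHING_RULE_IN_CHAIN) filter mentioned above. A deliberate cycle between two role groups is included to show that the walk must keep a visited set; the DNs and group names are hypothetical.

```python
"""Resolve nested LDAP/AD group membership client-side.

Added example, not authentik code. Constructed sample data: each group is
keyed by DN and carries its 'member' attribute, which may list user DNs and
other group DNs (this is how AD expresses nested groups).
"""
from collections import deque

USER_ALICE = "CN=alice,OU=Users,DC=example,DC=com"
USER_BOB = "CN=bob,OU=Users,DC=example,DC=com"
POS_DBA = "CN=Pos-DBA,OU=Groups,DC=example,DC=com"
ROLE_DATA_ADMIN = "CN=Role-DataAdmin,OU=Groups,DC=example,DC=com"
ROLE_LEGACY = "CN=Role-Legacy,OU=Groups,DC=example,DC=com"
ACCESS_PROD_DB = "CN=Access-ProdDB,OU=Groups,DC=example,DC=com"

# Constructed directory: position -> role -> resource group, plus a cycle
# between Role-DataAdmin and Role-Legacy (each lists the other as a member).
GROUPS = {
    POS_DBA: {"member": [USER_ALICE]},
    ROLE_DATA_ADMIN: {"member": [POS_DBA, ROLE_LEGACY]},
    ROLE_LEGACY: {"member": [ROLE_DATA_ADMIN, USER_BOB]},
    ACCESS_PROD_DB: {"member": [ROLE_DATA_ADMIN]},
}


def parent_index(groups):
    """Invert 'member' into child DN -> set of group DNs listing it (memberOf)."""
    parents = {}
    for group_dn, attrs in groups.items():
        for member_dn in attrs.get("member", []):
            parents.setdefault(member_dn, set()).add(group_dn)
    return parents


def effective_groups(user_dn, groups):
    """All groups a user belongs to directly or through nesting.

    Breadth-first walk over the memberOf relation; the visited set makes
    the walk terminate even when groups form a cycle.
    """
    parents = parent_index(groups)
    seen = set()
    queue = deque(parents.get(user_dn, ()))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        queue.extend(parents.get(group_dn, ()))
    return seen


def flatten_members(group_dn, groups):
    """Transitive user members of a group (direct plus via nested groups).

    This is the 'flattened' view a provider needs: a resource group yields
    the users who reach it through any chain of position/role groups.
    """
    users, seen_groups = set(), set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen_groups:
            continue
        seen_groups.add(current)
        for member_dn in groups.get(current, {}).get("member", []):
            if member_dn in groups:
                stack.append(member_dn)   # nested group: descend into it
            else:
                users.add(member_dn)      # leaf entry: treat as a user
    return users


def _escape_filter(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def in_chain_filter(group_dn):
    """AD server-side equivalent of flatten_members for user objects.

    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes AD walk
    the nesting itself; the DN is escaped so a CN containing '(' or '*'
    cannot alter the filter.
    """
    return ("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:="
            + _escape_filter(group_dn) + "))")


if __name__ == "__main__":
    print(sorted(effective_groups(USER_ALICE, GROUPS)))
    print(sorted(flatten_members(ACCESS_PROD_DB, GROUPS)))
    print(in_chain_filter(ACCESS_PROD_DB))
```

`effective_groups` is what a sync would have to persist per user to reproduce the AD hierarchy; `flatten_members` is the provider-side view of a resource group. Note that `flatten_members` classifies any member DN not present in `GROUPS` as a user, so a sync that only fetched a subset of groups would silently treat unfetched groups as users.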

fdisamuel commented 2 months ago

Hello! I'm inquiring about the potential implementation of this feature in the near future. I think it's essential for many organisations that depend on nested groups for their AD/LDAP management.

Also, while awaiting an official response, are you aware of any workaround that could enable nested AD groups to function within Authentik RBAC, @craige1? Many thanks.