These are all changes I needed to introduce in order to get Homer running with Microsoft AD on Windows. Plus, a few added niceties, like new debug logs, that helped me troubleshoot errors.
The main issue with the existing approach is that it both relies on the LDAP user groups query returning entries with cn attributes and only allows for the value of username to be replaced in the filter template. While simple to pull off on OpenLDAP (i.e. Linux) by means of memberUid, default Active Directory installations typically store group memberships on a member attribute pointing to a list of fully qualified names, not usernames.
By introducing a new "groupattribute" setting, I was able to query groups following:
An arguably better approach would have been replacing Sprintf with full templating capabilities for "*filter" values, enabling string interpolation of any LDAP attribute. In the end, I felt this was simpler.