Ticket was cloned from Red Hat Bugzilla (product RHEL RFE): Bug 977488
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem: SSSD does not check for nested groups when using an ldap access filter against AD. ldap_access_filter = memberOf = ...
AFAIU the filter is used as-is to search. To check the nested groups in AD we need to walk the tree. Maybe we have to introduce an alternative filter? ldap_access_filter_group = foo
If defined, this filter would supersede the value of ldap_access_filter, i.e. ldap_access_filter will be ignored. ldap_access_filter_group will be treated as a list of groups (with nesting) that the user should be a member of.
Just a thought...
I've been saying for years that we really ought to just change the example filter in the manpage. We opted for that as an example simply because it happened to work with FreeIPA.
The ldap_access_filter is ANDed with the base search for the user, so adding nested searches would be prohibitively difficult. Besides, this is already solved sufficiently by the use of the simple access provider's 'simple_allow_groups' option.
I think this is FAR better handled by resolving https://fedorahosted.org/sssd/ticket/1326 instead, so you can use the ldap_access_provider for the 'expire', 'authorized_service' and 'host' options and the simple provider for group membership.
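The divergence the reporter describes, as an added example that is not part of this ticket and not SSSD code: a toy directory (constructed data with invented DNs) in which one group is nested inside another and two groups form a membership cycle. `flat_filter_allows` models what a `memberOf=<group>` access filter sees, namely only the memberOf values stored directly on the user entry; `nested_allows` walks the memberOf links the way the reporter says would be needed, and is the behaviour the reply above attributes to `simple_allow_groups`. The function and variable names are this example's own.

```python
"""Toy model of why a flat memberOf filter misses nested group membership.

Constructed directory data, not from the SSSD ticket. All DNs are invented
placeholders; the function names are this example's own.
"""
from collections import deque

# Constructed toy directory: entry DN -> list of its direct memberOf DNs.
DIRECTORY = {
    "CN=alice,OU=Users,DC=example,DC=test": [
        "CN=ssh-users,OU=Groups,DC=example,DC=test",
    ],
    "CN=bob,OU=Users,DC=example,DC=test": [
        "CN=devops,OU=Groups,DC=example,DC=test",
    ],
    "CN=carol,OU=Users,DC=example,DC=test": [
        "CN=contractors,OU=Groups,DC=example,DC=test",
    ],
    # devops is nested inside ssh-users: bob is an ssh-user only transitively.
    "CN=devops,OU=Groups,DC=example,DC=test": [
        "CN=ssh-users,OU=Groups,DC=example,DC=test",
    ],
    "CN=ssh-users,OU=Groups,DC=example,DC=test": [],
    # contractors and vendors are members of each other: a membership cycle
    # that a naive recursive walk would loop on forever.
    "CN=contractors,OU=Groups,DC=example,DC=test": [
        "CN=vendors,OU=Groups,DC=example,DC=test",
    ],
    "CN=vendors,OU=Groups,DC=example,DC=test": [
        "CN=contractors,OU=Groups,DC=example,DC=test",
    ],
}

ALLOWED_GROUP = "CN=ssh-users,OU=Groups,DC=example,DC=test"


def flat_filter_allows(user_dn, group_dn, directory=DIRECTORY):
    """Models ldap_access_filter = (memberOf=<group_dn>): the filter only
    matches memberOf values stored directly on the user's own entry."""
    return group_dn in directory.get(user_dn, [])


def transitive_groups(entry_dn, directory=DIRECTORY):
    """Walk memberOf links breadth-first and return every group reachable
    from the entry. The 'seen' set is what stops a group cycle from looping."""
    seen = set()
    queue = deque(directory.get(entry_dn, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(directory.get(group, []))
    return seen


def nested_allows(user_dn, group_dn, directory=DIRECTORY):
    """A group check that honours nesting: the behaviour the ticket asks for."""
    return group_dn in transitive_groups(user_dn, directory)


def compare(user_dn, group_dn=ALLOWED_GROUP):
    """Return (flat decision, nested decision) so the divergence is visible."""
    return flat_filter_allows(user_dn, group_dn), nested_allows(user_dn, group_dn)


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=test"
        flat, nested = compare(dn)
        print(f"{user}: flat memberOf filter -> {flat}, nested walk -> {nested}")
```

Running it shows alice allowed either way, bob allowed only by the nested walk, and carol denied by both even though her groups form a cycle. Two practical notes: a flat filter used as an allow rule silently denies every user whose membership is only inherited, so the failure is availability rather than a bypass, but it is still an access decision that does not match what the directory administrator intended. On AD specifically the directory can perform this walk server-side through the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941); the later comment says the AD case was documented in #3218 but does not reproduce that text, so no filter form is quoted here.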
blockedby: => 1326
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
review: True => 0
selected: =>
testsupdated: => 0
Fields changed
milestone: NEEDS_TRIAGE => SSSD Deferred
type: defect => enhancement
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=977488 977488] => [https://bugzilla.redhat.com/show_bug.cgi?id=977488 977488] todo
We have documented this for AD with #3218. Since for other generic LDAP servers there is no general way of solving this, I suggest closing this ticket.
mark: => 0
review: 0 => 1
sensitive: => 0
resolution: => worksforme
status: new => closed
Metadata Update from @dpal: - Issue marked as depending on: #1326 - Issue set to the milestone: SSSD Patches welcome
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3046
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.