LDAP: recursive groups?

Dclabaut · December 28, 2018, 7:46pm

Hello,

I created an Employees group, with a Testuser in it.
Then I created a Humans group, and set the Employee group as a member of the Humans group.

Now if I do a search with this filter:
memberOf=cn=Humans,cn=groups,dn=example,dn=com
I do not get any results.

However, a search with this filter:
memberOf=cn=Employees,cn=groups,dn=example,dn=com
Returns the Testuser.
(If that matters, the search is done from a RocketChat instance)

Is there a way to get the users that are recursively in the Humans group ?

Thanks

troeder · January 1, 2019, 6:16pm

Hello,

the OpenLDAP memberOf overlay does not support recursive lookups.
Thus a single LDAP query cannot find a user in a nested group. A piece of code is required to do the recursion.

Greetings and happy new year
Daniel Tröder

kkorte · January 4, 2019, 5:17pm

Samba4 should support searching for the Group members recursively, similar to Active Directory. Thus, if you are planning on using it, it might be a workaround.

Please be aware, that the syntax is slightly different as you need to specify the recursion:
‘(memberof:1.2.840.113556.1.4.1941:=cn=MyGroup,cn=Groups,dc=Domain,dc=com)’

Dclabaut · January 4, 2019, 7:34pm

Thank you Kevin and Daniel for your answer,
Kevin, it appears that the rule 1.2.840.113556.1.4.1941 is not recognized by openldap.
I also tried using Sets (http://www.openldap.org/faq/data/cache/1133.html) but even though the request is accepted, openldap returns nothing.

crbble · January 7, 2019, 7:42am

? The example given was for queries against the Samba4 LDAP.

Dclabaut · January 7, 2019, 3:01pm

Thank you all, I have it working now
I will leave my RocketChat configuration (from the Administration/LDAP interface) here for posterity, as there is little documentation online:

General section:
Find users after login: False (for some reason users cant connect the first time if this is set to True)
Host: IP of your host
Samba4 may not listen on all interfaces if you added them to UCS after the initial configuration, you can add them to /etc/samba/smb.conf, restart the ‘samba’ and ‘samba-ad-dc’ services and check with
netstat -tapn | grep samba

Port: 636 (LDAPS)
Reject Unauthorized: False (UCS comes with a self-signed certificate. In a production environment you should generate a correct certificate and set this to True)

Authentication section:
Enable: True
User DN: A Simple Authentication Account will not do the trick as those don’t appear to be synced to S4. You need to create an actual user. You can list existing S4 users on UCS with:
univention-s4search objectClass=user | grep ^dn

Sync/Import section:
Username Field: sAMAccountName
Unique Identifier Field: sAMAccountName
User Data Field Map: {“displayName”:“name”, “mail”:“email”}

User Search section:
Filter:
(&(objectClass=organizationalPerson)(memberOf:1.2.840.113556.1.4.1941:=cn=YourGroup,cn=groups,dc=example,dc=com))
scope: sub
Search Field: sAMAccountName