
LDAP groups can only be queried by full DN #536

Closed
wyattanderson opened this issue Aug 3, 2016 · 5 comments

Comments

@wyattanderson
Contributor

Our LDAP implementation uses POSIX-style groups (objectClass=posixGroup) which store a memberUid (e.g. wyatt) instead of a member (e.g. uid=wyatt,ou=People,dc=example,dc=com). Since the ID of the remote identity is set to the user's DN and the searchGroupFilter parameter only seems to support searching by the fullUserID, we can't leverage the groups functionality here because we can't search group membership by DN. Additionally, if I hard-code the searchGroupFilter for testing purposes, the group entries that come back are the full DN of the group which is mildly cumbersome for consumers to handle. It might be nice for this to be configurable.

I'm beginning to think that for our purposes it might be better to maintain a fork of Dex with a custom connector that suits our needs (and peculiarities) better, but I thought I'd throw these feature requests out there anyway if the maintainers think it would be a net positive:

  • Allow configuration of the stored identity ID field to be derived from an attribute (say, uid) instead of the DN
  • Allow group search by DN or memberUid (see this random JIRA issue from the internet that has an interesting approach)
  • Allow groups to be represented by attribute (e.g. cn) instead of DN

If these are reasonable requests, I'd be happy to submit a PR. Thanks!

@ericchiang
Contributor

ericchiang commented Aug 3, 2016

> Our LDAP implementation uses POSIX-style groups (objectClass=posixGroup) which store a memberUid (e.g. wyatt) instead of a member (e.g. uid=wyatt,ou=People,dc=example,dc=com). Since the ID of the remote identity is set to the user's DN and the searchGroupFilter parameter only seems to support searching by the fullUserID, we can't leverage the groups functionality here because we can't search group membership by DN.

We could allow the format string to have a "last component" field to accomplish this. E.g. (memberUid=%u) would give you the full ID, but (memberUid=%U) would give you just the last component of the ID.

> Additionally, if I hard-code the searchGroupFilter for testing purposes, the group entries that come back are the full DN of the group which is mildly cumbersome for consumers to handle. It might be nice for this to be configurable.

We considered doing this in the initial approach. Would be happy to have the groups returned also just use the last component.

> Allow groups to be represented by attribute (e.g. cn) instead of DN

This would also be a reasonable option.

Ultimately we also need to figure out how to provide more expressive configuration for the LDAP connector, or this thing is going to have a ton of flags just to keep up with users' use cases.

@wyattanderson
Contributor Author

> We could allow the format string to have a "last component" field to accomplish this. E.g. (memberUid=%u) would give you the full ID, but (memberUid=%U) would give you just the last component of the ID.

That'd work, but seems like it could be confusing since %u would have a different meaning in bindTemplate.

And, to clarify, when you say "last component", do you mean the RDN (e.g. uid=XXX) or the value of the RDN (XXX)?

> Ultimately we also need to figure out how to provide more expressive configuration for the LDAP connector, or this thing is going to have a ton of flags just to keep up with users' use cases.

This is probably important. Worth looking around to see how other software handles LDAP integration. One good example I can think of is devpi-ldap which provides very expressive configuration for LDAP.

Are you planning work on this soon? This is blocking a project for me so I'm happy to attempt a PR if you think this is weeks away.

@ericchiang
Contributor

> That'd work, but seems like it could be confusing since %u would have a different meaning in bindTemplate.

Just trying to keep things backward compatible, but yeah we may just break it in this case.

> And, to clarify, when you say "last component", do you mean the RDN (e.g. uid=XXX) or the value of the RDN (XXX)?

The RDN.

> This is probably important. Worth looking around to see how other software handles LDAP integration. One good example I can think of is devpi-ldap which provides very expressive configuration for LDAP.

> Are you planning work on this soon? This is blocking a project for me so I'm happy to attempt a PR if you think this is weeks away.

It's a high priority but I haven't started to explore options. A good proposal would be a big step forward.
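The format-string proposal discussed above (%u for the full DN, %U for the leaf RDN) and the RDN-versus-value question, as an added Go example that is not Dex's own code: it expands a searchGroupFilter template, splits off the leaf RDN without breaking on escaped commas, and escapes the substituted value per RFC 4515 so a DN read from the directory cannot alter the filter's structure. The %u/%U semantics, the function names and the sample DN are assumptions; for posixGroup, memberUid stores the RDN's value (wyatt), which rdnValue returns.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for an LDAP search filter (RFC 4515): the
// characters * ( ) \ and NUL become \XX, so a DN cannot change the filter's shape.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		switch c := s[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// leafRDN returns the leftmost RDN of a DN ("uid=wyatt" for
// "uid=wyatt,ou=People,dc=example,dc=com"); escaped commas (RFC 4514) don't split.
func leafRDN(dn string) string {
	for i := 0; i < len(dn); i++ {
		switch dn[i] {
		case '\\':
			i++ // skip the escaped character
		case ',':
			return dn[:i]
		}
	}
	return dn
}

// rdnValue drops the attribute type: "uid=wyatt" -> "wyatt" (what memberUid stores).
func rdnValue(rdn string) string {
	if i := strings.IndexByte(rdn, '='); i >= 0 {
		return rdn[i+1:]
	}
	return rdn
}

// expandGroupFilter fills a searchGroupFilter template the way the thread
// proposes: %u is the escaped full DN, %U the escaped leaf RDN (assumed semantics).
func expandGroupFilter(tmpl, userDN string) string {
	r := strings.NewReplacer("%U", escapeFilterValue(leafRDN(userDN)), "%u", escapeFilterValue(userDN))
	return r.Replace(tmpl) // e.g. "(memberUid=%U)" -> "(memberUid=uid=wyatt)"
}
```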

@ericchiang
Contributor

Groups now use a full query. But, going to keep this issue open until we've added documentation.

@ericchiang
Contributor

Documentation added here: #690

Ability to return the DN added here: #698
