Add ability to get groups from memberof attribute. #3902

Open. Wants to merge 1 commit into base: master.
Conversation

@r9odt r9odt commented Dec 31, 2024

Overview

In the case of using FreeIPA, the user has a set of memberOf attributes that contain the DNs of groups, sudo rules, and HBAC rules. The ability to use the memberOf/dn combination in userMatchers has been added to retrieve groups directly from the user entry without additional group queries. Additionally, memberOf values that do not have the BaseDN as their suffix or do not start with the NameAttr ({NameAttr}=groupname,{BaseDN}) are discarded.

What this PR does / why we need it

When an LDAP user looks like this

dn: uid=test,cn=users,cn=accounts,dc=example,dc=com
uid: test
displayName: Test User
gecos: Test User
loginShell: /bin/bash
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
memberOf: ipaUniqueID=UUIDPLACEHOLDER,cn=hbac,dc=example,dc=com
memberOf: ipaUniqueID=UUIDPLACEHOLDER,cn=sudorules,cn=sudo,dc=example,dc=com
memberOf: cn=wazuh-users,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=dex-admins,cn=groups,cn=accounts,dc=example,dc=com
sn: User
givenName: Test
cn: Test User
mail: test@example.com

and we use

groupSearch:
  baseDN: cn=groups,cn=accounts,dc=example,dc=com
  nameAttr: cn
  userMatchers:
    - userAttr: memberOf
      groupAttr: dn
      groupPrefix: dex # works only if userAttr is 'memberOf' and groupAttr is 'dn'

It allows getting the user's groups from the user's entry. For this example the expected groups are: dex-admins
If we use the standard functionality, it returns no groups, because (I guess) an ldapsearch cannot be performed with a filter like (dn=ENTITYDN).
Also, we can't use the member attributes of groups, because nested groups are mapped the same way as users and more queries need to be made.

Special notes for your reviewer

In the case of using FreeIPA, the user has a set of memberOf attributes that contain the DNs of groups, sudo rules, and HBAC rules.
The ability to use the memberOf/dn combination in userMatchers has been added to retrieve groups directly from the user entry without additional group queries.
Additionally, memberOf values that do not have the BaseDN as their suffix or do not start with the NameAttr ({NameAttr}=groupname,{BaseDN}) are discarded.

Signed-off-by: Alexey R. <r9odt@yandex.ru>
@r9odt r9odt changed the title fix: Add ability to get groups dn from memberof attribute. Add ability to get groups dn from memberof attribute. Dec 31, 2024
@r9odt r9odt changed the title Add ability to get groups dn from memberof attribute. Add ability to get groups from memberof attribute. Dec 31, 2024
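The filtering rule the PR describes (keep a memberOf value only when it has the form {NameAttr}=groupname,{BaseDN}, then apply groupPrefix), worked through as an added example in Go. This is not code from the PR or from dex's own LDAP connector; the GroupSearchConfig type, the function names and the two extra memberOf entries at the end of the sample list are assumptions constructed for the example. The sample user's memberOf values are taken from the LDIF in the PR description.

```go
package main

import (
	"fmt"
	"strings"
)

// GroupSearchConfig holds the parts of a groupSearch block that the
// memberOf/dn matcher needs. The type name is an assumption for this example.
type GroupSearchConfig struct {
	BaseDN      string // e.g. cn=groups,cn=accounts,dc=example,dc=com
	NameAttr    string // e.g. cn
	GroupPrefix string // optional: keep only groups whose name starts with this
}

// splitRDNs splits a DN into its RDN components on unescaped commas, so an
// escaped comma inside a value (cn=a\,b) does not produce a bogus component.
func splitRDNs(dn string) []string {
	var parts []string
	var cur strings.Builder
	escaped := false
	for _, r := range dn {
		switch {
		case escaped:
			cur.WriteRune(r)
			escaped = false
		case r == '\\':
			cur.WriteRune(r)
			escaped = true
		case r == ',':
			parts = append(parts, strings.TrimSpace(cur.String()))
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	return append(parts, strings.TrimSpace(cur.String()))
}

// rdnValue returns the value of one RDN when its attribute type equals attr
// (case-insensitively); escaped commas in the value are unescaped.
func rdnValue(rdn, attr string) (string, bool) {
	i := strings.IndexByte(rdn, '=')
	if i < 0 || !strings.EqualFold(strings.TrimSpace(rdn[:i]), attr) {
		return "", false
	}
	return strings.ReplaceAll(strings.TrimSpace(rdn[i+1:]), `\,`, ","), true
}

// GroupsFromMemberOf keeps a memberOf value only if it is exactly
// {NameAttr}=<name>,{BaseDN}: one RDN in front of the base DN, so HBAC and
// sudo entries under other containers and entries nested below a group are
// discarded. GroupPrefix, when set, is then applied to the group name.
func GroupsFromMemberOf(memberOf []string, cfg GroupSearchConfig) []string {
	base := splitRDNs(cfg.BaseDN)
	var groups []string
	for _, dn := range memberOf {
		parts := splitRDNs(dn)
		if len(parts) != len(base)+1 {
			continue // not a direct child of BaseDN
		}
		match := true
		for i := range base {
			if !strings.EqualFold(parts[i+1], base[i]) {
				match = false
				break
			}
		}
		if !match {
			continue // suffix is not BaseDN
		}
		name, ok := rdnValue(parts[0], cfg.NameAttr)
		if !ok {
			continue // leading RDN is not {NameAttr}=...
		}
		if cfg.GroupPrefix != "" && !strings.HasPrefix(name, cfg.GroupPrefix) {
			continue
		}
		groups = append(groups, name)
	}
	return groups
}

// SampleMemberOf is the memberOf list from the PR's LDIF plus two constructed
// entries that exercise the direct-child and name-attribute checks.
var SampleMemberOf = []string{
	"cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com",
	"cn=admins,cn=groups,cn=accounts,dc=example,dc=com",
	"ipaUniqueID=UUIDPLACEHOLDER,cn=hbac,dc=example,dc=com",
	"ipaUniqueID=UUIDPLACEHOLDER,cn=sudorules,cn=sudo,dc=example,dc=com",
	"cn=wazuh-users,cn=groups,cn=accounts,dc=example,dc=com",
	"cn=dex-admins,cn=groups,cn=accounts,dc=example,dc=com",
	"cn=dex-ops,cn=admins,cn=groups,cn=accounts,dc=example,dc=com", // constructed: nested below a group
	"ou=dex-team,cn=groups,cn=accounts,dc=example,dc=com",          // constructed: wrong name attribute
}

func main() {
	cfg := GroupSearchConfig{BaseDN: "cn=groups,cn=accounts,dc=example,dc=com", NameAttr: "cn"}
	fmt.Println(GroupsFromMemberOf(SampleMemberOf, cfg)) // all four groups
	cfg.GroupPrefix = "dex"
	fmt.Println(GroupsFromMemberOf(SampleMemberOf, cfg)) // only dex-admins
}
```

Two points a reviewer would check in the real implementation. First, the suffix test has to be component-aware: a plain string suffix match on BaseDN also accepts entries nested one or more levels below a group (the constructed cn=dex-ops entry above), which the description says should be discarded. Second, this approach trusts the user entry's memberOf values as the group source; that is sound where memberOf is maintained by the server (as with FreeIPA) and not writable by the user, and should not be enabled against a directory where the user can set that attribute on their own entry.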