Hi,
Are AD nested groups supported with Foreman?
I cannot log in with a user which is a member of a nested group; a user
directly in a group works fine.
The rake ldap:refresh_usergroups task gives the following error message:
User group <group> could not be refreshed - LDAP source LDAP-<ldap> not
available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
Stefan
Hi Stefan
> Hi,
>
> Are AD nested groups supported with Foreman?
> As I cannot login with a user which is a member of a nested group, a user
> directly in a group works fine.
>
>
> The rake ldap:refresh_usergroups task gives the following error message;
> User group <group> could not be refreshed - LDAP source LDAP-<ldap> not
> available: LdapFluff::ActiveDirectory::MemberService::UIDNotFoundException
[…]
Looks similar to Bug #16231: [LDAP] Support AD Universal Groups (UIDNotFoundException) - Foreman. In our case
nested groups work though, it looks like this:
- foreman_admins (group)
- server_admins (group)
- user2
- foreman_users (group)
It also works on filters by using the LDAP_MATCHING_RULE_IN_CHAIN flag:
filter = memberOf:1.2.840.113556.1.4.1941:=cn=mygroup,ou=foo,ou=bar…
Cheers
Michael
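
The difference between a plain memberOf match and the LDAP_MATCHING_RULE_IN_CHAIN filter mentioned in the reply above, as an added Ruby example that is not part of the original posts or of Foreman or ldap_fluff code. The DNs, the assumed nesting (user2 in server_admins in foreman_admins), the helper names and the in-memory directory are constructed for illustration; the local walk only models what the directory server evaluates.

```ruby
# Added example; the DNs and directory contents are constructed.
IN_CHAIN_OID = '1.2.840.113556.1.4.1941' # LDAP_MATCHING_RULE_IN_CHAIN

# RFC 4515: escape \ * ( ) and NUL in a filter assertion value.
def escape_filter_value(value)
  value.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

# Matches entries that are direct members of group_dn only.
def direct_member_filter(group_dn)
  "(memberOf=#{escape_filter_value(group_dn)})"
end

# Matches direct and nested members: AD walks the memberOf chain server-side.
def nested_member_filter(group_dn)
  "(memberOf:#{IN_CHAIN_OID}:=#{escape_filter_value(group_dn)})"
end

BASE = 'dc=example,dc=test'
ADMINS = "cn=foreman_admins,ou=groups,#{BASE}"
SERVER = "cn=server_admins,ou=groups,#{BASE}"
USER2  = "cn=user2,ou=people,#{BASE}"
# entry DN => its direct memberOf values (assumed nesting; includes a loop)
MEMBER_OF = { USER2 => [SERVER], SERVER => [ADMINS], ADMINS => [SERVER] }.freeze

# Local model of the plain memberOf match.
def direct_member?(dn, group_dn, member_of)
  member_of.fetch(dn, []).include?(group_dn)
end

# Local model of the in-chain match; the visited set stops on circular nesting.
def member_in_chain?(dn, group_dn, member_of)
  seen = {}
  queue = [dn]
  until queue.empty?
    current = queue.shift
    next if seen[current]
    seen[current] = true
    member_of.fetch(current, []).each do |group|
      return true if group == group_dn
      queue << group
    end
  end
  false
end

if __FILE__ == $PROGRAM_NAME
  puts nested_member_filter(ADMINS)
  puts "direct: #{direct_member?(USER2, ADMINS, MEMBER_OF)}"
  puts "in chain: #{member_in_chain?(USER2, ADMINS, MEMBER_OF)}"
end
```

Escaping matters when the group DN comes from configuration or user input: a name containing parentheses or a backslash-escaped comma would otherwise yield a malformed or altered filter.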
On Mon, 22 Aug 2016 10:58:35 -0700 (PDT) Stefan Heijmans wrote:
>
> It also works on filters by using the LDAP_MATCHING_RULE_IN_CHAIN flag:
>
> filter = memberOf:1.2.840.113556.1.4.1941:=cn=mygroup,ou=foo,ou=bar…
>
> Thanks Michael, it's working now.
On Tuesday, August 23, 2016 at 7:56:17 AM UTC+2, Michael Hofer wrote: