LDAP Group Membership
Phil Mayers
p.mayers at imperial.ac.uk
Fri Apr 25 14:54:37 CEST 2014
On 25/04/14 00:19, Arran Cudbard-Bell wrote:
> I think Phil mentioned something about a magic attribute you could
> search for in AD (with all those rebinds I'm guessing this is AD)
> which supported nested grouping.
>
> I started to look at adding it, and wrote most of the code, but didn't
> have time to finish it.
>
> If Phil can confirm that, that feature would help in this situation, I'll
> finish it off and merge the code.
That was the tokenGroups magic/virtual attribute, which is *only*
queryable from a "base" scope query on the user DN. The values are
binary-encoded SIDs which then need to be resolved to the groups via
objectSid lookups. The latter bit was moderately hard, which is why I
didn't roll a patch.
Someone else has already mentioned the other magic "deref nested groups"
control OID you can put in the filter.
Both are useful IMO.
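As an added illustration (not part of the thread, not FreeRADIUS code), the two pieces of the tokenGroups approach Phil describes: decoding the binary SID values that a base-scope query returns, and building an RFC 4515-escaped objectSid filter to map them back to group entries. It also builds the "deref nested groups" filter, assuming the OID meant is LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941). The domain SID, group DNs and the lookup table standing in for the directory are constructed sample data.

```python
import struct

# LDAP_MATCHING_RULE_IN_CHAIN: the AD extensible-match rule that walks nested
# group membership inside a single filter. Assumed to be the OID the post refers to.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed sample data: a made-up domain SID and a dict standing in for the
# objectSid -> DN lookup you would otherwise do against the directory.
CONSTRUCTED_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
CONSTRUCTED_DIRECTORY = {
    "S-1-5-32-545": "CN=Users,CN=Builtin,DC=example,DC=com",      # well-known Builtin\Users
    CONSTRUCTED_DOMAIN + "-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
    CONSTRUCTED_DOMAIN + "-1105": "CN=VPN-Users,OU=Groups,DC=example,DC=com",
}


def sid_bytes_to_string(sid: bytes) -> str:
    """Decode the binary SID layout used by objectSid/tokenGroups into S-R-A-S-S... form:
    1 byte revision, 1 byte sub-authority count, 6-byte big-endian identifier authority,
    then count x 32-bit little-endian sub-authorities."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(text: str) -> bytes:
    """Inverse of sid_bytes_to_string; used here to construct sample tokenGroups values."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """Escape every byte as \\XX so binary data can be embedded in an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % b for b in raw)


def ldap_escape_text(value: str) -> str:
    """RFC 4515 escaping of the characters that are special in filter values. This is
    also what stops a user-supplied DN or name from altering the filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def objectsid_filter(sids: list) -> str:
    """Filter that fetches the group entries for a list of binary SIDs in one search."""
    return "(|" + "".join("(objectSid=%s)" % ldap_escape_bytes(s) for s in sids) + ")"


def nested_member_filter(user_dn: str) -> str:
    """Filter for 'groups that contain user_dn, directly or through nested groups'."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, ldap_escape_text(user_dn))


def resolve_token_groups(token_groups: list, directory: dict):
    """Turn the binary tokenGroups values into group DNs via the objectSid lookup.
    Unresolvable SIDs are reported rather than dropped, so a stale or foreign SID
    is visible instead of silently shrinking the user's group list."""
    resolved, unresolved = [], []
    for raw in token_groups:
        sid = sid_bytes_to_string(raw)
        dn = directory.get(sid)
        (resolved.append(dn) if dn else unresolved.append(sid))
    return resolved, unresolved


# Constructed tokenGroups result: three known groups plus one SID the directory
# cannot resolve, as you might see after a group deletion.
CONSTRUCTED_TOKEN_GROUPS = [sid_string_to_bytes(s) for s in (
    "S-1-5-32-545",
    CONSTRUCTED_DOMAIN + "-513",
    CONSTRUCTED_DOMAIN + "-1105",
    CONSTRUCTED_DOMAIN + "-9999",
)]

if __name__ == "__main__":
    print(objectsid_filter(CONSTRUCTED_TOKEN_GROUPS))
    print(nested_member_filter("CN=Bob (IT),OU=People,DC=example,DC=com"))
    print(resolve_token_groups(CONSTRUCTED_TOKEN_GROUPS, CONSTRUCTED_DIRECTORY))
```

Against a real server the objectsid_filter would be sent as a subtree search under the domain base, and the dict lookup replaced by the returned entries; the text escaping in nested_member_filter matters whenever the DN or account name originates from the authenticating user.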