LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

bruce_Grant — Thu, 22 Dec 2011 15:04:28 GMT

Several years back I wanted to use Active Directory as a LDAP server for Nuxeo but I ran into issues using groups with subgroups. The issue, I believe, was that sub-groups would not resolve and so only single level groups could be used for access controls. In any case, my question is, from 5.4.2 onward are nested AD groups supported in Nuxeo? If yes, then what if anything is required to configure this (apart from the obvious contribution to enable group handing)?

My group contribution looks as follows...LDIF snippets are added below the group contribution (Dec 28/2011).

<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<require>org.nuxeo.ecm.directory.ldap.storage.users</require>

<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
	<directory name="groupLdapDirectory">
		<!-- Reuse the default server configuration defined for userDirectory -->
		<server>default</server>
		<schema>group</schema>
		<idField>groupname</idField>
		<searchBaseDn>OU=_MAILGROUPS,DC=test,DC=com</searchBaseDn>
		<searchFilter>
			((objectClass=group))
		</searchFilter>			
		<searchScope>subtree</searchScope>
		<readOnly>true</readOnly>
		<!-- comment <cache* /> tags to disable the cache -->
		<!-- cache timeout in seconds -->
		<cacheTimeout>3600</cacheTimeout>
		<!-- maximum number of cached entries before global invalidation -->
		<cacheMaxSize>2000</cacheMaxSize>
		<creationBaseDn>DC=test,DC=com</creationBaseDn>
		<creationClass>top</creationClass>
		<creationClass>group</creationClass>
		<!-- Maximum number of entries returned by the search -->
		<querySizeLimit>500</querySizeLimit>
		<!-- Time to wait for a search to finish. 0 to wait indefinitely -->
		<queryTimeLimit>0</queryTimeLimit>
		<rdnAttribute>sAMAccountName</rdnAttribute>
		<fieldMapping name="groupname">sAMAccountName</fieldMapping>
		<references>
			<ldapReference field="members" directory="userLdapDirectory" forceDnConsistencyCheck="false"
				staticAttributeId="member" dynamicAttributeId="memberURL" />
			<ldapReference field="subGroups" directory="groupLdapDirectory" forceDnConsistencyCheck="false"
				staticAttributeId="uniqueMember" dynamicAttributeId="memberURL" />
			<inverseReference field="parentGroups" directory="groupLdapDirectory" dualReferenceField="subGroups" />
			<ldapTreeReference field="directChildren" directory="unitDirectory" scope="onelevel" />
			<ldapTreeReference field="children" directory="unitDirectory" scope="subtree" />
		</references>
	</directory>
</extension>
</component>

======= Snippet one - group contained in the 'all' group

dn: CN=grpUSA,OU=_MAILGROUPS,DC=test,DC=com objectClass: top objectClass: group cn: grpUSA member: CN=grpA,OU=_MAILGROUPS,DC=test,DC=com member: CN=grpB,OU=_MAILGROUPS,DC=test,DC=com member: CN=grpC,OU=_MAILGROUPS,DC=test,DC=com distinguishedName: CN=grpUSA,OU=_MAILGROUPS,DC=test,DC=com instanceType: 4 : memberOf: CN=all,OU=_MAILGROUPS,DC=test,DC=com name: grpUSA : sAMAccountName: grpUSA sAMAccountType: 268435457 groupType: 2 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=com :

======= Snippet two - group contained in the 'grpUSA' group above dn: CN=grpC,OU=_MAILGROUPS,DC=test,DC=com objectClass: top objectClass: group cn: grpC member: CN=Rocky,OU=_Retired Accounts,DC=test,DC=com member: CN=Rustin,OU=Users,OU=_SEATTLE,DC=test,DC=com member: CN=Larry,OU=Users,OU=_SEATTLE,DC=test,DC=com member: CN=Delane,OU=Users,OU=_SEATTLE,DC=test,DC=com member: CN=Karen,OU=Users,OU=_SEATTLE,DC=test,DC=com member: CN=Alissa,OU=Users,OU=_SEATTLE,DC=test,DC=com distinguishedName: CN=grpC,OU=_MAILGROUPS,DC=test,DC=com instanceType: 4 : memberOf: CN=grpUSA,OU=_MAILGROUPS,DC=test,DC=com memberOf: CN=all,OU=_MAILGROUPS,DC=test,DC=com name: grpC : sAMAccountName: grpC sAMAccountType: 268435457 groupType: 2 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=com :

Anyone else running AD integration with nested groups for Access Control?

Re: LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

Olivier_Grisel — Wed, 28 Dec 2011 17:06:57 GMT

It depends on what you call a "nested" subgroups. Can you please update you question by including a LDIF snippet giving a description of a 2 such nested subgroups as stored in your AD server and I will update my answer to tell you if changes are need on your configuration file to resolve them from nuxeo.

Re: LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

bruce_Grant — Tue, 03 Jan 2012 14:50:00 GMT

question updated!

topic Re: LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts? in Nuxeo Forum

LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

Re: LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

Re: LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?