Support for Windows AD nested groups via LDAP

Zendesk API User

• 2 avril 2024 10:59

Author: hbarthel
Publication Date: 4/2/2024 10:59

Hey guys,

I only see a config parameter "LDAP.IMPORT_USER.GROUP_ATTRIBUTE" to specify the memberOf LDAP attribute. But we see nested groups are not resolved by AD.

Like this it should be possible:

memberOf:1.2.840.113556.1.4.1941:={0}

where {0} is the DN of the nested group

Is there a chance to specify to resolve nested groups also with FS? Maybe also by querying the tokenGroups attribute ?

Cheers, Heiko

0

• 

  Zendesk API User

  • 8 avril 2024 08:19

  Author: hbarthel - 4/8/2024 8:19
  

  For the records: support told me that it's not supported. When I added "tokenGroups" to the GROUP_ATTRIBUTE, FS unfortunately reads it as String and only garbage is used. I wrote my own LoginModule as a prototype. When I set

  env.put("java.naming.ldap.attributes.binary", "objectSID tokenGroups");

  it will be returned as a byte[]. So I can read out the nested groups and convert it:

  String sidHex = "";

  for (byte b : sid) {

  sidHex += "\\" + toHexString(b);

  }

   

  private static String toHexString(final byte b) {

  String hexString = Integer.toHexString(b & 0xFF);

  if (hexString.length() % 2 != 0) {

  hexString = "0" + hexString;

  }

  return hexString;

  }

   

  Now I could search for this object like: (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)

  0

Vous devez vous connecter pour laisser un commentaire.