Posted by johnbarclay on January 6, 2011 at 4:15am
| Project: | Lightweight Directory Access Protocol (LDAP) |
| Version: | 7.x-2.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | johnbarclay |
| Status: | closed (fixed) |
| Issue tags: | D7 stable release blocker |
Issue Summary
Authorization of users who belong to a group that belongs to a group.
Use Case: In an enterprise scenario, it is very likely that users will be added to a departmental group and that group will be added to an application group. This way, a new member of the department only has to be added to one group to receive all their services.
Comments
#1
See also #436962: LDAP Groups module does not recurse through AD security group containers to discover nested group members for starter code.
#2
#3
Subscribe -- critical feature for all enterprise installations.
#4
I'm open to a patch for 7.x-1.x if someone can articulate the ldap user attributes to write a simpletest for this.
#5
The best way to implement nested groups is:
1) articulate what nested groups means in a variety of LDAPs (Active Directory, Novell, OpenLDAP)
2) pseudo code the user interface and recursing process.
3) Submit the pseudo code here so everyone can see if that recursion works in their LDAP flavor.
At that point the code itself may turn out to be quite simple. I've been told this is critical to many enterprise implementations going all the way back to drupal 5 ldap_integration, but haven't seen a lick of code toward it.
#6
Just a thought; I believe recursion needs to be performed BEFORE any group-to-role filtering happens, since at least in our usage of Drupal, a user might be in the "DrSmithStudent" Active Directory group, which is in the "AllStudentWorkers" group, which is mapped to a Drupal role. So even filtered-out groups need to be considered when recursing -- at least in our usage.
#7
Here is an example of what I mean in #5. Hope this helps illustrate what I am looking for.
Nested Group Definition #1. Active Directory OU (organizational unit)
Group is defined by which OUs a user object is contained in. Nested groups are signified by the hierarchy of OUs.
Example
user dn:
cn=jbarclay,ou=campus accounts,ou=college of education,dc=ad,dc=uiuc,dc=edu
user groups: campus accounts, college of education
Pseudo Code
When nested groups checked and "II.A. Derive drupal role from DN" has a setting of "cn", groups contained will include all ou values (e.g. campus accounts, college of education)
#8
We figured out a good way to implement this for one LDAP implementation type at a time. We are working on Active Directory currently. See [#comment-5103276]
If you have another ldap implementation and want to write the code to support nested groups, post to this thread.
#9
D7 stable release blocker
#10
That link should be: http://drupal.org/node/1115704#comment-5103276.
The shell of this is already written.
For the 7.1 release I'm going to implement Active Directory and a generic LDAP, probably OpenLDAP. OpenLDAP logic may belong in the abstract class "LdapTypeAbstract.class.php". I will also implement a custom extension module for the university I work at as a proof of concept for extending the server class for local customization.
Implementation Steps:
Test Coverage:
Should be integrated into the current ldap authorization tests, with additional nested mock groups and nested checks turned on and off.
#11
#12
Made some progress on this for groups method IIB (groups are in the user's LDAP attributes). Here's the pseudo code:
given:
- user ldap entry ($user_ldap_entry)
- attribute containing groups (e.g. memberOf), configurable
- object type of group (e.g. group), configurable
- list of base dns (e.g. OU=Education,DC=ad,DC=uiuc,DC=edu, OU=Campus Accounts,DC=ad,DC=uiuc,DC=edu)
(1) Add all $user_ldap_entry memberOf attribute values to $authorizations
(2) query 1: get entries of all groups that have memberOf values (all groups that have parents)
basedn=OU=Education,DC=ad,DC=uiuc,DC=edu
filter=(&(objectCategory=group)(memberOf=*)(|
(distinguishedName=$user_ldap_entry['memberOf'][1])
(distinguishedName=$user_ldap_entry['memberOf'][2])
...
))
attributes = memberOf
(3) Loop through resulting entries of query and add all memberOf attributes to $authorizations (that were not already in $authorizations).
(4) Construct a query like #2 with parent groups and add memberOf attributes
(5) ...and so on as long as the limit of 10 is not hit and new authorizations are being added. This involves 1 query for each level of nesting instead of one query for each ancestor-descendant relationship. This may be problematic if someone is in more than 1000 groups, but could be done in batches of 100 or so also.
At my university, I get 219 groups with 4 levels of queries (8 queries for 2 basedns). If you use N basedns the number of queries multiplies by n so I'm going to start just using one higher basedn: this has the advantage of not running into barriers when querying for groups outside of your basedns.
I'll commit this code after I do the nested groups for case IIC, but I wanted to get feedback on the approach. I also was wondering if the following were well known for ldap implementations:
- configurable attribute containing groups (e.g. memberOf),
- configurable object type of group (e.g. group)
Novell's eDirectory:
- member or groupMember ?
- groupOfNames
Active Directory:
- memberOf
- group
Oracle and Netscape:
(http://docs.oracle.com/cd/E22289_01/html/821-1273/defining-groups.html#d...)
- uniquemember
- groupOfUniqueNames
Open LDAP:
- ?
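The level-by-level resolution from steps (1) to (5) above, as an added example that is not the ldap module's own code: it builds the step (2) filter with RFC 4515 escaping (so a group DN containing parentheses or a wildcard cannot change the meaning of the query), runs one query per nesting level against a small constructed directory that stands in for ldap_search(), deduplicates results, and stops on the level limit or when a level adds nothing new, which also terminates on circular group membership. The directory contents, the mock_search stand-in and the `max_levels` name are assumptions for the illustration.

```python
import re

# Constructed sample directory: group DN -> its memberOf values (parent groups).
# Stands in for an LDAP server; not data from the ldap module or any real site.
DIRECTORY = {
    "CN=DrSmithStudent,OU=Education,DC=ad,DC=example,DC=edu": [
        "CN=AllStudentWorkers,OU=Education,DC=ad,DC=example,DC=edu"],
    "CN=AllStudentWorkers,OU=Education,DC=ad,DC=example,DC=edu": [
        "CN=Campus (All),OU=Education,DC=ad,DC=example,DC=edu"],
    "CN=Campus (All),OU=Education,DC=ad,DC=example,DC=edu": [
        "CN=DrSmithStudent,OU=Education,DC=ad,DC=example,DC=edu"],  # deliberate cycle
    "CN=Library,OU=Education,DC=ad,DC=example,DC=edu": [],
}

def escape_filter_value(value):
    """RFC 4515 escaping: ( ) * \\ and NUL inside a DN must not alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def build_parent_filter(group_dns):
    """Step (2) query: groups that have parents and whose DN is in group_dns."""
    clauses = "".join("(distinguishedName=%s)" % escape_filter_value(dn) for dn in group_dns)
    return "(&(objectCategory=group)(memberOf=*)(|%s))" % clauses

def mock_search(ldap_filter):
    """Stand-in for ldap_search(): evaluates the distinguishedName clauses on DIRECTORY."""
    wanted = {re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), v)
              for v in re.findall(r"\(distinguishedName=([^)]*)\)", ldap_filter)}
    return [{"dn": dn, "memberOf": parents}
            for dn, parents in DIRECTORY.items() if dn in wanted and parents]

def resolve_nested_groups(user_entry, search=mock_search, max_levels=10):
    """Steps (1)-(5): one query per nesting level; returns (authorizations, query count)."""
    authorizations = list(user_entry.get("memberOf", []))  # step (1)
    frontier = list(authorizations)
    queries = 0
    while frontier and queries < max_levels:
        queries += 1
        new_dns = []
        for entry in search(build_parent_filter(frontier)):
            for parent in entry["memberOf"]:
                if parent not in authorizations:  # step (3): only add what is new
                    authorizations.append(parent)
                    new_dns.append(parent)
        frontier = new_dns  # step (4): next level queries only the newly found parents
    return authorizations, queries
```

Because the loop queries only DNs found at the previous level, a directory where everything sits in one flat group costs a single query, while a chain of N nested groups costs N queries up to `max_levels`.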
#13
#14
The UI and code for strategy IIB and IIC nested groups is in 7.x-1.x-dev. Can those of you using this look through the following and see if it makes sense for your LDAP implementations:
Overview of how it is implemented in IIC is at:
http://drupalcode.org/project/ldap.git/blob_plain/refs/heads/7.x-1.x:/ld...
And unit tests for how it is implemented in IIB are at:
http://drupalcode.org/project/ldap.git/tree/refs/heads/7.x-1.x:/ldap_aut...
#15
OpenLDAP implementation has no distinguishedName attribute. This needs to be reworked to allow setting the attribute holding the DN OR iterate through more LDAP queries.
#16
#17
Automatically closed -- issue fixed for 2 weeks with no activity.