
I'm using FreeIPA as an LDAP backend for my Flask app. So far I've used flask-simpleldap with OpenLDAP to get the group membership of a user, which works fine with the following options:

LDAP_BASE_DN="dc=myrealm,dc=com"
LDAP_REALM_NAME="MyFunRealm"
LDAP_OBJECTS_DN="dn"
LDAP_USER_OBJECT_FILTER="(&(objectclass=inetorgperson)(uid=%s))"
LDAP_GROUP_MEMBERS_FIELD="member"
LDAP_GROUP_OBJECT_FILTER="(&(objectclass=groupofnames)(member=%s))"
LDAP_GROUP_MEMBER_FILTER="member=%s"
LDAP_GROUP_MEMBER_FILTER_FIELD="cn"

I want to change the LDAP structure of my users to place groups inside groups, but the above settings only give the user's "first level" group. (Sorry, I'm unfamiliar with LDAP and its terminology.)

How can I change the query/filter to get a list of all groups the user is a member of through group-in-group membership?

Lars
  • What do you mean by group in group? The filter `(&(objectclass=groupofnames)(member=%s))` will give you all the groups the user `%s` is `memberOf` regardless of where the group is in the tree. – Esteban Sep 12 '17 at 09:08
  • A group could contain users or other groups. If a user is in a group that is a member of another group, I want both of these groups to appear in the search. The search in my question only returns the direct group membership. – Lars Sep 12 '17 at 09:46

1 Answer


I don't think it is possible considering your setup (i.e. Flask + OpenLDAP).

OpenLDAP does not (to my knowledge) have a built-in mechanism to filter on nested groups. And Flask does the request for you, so you can't implement the recursive search easily.

In other directories (AD for example) you can specify an extensible matching rule for filtering nested groups, something along this line:

(&(objectclass=groupofnames)(member:1.2.840.113556.1.4.1941:=%s))

But this specific extensible matching rule does not exist in OpenLDAP.

Esteban
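The recursive search the answer says you would have to implement yourself, as an added Python example that is not from the question, the answer or flask-simpleldap. It re-issues the question's `(&(objectclass=groupofnames)(member=%s))` filter once per newly found group, escapes the substituted DN per RFC 4515 so DN characters cannot alter the filter, and stops on cycles. The `search` callable is an assumption (a wrapper returning the DNs matching a filter, e.g. around python-ldap's `search_s`); the directory below is constructed in memory so the example runs offline.

```python
# Added example (not from the question, the answer or flask-simpleldap):
# resolve group-in-group membership by re-issuing the page's group filter
# once per newly discovered group, breadth-first, until no new group appears.
import re
from collections import deque

# Same shape as the question's LDAP_GROUP_OBJECT_FILTER.
GROUP_FILTER = "(&(objectclass=groupofnames)(member=%s))"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing '(', ')', '*', '\\' or NUL
    cannot change the meaning of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def nested_groups(search, user_dn: str) -> list[str]:
    """Every group DN that user_dn belongs to, directly or via nested groups.
    `search(ldap_filter)` is an assumed callable returning the DNs of the
    entries matching the filter under the base DN (e.g. a thin wrapper
    around python-ldap's search_s with SCOPE_SUBTREE)."""
    found: list[str] = []
    seen = {user_dn}  # also guards against A-in-B-in-A cycles
    queue = deque([user_dn])
    while queue:
        member_dn = queue.popleft()
        for group_dn in search(GROUP_FILTER % escape_filter_value(member_dn)):
            if group_dn not in seen:
                seen.add(group_dn)
                found.append(group_dn)
                queue.append(group_dn)  # a group's parents are the user's groups too
    return found

# Constructed in-memory directory standing in for the LDAP server:
# group DN -> set of member DNs. 'staff' is put inside 'devs' to form a cycle.
BASE = "dc=myrealm,dc=com"
LARS, ALICE = f"uid=lars,cn=users,{BASE}", f"uid=alice,cn=users,{BASE}"
DEVS, ENG, STAFF, OPS = (f"cn={g},cn=groups,{BASE}" for g in ("devs", "engineering", "staff", "ops"))
FAKE_DIRECTORY = {DEVS: {LARS, STAFF}, ENG: {DEVS}, STAFF: {ENG}, OPS: {ALICE}}

def fake_search(ldap_filter: str) -> list[str]:
    """Emulate the server for the one filter shape this example issues."""
    m = re.fullmatch(r"\(&\(objectclass=groupofnames\)\(member=(.*)\)\)", ldap_filter)
    member = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return sorted(g for g, members in FAKE_DIRECTORY.items() if member in members)

if __name__ == "__main__":
    print(nested_groups(fake_search, LARS))  # devs, engineering, staff (ops omitted)
```

Each level of nesting costs one extra round trip to the server, which is the price of doing on the client what AD's matching rule does server-side.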