Hi, we hacked ldap to support this feature a long time ago, and I have cleaned up the code a bit and updated it for the latest dev branch.

I'm not really sure if this is already supported, but I have tried many LDAP configurations to use nested groups with our AD configuration, and groups are not caught when they are part of the same OU.

Here is the example AD configuration: we have a bunch of groups in an OU called Intranet.

These groups reference each other for different purposes.

For example, we have a group called Intranet - Barcelona office, and this group is memberOf Intranet - Offices; when a user is part of Intranet - Barcelona office it should also be part of Intranet - Offices, easy.

AD skeleton

The thing is that this group is not discovered with any configuration.

With the supplied patch you can specify a group property used to get the groups it is a member of, like for the user object in the server config page.

server config

And the nested logic will search each group's attribute referencing other groups.

If that is something the current ldap module could support, any help setting it up would be appreciated.

\BR
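The nested lookup the patch describes (follow the configured group attribute from the user, then from each discovered group, keeping only entries whose objectClass matches the configured group class), as an added Python example that is not part of the patch or of the ldap module. The directory entries and DNs are constructed, and the cycle between the two Intranet groups is deliberate so the resolver has to cope with it.

```python
from collections import deque

# Constructed mini-directory keyed by lower-cased DN; values keep original case
# for the DNs stored in memberOf, as AD returns them.
DIRECTORY = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "objectclass": ["top", "person", "user"],
        "memberof": ["CN=Intranet - Barcelona office,OU=Intranet,DC=example,DC=com"],
    },
    "cn=intranet - barcelona office,ou=intranet,dc=example,dc=com": {
        "objectclass": ["top", "group"],
        "memberof": ["CN=Intranet - Offices,OU=Intranet,DC=example,DC=com"],
    },
    "cn=intranet - offices,ou=intranet,dc=example,dc=com": {
        "objectclass": ["top", "group"],
        # Points back to the Barcelona group (cycle) and to a non-group entry.
        "memberof": [
            "CN=Intranet - Barcelona office,OU=Intranet,DC=example,DC=com",
            "CN=Print Queue,OU=Intranet,DC=example,DC=com",
        ],
    },
    "cn=print queue,ou=intranet,dc=example,dc=com": {
        "objectclass": ["top", "printQueue"],
        "memberof": [],
    },
}


def nested_groups(user_dn, directory, group_object_class="group", max_depth=10):
    """Return the sorted list of group DNs the user belongs to, directly or
    through nested memberOf links. DN comparison is case-insensitive, already
    visited DNs are skipped (cycle protection) and depth is bounded."""
    found = {}
    seen = {user_dn.lower()}
    queue = deque([(user_dn, 0)])
    while queue:
        dn, depth = queue.popleft()
        entry = directory.get(dn.lower())
        if entry is None or depth >= max_depth:
            continue
        for parent in entry.get("memberof", []):
            key = parent.lower()
            if key in seen:
                continue
            seen.add(key)
            classes = [c.lower() for c in directory.get(key, {}).get("objectclass", [])]
            # Like the patch: only entries of the configured group class count,
            # and only those are followed further up the chain.
            if group_object_class.lower() in classes:
                found[key] = parent
                queue.append((parent, depth + 1))
    return sorted(found.values())
```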


Comments

vgalindus’s picture

vgalindus’s picture

johnbarclay’s picture

Title: Support for nested groups from memberOf attribute » LDAP Authorization: Support for nested groups from memberOf attribute
Issue tags: +D7+stable+release+blocker

This idea makes sense. "Groups" in this module are defined in a variety of ways, but all seem to have plenty of use cases.

carlovdb’s picture

When I try to apply this patch, it gives me this error:

Only garbage was found in the patch input.

haydeniv’s picture

As a workaround, if you have a small number of nested groups, I just use the LDAP to Drupal role mapping to map the nested group to the Drupal role. So if I had:
LDAP_Group_A|Drupal_Role_A
Nested_LDAP_Group B|Drupal_Role_ A

kenorb’s picture

Status: Active » Needs review
haydeniv’s picture

pahles’s picture

Tried the patch, but this broke my whole configuration. We are using the LDAP Authorization - OG module to make the user member of an OG based on their membership of an AD group. I will try to investigate.

wendyschuppenasster’s picture

Hi, I was wondering if someone has applied the patch above and if it works?

larowlan’s picture

Status: Needs review » Needs work
Issue tags: -D7+stable+release+blocker +7.x-2.0 release blocker, +Needs tests

This needs some tests; there is a lot of code here, and hence lots of things that could go awry.

  1. +++ b/ldap_servers/LdapServer.class.php
    @@ -1539,8 +1545,7 @@ class LdapServer {
    - /**
    -  /**
    + /**  ¶
    
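Review bot: the replacement line `+ /**  ¶` still carries trailing whitespace (the ¶ marker), so while the hunk removes the duplicated `/**` docblock opener it leaves a whitespace violation in its place; trim the trailing spaces so the line is just ` /**`.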

    unneeded

  2. +++ b/ldap_servers/LdapServer.class.php
    @@ -1766,29 +1772,46 @@ class LdapServer {
    +        $member_id = ldap_servers_get_first_rdn_value_from_dn($group_entry['dn'], $this->groupMembershipsAttrMatchingUserAttr);          ¶
    ...
    +      	    foreach($goc as $g) {
    +      	      $g=drupal_strtolower($g);
    +      	      if($g == $this->groupObjectClass) {
    +            		// found a group, current user must be member in it - so:
    +            		if ($this->detailed_watchdog_log) {
    +            		  watchdog('ldap_server', 'adding %mi', array('%mi'=>$member_id));
    +          		  }
    +            		$member_id=$group_entry['dn'];
    +            		break;
    +      	      }
    +      	    }
    +      	  }
    +      	}
    ...
    +            $tmember_id = ldap_servers_get_first_rdn_value_from_dn($value, $this->groupMembershipsAttrMatchingUserAttr);          ¶
    
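Review bot: the watchdog call logs `$member_id` before the line `$member_id=$group_entry['dn'];` overwrites it, so the 'adding %mi' message records the RDN value returned by ldap_servers_get_first_rdn_value_from_dn() rather than the DN that is actually used afterwards; move the assignment above the log call or log `$group_entry['dn']` directly. The block also mixes tabs and spaces for indentation, leaves trailing whitespace on the `$member_id = ...` and `$tmember_id = ...` lines (¶), and `foreach($goc as $g)`, `$g=drupal_strtolower($g)` and `if($g == $this->groupObjectClass)` need the spaces around keywords and operators that Drupal coding standards require.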

    whitespace issues here

grahl’s picture

Status: Needs work » Needs review

Status: Needs review » Needs work

The last submitted patch, 7: ldap_authorization-2227163-7.patch, failed testing.

abarpetia’s picture

Has anyone got this working? I have rerolled the #7 patch but could not get it working. Attaching the patch in case someone would like to review it.

grahl’s picture

nimoatwoodway’s picture

Is there any way to achieve this with the Drupal 8 version of this module?

nimoatwoodway’s picture

Already works as designed with version 8.x-3!

My config was not correct.

This hint helped me: https://www.drupal.org/project/ldap/issues/1917254#comment-8975207, in case someone else has the same problem.

grahl’s picture

Status: Needs work » Closed (outdated)

Closing issue as outdated due to no further development on 7.x; if you feel this issue is still relevant and you are willing to work on a patch and/or debug the problem, please reopen.