Support nested groups

I have bumped into the same problem too... Did anyone find a way to deal with this? I would be grateful if anyone can point me to good posts!

I ended up writing my own code to deal with this. We use Active Directory with groups associated with a group.

By any means it is not the most refined, but, as far as I can see (given not a lot of testing), it works for our circumstance where the nested groups under a group uses "member" attr. (I guess one can make this to be another parameter.) Hope this would be a use to someone.... Or at least a starting point to someone.

This function returns an array of the groups a user's groups belong to recursively.

// recursively collecting of groups until it does not find anymore
function ldapgroups_detect_group_recur($ldapgroups_ldap,$branch,$entries_groups,$arr_pickstr) {
        foreach ($entries_groups as $gp){
                $member_line[0][] = "member=".$gp;
        }
        $grp_stacker = null;
        $quit = false;
        $level = 0;
        while (!$quit) {
                $result = false;
                $temp_member_line = null;
                $next_level = $level+1;
                $level_result = false;
                // this will be going though every level
                foreach ($member_line[$level] as $ea_member_line) {
                        $entries_g = $ldapgroups_ldap->search($branch,$ea_member_line,$arr_pickstr);
                        if ($entries_g["count"] > 0) {
                                // this level will go thorugh each searching node
                                foreach ($entries_g as $idx => $entry_g) {
                                        if (isset($entry_g["dn"])) {
                                                $grp_stacker[] = $entry_g["dn"];
                                                $member_line[$next_level][] = "member=".$entry_g["dn"];
                                                $result = true;
                                        }
                                }
                                // if there is ever true in the next level, we will proceed.
                                // if everything is false, we come out of while loop.
                        }
                }
                if (!$result) {
                        $quit = true;
                }
                if (isset($member_line[$next_level])) $level++;
                $loopcnt++;
        }
        return $grp_stacker;
}

For instance, I have the following code in function called function _ldapgroups_detect_groups() calling above function ldapgroups_detect_group_recur(). The function generates the additional array to add to $entries_groups. (I use the section 3 here because that is what I use in LDAP group setting.)

  // Strategy 3: groups as entries
  $entries_groups = array();
  if ($groups_as_entries && $branches = $group_entries) {
    $branches_array = explode("\r\n", $branches);
    $group_attr = ($row->ldap_group_entries_attribute ? $row->ldap_group_entries_attribute : LDAP_DEFAULT_GROUP_ENTRIES_ATTRIBUTE);
    foreach ($branches_array as $branch) {
      $entries = $ldapgroups_ldap->search($branch,  "$group_attr=$user->ldap_dn", array($group_attr));
      if ($entries['count'] == 0) {
        $entries = $ldapgroups_ldap->search($branch,  "$group_attr=$user->name", array($group_attr));
      }
      foreach ($entries as $entry) {
        if (isset($entry['dn'])) { 
          $entries_groups[] = $entry['dn'];
        }
      }
      // === start of the custom code ===
      foreach ($branches_array as $branch) {
        $grps = ldapgroups_detect_group_recur($ldapgroups_ldap,$branch,$entries_groups,array("memberof"));
        if (is_array($grps)){
          foreach ($grps as $grp) {
            $entries_groups[] = $grp;
          }
        }
      }
      // === end of  the code ==
    }

Hm...I solved this problem without any coding, you can read about in How to map AD role to custom named role.

Cheers.

I am glad your problem resolved that way. I really did not want to have to code either.

I also looked into the way you pointed while I was looking for options, but we really could not afford any resources to manually map groups. As we have many departments and groups, I really do not want to have to amend it manually as the logistics of communicating the organisational changes were a nightmare-ish at our place.

Also, may I suggest a few improvements:

1. When you have a multiple domains to juggle, it would be a good idea to be able to select your domain at the login stage. It seems like other LDAP authenticated applications do something similar like that. This will make the authentication process speedier.

2. I saw this in Confluence, but it would also be a good idea if the groups can be mass populated initially in Drupal. Not at the point to of login. This would allow us to organise the access levels in advance.

These may already be addressed and apologies in advance if I am already circumventing anyone's effort...

Manually setting up role mappings in no way solves the lack of support for LDAP group-in-groups. Someone (me, if I ever find time) needs to take a stab at adapting #2 to 6.x. Also see comment #1 at http://drupal.org/node/143217 for things to think about when implementing this.

Work has also been done on this at #436962: LDAP Groups module does not recurse through AD security group containers to discover nested group members.

For anyone needing a temporary solution to add nested groups in 6.x, the code by jipsi in #436962-7: LDAP Groups module does not recurse through AD security group containers to discover nested group members works beautifully with ldapgroups 6.x-1.0-beta2, but you must be using "Strategy 2"/"groups in user attributes".

I found bugs in jipsi's code referenced in #6 -- it wasn't picking up all nested groups.

The attached patch against 6.x-1.0-beta2 gives better nested group support for "Strategy 2"/"groups in user attributes" (see code).

If someone were to add nested group support for the other two strategies, we'd have full support. This is a handy work-around for now, though.

EDIT: I've already found flaws with this code (doesn't handle infinite recursion) but I'm not certain it's appropriate to fill this ticket with bug fixes. For now I'll do development on this code at http://drupal.org/sandbox/claar/1459160

FYI - The current dev includes support for a hook to alter / add groups detected. See, hook_ldap_user_groups_alter() in the ldapgroups.api.php file. So, rather than trying to maintain a branched version of ldap integration, you can create now create a separate module to support recursive groups.

For full details of what's new see: #1475272: 6.x-1.0 Release Candidate 1 Status

Marking this as postponed since it can be handled with an external module now and the effort to make a generically useful version part of ldap integration seems to be more than the demand for it. But if someone wants to create a patch....

The 6.x most likely is not supported anymore. Feel free to re-open for 7.x