
Duplicate: Generic LDAP Nested Group Support

Description

The current EE LDAP connector only supports nested groups when using an Active Directory server. After reviewing the code, it appears this could be easily extended to support nested groups on other LDAP servers that expose the memberOf attribute, by allowing the objectClass of the child groups to be configured. This would allow simpler management of users in an enterprise LDAP directory and would simplify provisioning new users or adding existing users to new projects: the project groups could be members of the appropriate GitLab-specific groups (alongside groups for other tools), and users could be added to those project/organizational groups in the LDAP server.

For example, FreeIPA (389) supports memberOf but uses the nestedgroup and groupofnames object classes for its Group objects. If this is implemented, I wouldn't have to "lie" to GitLab and tell it I'm using Active Directory and I could configure the query so it looks for the nestedgroup class.

Proposal

Add the following configuration options to EE LDAP:

  • nested_groups: A boolean, defaulting to the value of active_directory to maintain backwards compatibility, that enables/disables searching for nested groups when querying the LDAP server.

  • nested_group_object_class: The objectClass, defaulting to group for backwards compatibility, used to search for nested groups in the EE::GitLab::LDAP::Adapter.nested_groups method.

Modify the EE::GitLab::LDAP::Group.member_dns method so nested members are loaded according to the nested_groups option, rather than as part of the active_directory_members method.

Modify the EE::GitLab::LDAP::Adapter.nested_groups method so it reads the nested_group_object_class property and constructs an appropriate query:

        # Return the groups of the configured object class that are direct
        # members of parent_dn, found via the server-maintained memberOf view.
        def nested_groups(parent_dn, object_class)
          options = {
            base: config.group_base,
            # (&(objectClass=<object_class>)(memberOf=<parent_dn>))
            filter: Net::LDAP::Filter.join(
              Net::LDAP::Filter.eq('objectClass', object_class),
              Net::LDAP::Filter.eq('memberOf', parent_dn)
            )
          }

          ldap_search(options).map do |entry|
            LDAP::Group.new(entry, self)
          end
        end
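As an added example (not code from this issue or from GitLab), the following Ruby resolves transitive group membership under the proposed nested_groups / nested_group_object_class settings. It assumes a hypothetical in-memory FakeAdapter in place of the real EE adapter, and a constructed FreeIPA-style directory in which two groups are members of each other, so the visited set is what keeps the recursion finite.

```ruby
require 'set'
# Constructed in-memory directory (hypothetical DNs, not real data), FreeIPA style:
# groups are groupOfNames + nestedGroup and memberOf is the derived back-link.
DIRECTORY = [
  { dn: 'cn=gitlab-devs,cn=groups,dc=example,dc=com', objectclass: %w[groupOfNames nestedGroup],
    memberof: ['cn=project-x,cn=groups,dc=example,dc=com'],
    member: ['uid=alice,cn=users,dc=example,dc=com', 'cn=project-x,cn=groups,dc=example,dc=com'] },
  { dn: 'cn=project-x,cn=groups,dc=example,dc=com', objectclass: %w[groupOfNames nestedGroup],
    memberof: ['cn=gitlab-devs,cn=groups,dc=example,dc=com'],
    member: ['uid=bob,cn=users,dc=example,dc=com', 'cn=gitlab-devs,cn=groups,dc=example,dc=com'] } # cycle
].freeze

# Hypothetical stand-in for the EE adapter: nested_groups evaluates the proposed
# (&(objectClass=<class>)(memberOf=<parent_dn>)) filter in Ruby instead of Net::LDAP.
class FakeAdapter
  def initialize(entries, object_class)
    @entries, @object_class = entries, object_class.downcase
  end

  def nested_groups(parent_dn)
    @entries.select { |e| e[:objectclass].map(&:downcase).include?(@object_class) && e[:memberof].include?(parent_dn) }
  end

  def entry(dn)
    @entries.find { |e| e[:dn] == dn }
  end
end

# The proposal's defaults: nested_groups falls back to the active_directory flag,
# nested_group_object_class falls back to 'group'.
def nested_group_settings(config)
  enabled = config.fetch('nested_groups') { config.fetch('active_directory', false) }
  [enabled, config.fetch('nested_group_object_class', 'group')]
end

# Transitive member DNs of a group. The shared visited set stops infinite recursion when
# groups are members of each other; DNs of groups that were expanded are dropped.
def member_dns(adapter, group_dn, nested:, visited: Set.new)
  entry = adapter.entry(group_dn)
  return [] if entry.nil? || !visited.add?(group_dn)
  dns = entry[:member].dup
  if nested
    adapter.nested_groups(group_dn).each { |g| dns.concat(member_dns(adapter, g[:dn], nested: true, visited: visited)) }
  end
  (dns - visited.to_a).uniq.sort
end

def resolve(config, group_dn)
  nested, object_class = nested_group_settings(config)
  member_dns(FakeAdapter.new(DIRECTORY, object_class), group_dn, nested: nested)
end
```

With the Active Directory default (objectClass group) the FreeIPA child group is never expanded and its DN is returned as a plain member, which is the mismatch the proposal addresses.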

Links / references

https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/ee/gitlab/auth/ldap/adapter.rb#L45
https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/ee/gitlab/auth/ldap/group.rb#L52

~"feature proposal"

Edited by Andrew Winata