Advanced LDAP nested group support
Yoann Gini 7 years ago • updated 7 years ago • 0
Using GLPI massively with OS X Server and Open Directory services, I have a limitation with the current LDAP plugins for group import.
Indeed, the Open Directory LDAP schema is a bit special: it's based on POSIX plus some extensions. The group knows its members, but users and groups aren't stored the same way.
Here is an example for two Open Directory groups:
dn: cn=it,cn=groups,dc=server,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
cn: it
gidNumber: 1042
apple-generateduid: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
apple-group-nestedgroup: F22A5302-5D54-4999-AB01-1FDEB090CDE0
apple-group-nestedgroup: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-nestedgroup: BCF923D7-C33B-4EAF-9082-F77FB17DE856
apple-group-realname: IT
apple-ownerguid: 10F3F6CA-7711-42A8-A614-808B897F53DE
description: IT department
And another one:
dn: cn=it-ext,cn=groups,dc=server,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
cn: it-ext
gidNumber: 1533
apple-generateduid: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-memberguid: B10E526D-4282-456B-8F0A-5A033FBDDA61
apple-group-memberguid: 34431329-95E4-496A-AB43-368A0E212F99
apple-group-realname: External IT members
description: IT members who aren't employees but contractors
memberUid: yoanngini
memberUid: bob
As you can see with the it-ext group (the second one), members are defined with the memberUid field and the value corresponds to the user uid, regular POSIX group behavior.
But for nested groups, Apple uses a dedicated field, apple-group-nestedgroup, and the value corresponds to the apple-generateduid field of the target group.
This isn't supported by GLPI at this time and it could be really awesome to add a method to support this.
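The lookup described in the post, as an added example that is not part of the original post and is not GLPI code: it resolves a group's effective members by following each apple-group-nestedgroup value to the group whose apple-generateduid matches, visiting every group once so a nesting loop cannot hang the import. The function names are hypothetical, the sample is trimmed from the two groups above, and the back-reference from it-ext to it is constructed to exercise the loop guard.

```python
from collections import defaultdict

# Constructed sample: trimmed from the two groups in the post. The nested
# reference from it-ext back to it is added here to create a cycle.
LDIF = """\
dn: cn=it,cn=groups,dc=server,dc=example,dc=com
cn: it
apple-generateduid: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
apple-group-nestedgroup: F22A5302-5D54-4999-AB01-1FDEB090CDE0
apple-group-nestedgroup: 4F53966E-2D4D-4384-9CB1-C394D3369540

dn: cn=it-ext,cn=groups,dc=server,dc=example,dc=com
cn: it-ext
apple-generateduid: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-nestedgroup: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
memberUid: yoanngini
memberUid: bob
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded lines, no base64 values) into entries."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)          # lower-cased attribute -> values
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry[attr.strip().lower()].append(value.strip())
        entries.append(entry)
    return entries

def effective_members(entries, group_cn):
    """Return (member uids, nested GUIDs that match no group in entries)."""
    by_guid = {e["apple-generateduid"][0].upper(): e
               for e in entries if e.get("apple-generateduid")}
    start = next(e for e in entries if group_cn in e.get("cn", []))
    members, unresolved, seen = set(), set(), set()
    stack = [start["apple-generateduid"][0].upper()]
    while stack:
        guid = stack.pop()
        if guid in seen:                   # cycle or diamond: visit once
            continue
        seen.add(guid)
        group = by_guid.get(guid)
        if group is None:                  # target group not in the export
            unresolved.add(guid)
            continue
        members.update(group.get("memberuid", []))
        stack.extend(g.upper() for g in group.get("apple-group-nestedgroup", []))
    return members, unresolved
```

Returning the unresolved GUIDs separately lets an importer flag group memberships it could not expand, which matters when the imported groups drive access rights.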