+9

Advanced LDAP nested group support

Yoann Gini 8 years ago updated 8 years ago 0
Hello

Using GLPI massively with OS X Server and Open Directory services, I have a limitation with the current LDAP plugins for group import.

Indeed, the Open Directory LDAP schema is a bit special: it's based on POSIX plus some extensions. The group knows its members, but users and groups aren't stored the same way.

Here is an example for two Open Directory groups:

dn: cn=it,cn=groups,dc=server,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
cn: it
gidNumber: 1042
apple-generateduid: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
apple-group-nestedgroup: F22A5302-5D54-4999-AB01-1FDEB090CDE0
apple-group-nestedgroup: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-nestedgroup: BCF923D7-C33B-4EAF-9082-F77FB17DE856
apple-group-realname: IT
apple-ownerguid: 10F3F6CA-7711-42A8-A614-808B897F53DE
description: IT department

And another one:

dn: cn=it-ext,cn=groups,dc=server,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: extensibleObject
objectClass: apple-group
cn: it-ext
gidNumber: 1533
apple-generateduid: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-memberguid: B10E526D-4282-456B-8F0A-5A033FBDDA61
apple-group-memberguid: 34431329-95E4-496A-AB43-368A0E212F99
apple-group-realname: External IT members
description: IT members who aren't employees but contractors
memberUid: yoanngini
memberUid: bob

As you can see with the it-ext group (the second one), members are defined with the memberUid field and the value corresponds to the user uid, regular POSIX group behavior.

But for nested groups, Apple uses a dedicated field, apple-group-nestedgroup, and the value corresponds to the apple-generateduid field of the target group.

This isn't supported by GLPI at this time, and it would be really awesome to add a method to support this.
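An added example of the resolution the post asks for, written here in Python and not part of the post or of GLPI: it parses an LDIF dump, indexes apple-group entries by apple-generateduid, collects direct members from memberUid and follows apple-group-nestedgroup by GUID. The LDIF is constructed: the first two entries are the post's two groups trimmed to the attributes the resolver reads, and the third group (cn=it-core) is hypothetical, with its GUID chosen to match one of the nestedgroup values of "it" and a nestedgroup pointing back at "it", so that cycle handling is exercised. The third GUID referenced by "it" matches no entry and is reported as dangling instead of being silently dropped.

```python
"""Resolve Open Directory group membership through apple-group-nestedgroup.

Added example (not GLPI code). SAMPLE_LDIF is constructed: the 'it' and
'it-ext' groups come from the post (trimmed); 'it-core' is hypothetical.
"""
from typing import Dict, List, Set, Tuple

SAMPLE_LDIF = """\
dn: cn=it,cn=groups,dc=server,dc=example,dc=com
objectClass: apple-group
cn: it
apple-generateduid: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
apple-group-nestedgroup: F22A5302-5D54-4999-AB01-1FDEB090CDE0
apple-group-nestedgroup: 4F53966E-2D4D-4384-9CB1-C394D3369540
apple-group-nestedgroup: BCF923D7-C33B-4EAF-9082-F77FB17DE856

dn: cn=it-ext,cn=groups,dc=server,dc=example,dc=com
objectClass: apple-group
cn: it-ext
apple-generateduid: 4F53966E-2D4D-4384-9CB1-C394D3369540
memberUid: yoanngini
memberUid: bob

dn: cn=it-core,cn=groups,dc=server,dc=example,dc=com
objectClass: apple-group
cn: it-core
apple-generateduid: F22A5302-5D54-4999-AB01-1FDEB090CDE0
apple-group-nestedgroup: DD3E22B4-3A8D-4B97-9BC4-0B10CA63273F
memberUid: carol
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: blank-line separated entries, one 'attr: value'
    per line (no base64 '::' values, no folded lines). Attribute names are
    lower-cased because LDAP treats them case-insensitively."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        entry: Entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, sep, value = line.partition(": ")
            if not sep:
                raise ValueError(f"unsupported LDIF line: {line!r}")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def index_groups_by_guid(entries: List[Entry]) -> Dict[str, Entry]:
    """Map apple-generateduid -> entry for apple-group objects.
    GUIDs are upper-cased so lookups are case-insensitive."""
    by_guid: Dict[str, Entry] = {}
    for e in entries:
        if "apple-group" not in {c.lower() for c in e.get("objectclass", [])}:
            continue
        for guid in e.get("apple-generateduid", []):
            by_guid[guid.upper()] = e
    return by_guid


def resolve_members(group: Entry, by_guid: Dict[str, Entry]) -> Tuple[Set[str], Set[str]]:
    """Return (member uids, dangling nested-group GUIDs).

    Direct members come from memberUid (POSIX); nested groups are followed
    via apple-group-nestedgroup, whose values are the target group's
    apple-generateduid. A visited set keyed on the DN stops cycles
    (A nests B nests A), which would otherwise loop forever. GUIDs with no
    matching group are returned rather than dropped. apple-group-memberguid
    is not resolved here."""
    members: Set[str] = set()
    dangling: Set[str] = set()
    seen: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        key = g["dn"][0].lower()
        if key in seen:
            continue
        seen.add(key)
        members.update(g.get("memberuid", []))
        for guid in g.get("apple-group-nestedgroup", []):
            nested = by_guid.get(guid.upper())
            if nested is None:
                dangling.add(guid)
            else:
                stack.append(nested)
    return members, dangling


def members_of(ldif_text: str, cn: str) -> Tuple[List[str], List[str]]:
    """Resolve group `cn` from an LDIF dump: sorted uids, sorted dangling GUIDs."""
    entries = parse_ldif(ldif_text)
    by_guid = index_groups_by_guid(entries)
    for e in entries:
        if any(v.lower() == cn.lower() for v in e.get("cn", [])):
            members, dangling = resolve_members(e, by_guid)
            return sorted(members), sorted(dangling)
    raise KeyError(f"no group with cn={cn}")


if __name__ == "__main__":
    for name in ("it", "it-ext", "it-core"):
        print(name, members_of(SAMPLE_LDIF, name))
```

Two details matter when importing this into an identity consumer such as GLPI: the visited set, because a loop in nestedgroup references (accidental or planted by someone with write access to a group) must not hang the import, and the dangling list, because a GUID that resolves to nothing usually means a deleted or renamed group and should be surfaced to the administrator rather than quietly shrinking the membership.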