group membership from AD nested groups
IAM David Bantz
dabantz at alaska.edu
Tue Dec 15 23:19:34 UTC 2020
I see some short discussions from years past, but am hoping for updates
with greater clarity.
Do you search nested groups in Active Directory to obtain all group
memberships for users?
A 2017 exchange on this list described use of the LDAP_MATCHING_RULE_IN_CHAIN
matching rule (OID 1.2.840.113556.1.4.1941)
(https://shibboleth.1660669.n2.nabble.com/AD-nested-groups-td7634561.html)
but noted “it’s very slow”, a verdict echoed in multiple other sites.
I have one service asking to receive group memberships including
memberships implied by nested AD groups,
but am wary of using 1.2.840.113556.1.4.1941 from the sparse information I
have found.
e.g.,
https://stackoverflow.com/questions/6195812/ldap-nested-group-membership
https://stackoverflow.com/questions/40024425/1-2-840-113556-1-4-1941-ldap-matching-rule-in-chain-has-performance-problems
Are IdPs regularly using this technique to retrieve implied group members?
An alternative strategy (explicit iteration in some script, say)?
Relying only on direct group memberships or eduPersonEntitlement or other
“flattened” source for entitlements?
If you do return implicit group memberships via LDAP query to AD, can you
provide details?
(My attempt to implement in Apache Directory Studio robustly returns no
results.)
David St.Pierre Bantz
UA OIT IAM
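As an added illustration of the two approaches the post asks about (this is example code, not part of the original message and not Shibboleth or AD code), the block below builds the LDAP_MATCHING_RULE_IN_CHAIN filter string for the single-query route and, beside it, the "explicit iteration in some script" alternative: a breadth-first walk over memberOf with a visited set so that nested-group cycles terminate. The DNs under DC=example,DC=edu, the group names, and the in-memory directory are constructed for the example; the lookup function is a stand-in for one LDAP base-scope read of memberOf.

```python
"""Nested AD group membership: chain-matching filter vs. explicit iteration.

Added example; the directory contents, DNs and group names are constructed
and do not describe any real environment.
"""
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN, the extensible match rule named in the post.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def chain_filter_groups_of_user(user_dn, base_filter="(objectClass=group)"):
    """Single-query approach: every group whose member chain reaches user_dn.

    AD evaluates the transitive closure server-side, which is what the post
    says is reported as slow on large directories.
    """
    return "(&%s(member:%s:=%s))" % (
        base_filter, LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


def chain_filter_members_of_group(group_dn, base_filter="(objectClass=user)"):
    """The reverse question: every user whose memberOf chain reaches group_dn."""
    return "(&%s(memberOf:%s:=%s))" % (
        base_filter, LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))


# Constructed sample directory: DN -> values of its memberOf attribute, as a
# client would see them after reading that one object. Includes a cycle
# (OIT Staff <-> All Staff), which AD permits and a naive walk would loop on.
SAMPLE_DIRECTORY = {
    "CN=dabantz,OU=Users,DC=example,DC=edu": [
        "CN=IAM Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=IAM Staff,OU=Groups,DC=example,DC=edu": [
        "CN=OIT Staff,OU=Groups,DC=example,DC=edu",
        "CN=Service X Users,OU=Groups,DC=example,DC=edu",
    ],
    "CN=OIT Staff,OU=Groups,DC=example,DC=edu": [
        "CN=All Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=All Staff,OU=Groups,DC=example,DC=edu": [
        "CN=OIT Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=Service X Users,OU=Groups,DC=example,DC=edu": [],
}


def lookup_member_of(dn, directory=SAMPLE_DIRECTORY):
    """Stand-in for one LDAP read of memberOf on a single object (hypothetical;
    a real client would issue a base-scope search for dn with attrlist=['memberOf'])."""
    return directory.get(dn, [])


def transitive_groups(user_dn, lookup=lookup_member_of, max_depth=32):
    """Explicit-iteration alternative: BFS over memberOf.

    The visited set makes cycles terminate; max_depth is a safety bound.
    Returns (sorted group DNs, number of lookups issued) so the cost of this
    route, one read per object reached, is visible next to the result.
    """
    seen = set()
    queue = deque([(user_dn, 0)])
    queries = 0
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        queries += 1
        for group_dn in lookup(dn):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append((group_dn, depth + 1))
    return sorted(seen), queries


if __name__ == "__main__":
    user = "CN=dabantz,OU=Users,DC=example,DC=edu"
    print(chain_filter_groups_of_user(user))
    groups, n = transitive_groups(user)
    print("%d groups via %d lookups:" % (len(groups), n))
    for g in groups:
        print("  " + g)
```

The chain filter is the one-request route and delegates the closure to the domain controller; the walk trades that for one read per group reached, which is cheap per request but scales with nesting. Whichever route is used, note that a user's primary group (the primaryGroupID attribute, Domain Users by default) is not listed in member or memberOf and so appears in neither result.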