group membership from AD nested groups

Rob Gorrell rwgorrel at uncg.edu
Tue Dec 15 23:50:35 UTC 2020


I know this isn't directly answering your question, but since we use
Grouper to provision our AD groups, the implied/nested memberships in
Grouper actually get flattened to explicit memberships when provisioned to
AD, and then our shibb IDP doesn't have to worry for the most part about
retrieval of implied group memberships in AD. There are some groups in AD
outside Grouper's provisioning, but these are hardly ever a concern for
entitlements.

-Rob


On Tue, Dec 15, 2020 at 6:19 PM IAM David Bantz <dabantz at alaska.edu> wrote:

> I see some short discussions from years past, but am hoping for updates
> with greater clarity.
>
> Do you search nested groups in Active Directory to obtain all group
> memberships for users?
> A 2017 exchange in this list described use of the LDAP_MATCHING_RULE_IN_CHAIN
> matching rule (OID 1.2.840.113556.1.4.1941)
> (https://shibboleth.1660669.n2.nabble.com/AD-nested-groups-td7634561.html)
> but noted “it’s very slow”, a verdict echoed in multiple other sites.
>
> I have one service asking to receive group memberships including
> memberships implied by nested AD groups,
> but am wary of using 1.2.840.113556.1.4.1941 from the sparse information
> I have found.
> e.g.,
> https://stackoverflow.com/questions/6195812/ldap-nested-group-membership
>
> https://stackoverflow.com/questions/40024425/1-2-840-113556-1-4-1941-ldap-matching-rule-in-chain-has-performance-problems
>
> Are IdPs regularly using this technique to retrieve implied group members?
> An alternative strategy (explicit iteration in some script, say)?
> Relying only on direct group memberships or eduPersonEntitlement or other
> “flattened” source for entitlements?
>
> If you do return implicit group memberships via LDAP query to AD, can you
> provide details?
> (My attempt to implement in Apache Directory Studio robustly returns no
> results.)
>
> David St.Pierre Bantz
> UA OIT IAM
>
>


-- 
Robert W. Gorrell
IT Manager, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
https://orcid.org/0000-0003-0158-8187
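An added example, not from either message in this thread, showing the two approaches discussed: building the LDAP_MATCHING_RULE_IN_CHAIN filter that asks the domain controller to resolve nesting server-side, and the explicit-iteration alternative over memberOf that produces the same flattened set Grouper would provision. The in-memory directory, DNs and function names are constructed for illustration; no live LDAP server is contacted.

```python
"""Nested AD group resolution: server-side filter vs. client-side memberOf walk.
SAMPLE_DIRECTORY is a constructed stand-in for an AD forest (DN -> memberOf list)."""
from collections import deque

# OID quoted in the thread; the (attr:OID:=value) form is the AD extensible-match filter.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing '(', ')', '*', '\\' or NUL
    cannot change the meaning of the search filter it is embedded in."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def in_chain_filter(user_dn: str) -> str:
    """Filter that returns every group the user belongs to, directly or transitively.
    The DC does the recursion, which is the cost the thread reports as 'very slow'."""
    return "(member:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


# Constructed sample. oit-staff is nested in iam-staff *and* lists iam-staff as a
# member of itself, i.e. a circular nesting that a naive recursion would loop on.
SAMPLE_DIRECTORY = {
    "CN=dbantz,OU=People,DC=example,DC=edu": ["CN=iam-staff,OU=Groups,DC=example,DC=edu"],
    "CN=iam-staff,OU=Groups,DC=example,DC=edu": ["CN=oit-staff,OU=Groups,DC=example,DC=edu"],
    "CN=oit-staff,OU=Groups,DC=example,DC=edu": [
        "CN=all-staff,OU=Groups,DC=example,DC=edu",
        "CN=iam-staff,OU=Groups,DC=example,DC=edu",  # cycle back
    ],
    "CN=all-staff,OU=Groups,DC=example,DC=edu": [],
}


def transitive_groups(directory: dict, user_dn: str) -> set:
    """Client-side alternative: breadth-first walk over memberOf with a visited set,
    so circular nesting terminates. Returns the flattened membership set."""
    seen = set()
    queue = deque(directory.get(user_dn, []))
    while queue:
        group_dn = queue.popleft()
        if group_dn in seen:
            continue
        seen.add(group_dn)
        queue.extend(directory.get(group_dn, []))
    return seen
```

Against a real server the walk issues one base-scope read of memberOf per group visited, so its cost grows with nesting depth rather than being pushed onto the domain controller as the in-chain filter does.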