group membership from AD nested groups

Matt Brennan brennanma at gmail.com
Wed Dec 16 00:43:24 UTC 2020


Hi David,

  I had replied to a post back in March about how I'm handling this. The
thread is here: http://shibboleth.net/pipermail/users/2020-March/046262.html
if it helps.

-Matt

On Tue, Dec 15, 2020 at 6:51 PM Rob Gorrell via users <users at shibboleth.net>
wrote:

> I know this isn't directly answering your question, but since we use
> Grouper to provision our AD groups, whatever implied/nested memberships exist
> in Grouper actually get flattened to explicit memberships when provisioned to
> AD, and then our shibb IDP doesn't have to worry for the most part about
> retrieval of implied group memberships in AD. There are some groups in AD
> outside Grouper's provisioning, but these are hardly ever a concern for
> entitlements.
>
> -Rob
>
>
> On Tue, Dec 15, 2020 at 6:19 PM IAM David Bantz <dabantz at alaska.edu>
> wrote:
>
>> I see some short discussions from years past, but am hoping for updates
>> with greater clarity.
>>
>> Do you search nested groups in Active Directory to obtain all group
>> memberships for users?
>> A 2017 exchange on this list described use of the LDAP_MATCHING_RULE_IN_CHAIN
>> matching rule (OID 1.2.840.113556.1.4.1941)
>> (https://shibboleth.1660669.n2.nabble.com/AD-nested-groups-td7634561.html)
>> but noted “it’s very slow”, a verdict echoed on multiple other sites.
>>
>> I have one service asking to receive group memberships including
>> memberships implied by nested AD groups,
>> but am wary of using 1.2.840.113556.1.4.1941 from the sparse information
>> I have found.
>> e.g.,
>> https://stackoverflow.com/questions/6195812/ldap-nested-group-membership
>>
>> https://stackoverflow.com/questions/40024425/1-2-840-113556-1-4-1941-ldap-matching-rule-in-chain-has-performance-problems
>>
>> Are IdPs regularly using this technique to retrieve implied group
>> members?
>> An alternative strategy (explicit iteration in some script, say)?
>> Relying only on direct group memberships or eduPersonEntitlement or other
>> “flattened” source for entitlements?
>>
>> If you do return implicit group memberships via LDAP query to AD, can you
>> provide details?
>> (My attempt to implement in Apache Directory Studio robustly returns no
>> results.)
>>
>> David St.Pierre Bantz
>> UA OIT IAM
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
>
> --
> Robert W. Gorrell
> IT Manager, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
> PGP Key ID B36DB0CA
> https://orcid.org/0000-0003-0158-8187
>
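The two approaches David asks about, the LDAP_MATCHING_RULE_IN_CHAIN filter and explicit iteration, as an added example. This is not code from any poster or from the Shibboleth project, and it does not talk to a directory: CONSTRUCTED_DIRECTORY is a hand-made stand-in for the memberOf attribute of a few objects, and all DNs in it are made up. The one point of fact it encodes is that the value after `:1.2.840.113556.1.4.1941:=` must be the full DN of the user (or group), not a sAMAccountName, which is a common reason such a search returns nothing.

```python
"""Nested AD group membership: building the LDAP_MATCHING_RULE_IN_CHAIN filter
correctly, and an explicit-iteration fallback over memberOf.

Added example for the thread above; CONSTRUCTED_DIRECTORY is invented data.
"""
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as named in the thread.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.

    A DN such as 'CN=Doe\\, Jane,...' contains a backslash, which is legal in
    AD but must be hex-escaped in a filter or the server rejects the filter or
    matches nothing.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def groups_of_user_filter(user_dn: str) -> str:
    """Filter to run against a GROUP search base: every group the user belongs
    to directly or through nesting. The right-hand side must be the user's DN."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


def members_of_group_filter(group_dn: str) -> str:
    """The reverse question, run against a USER search base: every user who is
    a member of the group directly or through nesting."""
    return f"(memberOf:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


# Constructed stand-in for memberOf values as AD would return them. Not real data.
CONSTRUCTED_DIRECTORY = {
    "CN=dbantz,OU=People,DC=example,DC=edu": [
        "CN=IAM-Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=IAM-Staff,OU=Groups,DC=example,DC=edu": [
        "CN=OIT-Staff,OU=Groups,DC=example,DC=edu",
        "CN=VPN-Users,OU=Groups,DC=example,DC=edu",
    ],
    "CN=OIT-Staff,OU=Groups,DC=example,DC=edu": [
        "CN=All-Staff,OU=Groups,DC=example,DC=edu",
        "CN=IAM-Staff,OU=Groups,DC=example,DC=edu",  # deliberate cycle; AD permits them
    ],
    "CN=VPN-Users,OU=Groups,DC=example,DC=edu": [],
    "CN=All-Staff,OU=Groups,DC=example,DC=edu": [],
}


def transitive_groups(user_dn, lookup_member_of, max_depth=32):
    """Explicit iteration: breadth-first walk over memberOf, one lookup per
    group. The visited set makes nested-group cycles terminate; max_depth is a
    safety valve. lookup_member_of(dn) stands in for a base-scope LDAP read of
    the memberOf attribute of one object."""
    seen = set()
    queue = deque((g, 1) for g in lookup_member_of(user_dn))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        if depth >= max_depth:
            continue
        for parent in lookup_member_of(dn):
            if parent not in seen:
                queue.append((parent, depth + 1))
    return sorted(seen)


if __name__ == "__main__":
    user = "CN=dbantz,OU=People,DC=example,DC=edu"
    print(groups_of_user_filter(user))
    for g in transitive_groups(user, lambda dn: CONSTRUCTED_DIRECTORY.get(dn, [])):
        print(g)
```

The trade-off between the two functions is the one the thread circles around: the chain-rule filter is a single server-side query whose cost is paid by the domain controller, while transitive_groups costs one read per group encountered, paid in round trips from the IdP. Rob's Grouper approach removes the question entirely by writing flattened memberships into AD so that a plain memberOf read is enough.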