group membership from AD nested groups
brennanma at gmail.com
Wed Dec 16 00:43:24 UTC 2020
I had replied to a post back in March about how I'm handling this. The
thread is here: http://shibboleth.net/pipermail/users/2020-March/046262.html
if it helps.
On Tue, Dec 15, 2020 at 6:51 PM Rob Gorrell via users <users at shibboleth.net>
> I know this isn't directly answering your question, but since we use
> Grouper to provision our AD groups, what are implied/nested membership in
> Grouper actually get flattened to explicit memberships when provisioned to
> AD and then our shibb IDP doesn't have to worry for the most part about
> retrieval of implied group memberships in AD. There are some groups in AD
> outside Grouper's provisioning, but these are hardly ever a concern for
> On Tue, Dec 15, 2020 at 6:19 PM IAM David Bantz <dabantz at alaska.edu>
>> I see some short discussions from years past, but am hoping for updates
>> with greater clarity.
>> Do you search nested groups in Active Directory to obtain all group
>> memberships for users?
>> 2017 exchange in this list described use of LDAP_MATCHING_RULE_IN_CHAIN
>> matching rule (OID 1.2.840.1135220.127.116.111)
>> but noted “it’s very slow”, a verdict echoed in multiple other sites.
>> I have one service asking to receive group memberships including
>> memberships implied by nested AD groups,
>> but am wary of using 1.2.840.113518.104.22.1681 from the sparse information
>> I have found.
>> Are IdP’s regularly using this technique to retrieve implied group
>> An alternative strategy (explicit iteration in some script, say)?
>> Relying only on direct group memberships or eduPersonEntitlement or other
>> “flattened” source for entitlements?
>> If you do return implicit group memberships via LDAP query to AD, can you
>> provide details?
>> (My attempt to implement in Apache Directory Studio robustly returns no
>> David St.Pierre Bantz
>> UA OIT IAM
>> For Consortium Member technical support, see
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
> Robert W. Gorrell
> IT Manager, Identity and Access Management
> University of NC at Greensboro
> PGP Key ID B36DB0CA
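The two strategies raised in the quoted question, the server-side LDAP_MATCHING_RULE_IN_CHAIN filter and explicit client-side iteration over memberOf, as an added example that is not part of this thread. The matching-rule OID is the one Microsoft documents for that rule (1.2.840.113556.1.4.1941); the directory contents are constructed and stand in for an AD query.

```python
from typing import Dict, List, Set

# LDAP_MATCHING_RULE_IN_CHAIN: the domain controller walks the member chain
# itself, so one search returns every group the user is in, directly or nested.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def in_chain_filter(user_dn: str) -> str:
    """Build the filter to run against the groups container.

    RFC 4515 escaping of the DN keeps filter metacharacters in a user-supplied
    value from changing the query's shape.
    """
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c
                      for c in user_dn)
    return f"(member:{MATCHING_RULE_IN_CHAIN}:={escaped})"


# Constructed sample: DN -> its direct memberOf values, as AD would return them.
# G3 -> G2 -> G1 is a nested chain; G1 -> G3 is a deliberate cycle.
SAMPLE_MEMBER_OF: Dict[str, List[str]] = {
    "CN=alice,OU=People,DC=example,DC=edu": ["CN=G3,OU=Groups,DC=example,DC=edu"],
    "CN=G3,OU=Groups,DC=example,DC=edu": ["CN=G2,OU=Groups,DC=example,DC=edu"],
    "CN=G2,OU=Groups,DC=example,DC=edu": ["CN=G1,OU=Groups,DC=example,DC=edu"],
    "CN=G1,OU=Groups,DC=example,DC=edu": ["CN=G3,OU=Groups,DC=example,DC=edu"],
}


def expand_nested(user_dn: str, member_of: Dict[str, List[str]],
                  max_depth: int = 20) -> Set[str]:
    """Client-side alternative: breadth-first walk over memberOf.

    `seen` stops the walk on cycles; `max_depth` bounds the number of LDAP
    round-trips a misconfigured or hostile group graph can force.
    """
    seen: Set[str] = set()
    frontier = list(member_of.get(user_dn, []))
    depth = 0
    while frontier and depth < max_depth:
        next_frontier: List[str] = []
        for group in frontier:
            if group in seen:
                continue
            seen.add(group)
            next_frontier.extend(member_of.get(group, []))
        frontier = next_frontier
        depth += 1
    return seen
```

With a real directory, `member_of` would be filled by one lookup per level, which is where the explicit approach's cost grows with nesting depth, whereas the in-chain filter costs one search but shifts the work to the domain controller.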