memberOf Nested Groups

Jesse Martinich martinicj at sou.edu
Thu May 14 18:28:29 UTC 2020


We use eDirectory (with NetIQ Identity Manager) and have this working.

I can share the script we use to keep groups in check if you're interested.

Jesse

*Jesse Martinich*
Information Security Officer
Infrastructure Services Manager
Southern Oregon University | 1250 Siskiyou Blvd | Ashland OR  97520
541-552-8424




On Thu, May 14, 2020 at 11:05 AM Joseph Fischetti <Joseph.Fischetti at marist.edu> wrote:

> > Is there a way to obtain memberOf for nested groups memberships?
>
> I do believe this is a function of your LDAP server.
>
> If you can query your LDAP server for a particular user and their
> 'memberOf' attribute contains groups that they're only indirect members of,
> then Shibboleth will see it the same way.
>
> IBM TDS, as an example, requires that you use the non-standard
> 'ibm-allgroups' attribute instead of 'memberOf' for getting information
> like this.  The grouping structure is also non-standard.  Groups that are
> members of other groups must be listed as "ibm-membergroup" instead of
> "member".  At least that's what I've found.
>
> I do believe OpenLDAP is more straightforward and intuitive than that, if
> that's what you're using.
>
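
Added example, not part of the thread and not the script mentioned above: when a server's memberOf lists only direct groups, effective membership can be computed by walking group entries upward, with cycle protection. The directory is constructed sample data, the function names are hypothetical, and the attribute names are the ones quoted in the post.

```python
from collections import defaultdict, deque

def norm_dn(dn):
    # Simplified DN comparison (assumption): lowercase, no spaces around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def build_parent_index(directory, member_attrs=("member",)):
    """Map each member DN to the set of groups that list it directly."""
    parents = defaultdict(set)
    for group_dn, attrs in directory.items():
        for attr in member_attrs:
            for value in attrs.get(attr, []):
                parents[norm_dn(value)].add(norm_dn(group_dn))
    return parents

def effective_groups(parents, dn):
    """Direct plus nested groups of dn; the seen set stops group loops."""
    seen = set()
    queue = deque([norm_dn(dn)])
    while queue:
        for group in parents.get(queue.popleft(), ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen

# Constructed sample data, not taken from any real directory.
ALICE = "uid=alice,ou=people,dc=example,dc=edu"
G = "cn={},ou=groups,dc=example,dc=edu".format
DIRECTORY = {
    # "it" also contains "vpn-users", which creates a membership loop.
    G("it"): {"member": [ALICE, G("vpn-users")]},
    G("employees"): {"member": [G("it")]},
    G("vpn-users"): {"member": [G("employees")]},
    # Layout described in the post: nested group under "ibm-membergroup".
    G("auditors"): {"member": [], "ibm-membergroup": [G("it")]},
}

if __name__ == "__main__":
    std = build_parent_index(DIRECTORY)
    print("direct:   ", sorted(std[norm_dn(ALICE)]))
    print("effective:", sorted(effective_groups(std, ALICE)))
    tds = build_parent_index(DIRECTORY, ("member", "ibm-membergroup"))
    print("with ibm-membergroup:", sorted(effective_groups(tds, ALICE)))
```

Comparing the direct and effective sets for an account shows which access decisions depend on nesting that a direct-only memberOf would not expose to Shibboleth.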