Hi, Please use the LDAP_MATCHING_IN_RULE_CHAIN_OID for filtering for nested groups:
filter = memberOf:1.2.840.113556.1.4.1941:=CN=parent-group For displaying nested groups please set the group_member_attribute of your group backend to the following (adjust memberAttribute): group_member_attribute = "memberAttribute:1.2.840.113556.1.4.1941:” Following issues for reference: https://dev.icinga.org/issues/9612 https://dev.icinga.org/issues/10121 Please report back whether this works for you. Cheers, Eric > On Jan 5, 2016, at 2:25 PM, Zdenek Pizl <[email protected]> wrote: > > Hi, > > we're using FreeIPA as LDAP backend and have met an issue with indirect > group membership of users. > > Indirect group membership means that user is member of group in LDAP but this > group has additional attribute(s) defining that group is member of another > group also. > > In example: > # developers, groups, accounts, company.com > dn: cn=developers,cn=groups,cn=accounts,dc=company,dc=com > member: uid=name.surname,cn=users,cn=accounts,dc=company,dc=com > member: uid=other.surname,cn=users,cn=accounts,dc=company,dc=com > objectClass: top > objectClass: groupofnames > objectClass: nestedgroup > objectClass: ipausergroup > objectClass: ipaobject > objectClass: posixgroup > description: Developers > cn: developers > ipaUniqueID: aaa-bbb-12313f0b2a57 > gidNumber: 394200323 > memberOf: cn=rwicinga,cn=groups,cn=accounts,dc=company,dc=com > memberOf: cn=swengineers,cn=groups,cn=accounts,dc=company,dc=com > and so on > > And then, not surprisingly, user "name.surname" has listed group developers > in icingaweb2, there is no groups rwicinga and/or swengineers although that > user is member of them. > > Any hint how to prepare filter or is this usecase even supported? > > Thank you, regards .zp. > > -- > > Zdenek Pizl > [email protected] > _______________________________________________ > icinga-users mailing list > [email protected] > https://lists.icinga.org/mailman/listinfo/icinga-users -- Eric Lippmann Lead Senior Developer NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg Tel: +49 911 92885-0 | Fax: +49 911 92885-77 CEO: Julian Hein, Bernd Erk | AG Nuernberg HRB18461 http://www.netways.de | [email protected] ** OSDC 2016 - April - netways.de/osdc ** ** OSBConf 2016 - September - osbconf.org ** _______________________________________________ icinga-users mailing list [email protected] https://lists.icinga.org/mailman/listinfo/icinga-users
