Hi Eric,

until now I was living in the conviction that your proposed solution is possible just for MS Active Directory. I am not aware that the FreeIPA server supports it. Or did I miss something?

Thank you, regards .zp.

On Tue, Jan 5, 2016 at 3:09 PM, Eric Lippmann <[email protected]> wrote:

> Hi,
>
> Please use the LDAP_MATCHING_IN_RULE_CHAIN_OID for filtering for nested
> groups:
>
> filter = memberOf:1.2.840.113556.1.4.1941:=CN=parent-group
>
> For displaying nested groups please set the group_member_attribute of your
> group backend to the following (adjust memberAttribute):
>
> group_member_attribute = "memberAttribute:1.2.840.113556.1.4.1941:"
>
> Following issues for reference:
> https://dev.icinga.org/issues/9612
> https://dev.icinga.org/issues/10121
>
> Please report back whether this works for you.
>
> Cheers,
> Eric
>
>
> On Jan 5, 2016, at 2:25 PM, Zdenek Pizl <[email protected]> wrote:
> >
> > Hi,
> >
> > we're using FreeIPA as LDAP backend and have met an issue with indirect
> > group membership of users.
> >
> > Indirect group membership means that user is member of group in LDAP but
> > this group has additional attribute(s) defining that group is member of
> > another group also.
> >
> > In example:
> > # developers, groups, accounts, company.com
> > dn: cn=developers,cn=groups,cn=accounts,dc=company,dc=com
> > member: uid=name.surname,cn=users,cn=accounts,dc=company,dc=com
> > member: uid=other.surname,cn=users,cn=accounts,dc=company,dc=com
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: nestedgroup
> > objectClass: ipausergroup
> > objectClass: ipaobject
> > objectClass: posixgroup
> > description: Developers
> > cn: developers
> > ipaUniqueID: aaa-bbb-12313f0b2a57
> > gidNumber: 394200323
> > memberOf: cn=rwicinga,cn=groups,cn=accounts,dc=company,dc=com
> > memberOf: cn=swengineers,cn=groups,cn=accounts,dc=company,dc=com
> > and so on
> >
> > And then, not surprisingly, user "name.surname" has listed group
> > developers in icingaweb2, there is no groups rwicinga and/or swengineers
> > although that user is member of them.
> >
> > Any hint how to prepare filter or is this usecase even supported?
> >
> > Thank you, regards .zp.
> >
> > --
> >
> > Zdenek Pizl
> > [email protected]
> > _______________________________________________
> > icinga-users mailing list
> > [email protected]
> > https://lists.icinga.org/mailman/listinfo/icinga-users
>
>
> --
> Eric Lippmann
> Lead Senior Developer
>
> NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
> Tel: +49 911 92885-0 | Fax: +49 911 92885-77
> CEO: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
> http://www.netways.de | [email protected]
>
> ** OSDC 2016 - April - netways.de/osdc **
> ** OSBConf 2016 - September - osbconf.org **
> _______________________________________________
> icinga-users mailing list
> [email protected]
> https://lists.icinga.org/mailman/listinfo/icinga-users
>

--
Zdenek Pizl
[email protected]
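
Added illustration, not part of the original thread and not Icinga Web 2 code: where the in-chain matching rule is not available on the server, indirect membership can be resolved on the client by following memberOf upward from the user's direct groups. The directory contents (including the membership loop), the DN normalisation and all function names are constructed for this sketch.

```python
from collections import deque

BASE = "cn=groups,cn=accounts,dc=company,dc=com"
USERS = "cn=users,cn=accounts,dc=company,dc=com"
USER = f"uid=name.surname,{USERS}"

# Constructed sample modelled on the entry quoted in the thread
# (group DN -> attributes); a real client would fill this from LDAP searches.
GROUPS = {
    f"cn=developers,{BASE}": {
        "member": [USER, f"uid=other.surname,{USERS}"],
        "memberOf": [f"cn=rwicinga,{BASE}", f"cn=swengineers,{BASE}"],
    },
    f"cn=rwicinga,{BASE}": {"member": [f"cn=developers,{BASE}"]},
    # Constructed loop: swengineers is itself nested under developers.
    f"CN=swengineers,{BASE}": {
        "member": [f"cn=developers,{BASE}"],
        "memberOf": [f"cn=developers,{BASE}"],
    },
}


def norm(dn):
    """Simplified DN normalisation (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def direct_groups(groups, member_dn):
    """Groups whose member attribute lists member_dn itself."""
    target = norm(member_dn)
    return {norm(dn) for dn, attrs in groups.items()
            if target in {norm(m) for m in attrs.get("member", [])}}


def effective_groups(groups, member_dn, max_depth=16):
    """Direct groups plus every group reachable through memberOf."""
    index = {norm(dn): attrs for dn, attrs in groups.items()}
    seen = set()
    queue = deque((dn, 1) for dn in direct_groups(groups, member_dn))
    while queue:
        dn, depth = queue.popleft()
        if dn in seen or depth > max_depth:  # loop guard and depth bound
            continue
        seen.add(dn)
        for parent in index.get(dn, {}).get("memberOf", []):
            queue.append((norm(parent), depth + 1))
    return seen
```

Access decisions should be made on the result of `effective_groups`, since `direct_groups` alone reproduces the symptom described in the thread: only `developers` is reported for the user.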
