Ask Question
« General Questions on Nuxeo

LDAP, Active Directory, and Handling of Subgroups - Any Other Thoughts?

Several years back I wanted to use Active Directory as a LDAP server for Nuxeo but I ran into issues using groups with subgroups. The issue, I believe, was that sub-groups would not resolve and so only single level groups could be used for access controls. In any case, my question is, from 5.4.2 onward are nested AD groups supported in Nuxeo? If yes, then what if anything is required to configure this (apart from the obvious contribution to enable group handing)?

My group contribution looks as follows…LDIF snippets are added below the group contribution (Dec 28/2011).

<component name="org.nuxeo.ecm.directory.ldap.storage.groups">
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPDirectoryDescriptor" />
<implementation class="org.nuxeo.ecm.directory.ldap.LDAPServerDescriptor" />
<require>org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory</require>
<require>org.nuxeo.ecm.directory.ldap.storage.users</require>

<extension target="org.nuxeo.ecm.directory.ldap.LDAPDirectoryFactory" point="directories">
    <directory name="groupLdapDirectory">
        <!-- Reuse the default server configuration defined for userDirectory -->
        <server>default</server>
        <schema>group</schema>
        <idField>groupname</idField>
        <searchBaseDn>OU=_MAILGROUPS,DC=test,DC=com</searchBaseDn>
        <searchFilter>
            ((objectClass=group))
        </searchFilter>         
        <searchScope>subtree</searchScope>
        <readOnly>true</readOnly>
        <!-- comment <cache* /> tags to disable the cache -->
        <!-- cache timeout in seconds -->
        <cacheTimeout>3600</cacheTimeout>
        <!-- maximum number of cached entries before global invalidation -->
        <cacheMaxSize>2000</cacheMaxSize>
        <creationBaseDn>DC=test,DC=com</creationBaseDn>
        <creationClass>top</creationClass>
        <creationClass>group</creationClass>
        <!-- Maximum number of entries returned by the search -->
        <querySizeLimit>500</querySizeLimit>
        <!-- Time to wait for a search to finish. 0 to wait indefinitely -->
        <queryTimeLimit>0</queryTimeLimit>
        <rdnAttribute>sAMAccountName</rdnAttribute>
        <fieldMapping name="groupname">sAMAccountName</fieldMapping>
        <references>
            <ldapReference field="members" directory="userLdapDirectory" forceDnConsistencyCheck="false"
                staticAttributeId="member" dynamicAttributeId="memberURL" />
            <ldapReference field="subGroups" directory="groupLdapDirectory" forceDnConsistencyCheck="false"
                staticAttributeId="uniqueMember" dynamicAttributeId="memberURL" />
            <inverseReference field="parentGroups" directory="groupLdapDirectory" dualReferenceField="subGroups" />
            <ldapTreeReference field="directChildren" directory="unitDirectory" scope="onelevel" />
            <ldapTreeReference field="children" directory="unitDirectory" scope="subtree" />
        </references>
    </directory>
</extension>
</component>

======= Snippet one - group contained in the 'all' group

dn: CN=grpUSA,OU=MAILGROUPS,DC=test,DC=com objectClass: top objectClass: group cn: grpUSA member: CN=grpA,OU=MAILGROUPS,DC=test,DC=com member: CN=grpB,OU=MAILGROUPS,DC=test,DC=com member: CN=grpC,OU=MAILGROUPS,DC=test,DC=com distinguishedName: CN=grpUSA,OU=MAILGROUPS,DC=test,DC=com instanceType: 4 : memberOf: CN=all,OU=MAILGROUPS,DC=test,DC=com name: grpUSA : sAMAccountName: grpUSA sAMAccountType: 268435457 groupType: 2 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=com :

======= Snippet two - group contained in the 'grpUSA' group above dn: CN=grpC,OU=MAILGROUPS,DC=test,DC=com objectClass: top objectClass: group cn: grpC member: CN=Rocky,OU=Retired Accounts,DC=test,DC=com member: CN=Rustin,OU=Users,OU=SEATTLE,DC=test,DC=com member: CN=Larry,OU=Users,OU=SEATTLE,DC=test,DC=com member: CN=Delane,OU=Users,OU=SEATTLE,DC=test,DC=com member: CN=Karen,OU=Users,OU=SEATTLE,DC=test,DC=com member: CN=Alissa,OU=Users,OU=SEATTLE,DC=test,DC=com distinguishedName: CN=grpC,OU=MAILGROUPS,DC=test,DC=com instanceType: 4 : memberOf: CN=grpUSA,OU=MAILGROUPS,DC=test,DC=com memberOf: CN=all,OU=MAILGROUPS,DC=test,DC=com name: grpC : sAMAccountName: grpC sAMAccountType: 268435457 groupType: 2 objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=test,DC=com :

Anyone else running AD integration with nested groups for Access Control?

bruce Grant
Member (7.6K)   2   7   6 		12/22/2011 ( History)
0 votes
1 answers
3771 views
ANSWER
ANSWERS

It depends on what you call a “nested” subgroups. Can you please update you question by including a LDIF snippet giving a description of a 2 such nested subgroups as stored in your AD server and I will update my answer to tell you if changes are need on your configuration file to resolve them from nuxeo.

Olivier Grisel
Member (2.1K)   1   4   3 		12/28/2011 ( History)
0 votes
bruce Grant
question updated!
01/03/2012
Follow
Tags
Linked Questions
Related Questions
can't list member of the group and groups of a member
Impossible de voir les le groupe d'un utilisateur LDAP
Unable to grant access right to Active Directory Group
Impossible to see groups them or it of a user LDAP
Unable to create users or Groups in Nuxeo when connected to Active Directory
creating groups fails with gidNumber: value #0 invalid per syntax
LDAP : impossible de voir les groupes
Nuxeo LDAP groups not loading
Nuxeo 7.10 ldap authentication