For the record: support told me that it's not supported. When I added "tokenGroups" to the GROUP_ATTRIBUTE, FS unfortunately reads it as a String and only garbage is used. I wrote my own LoginModule as a prototype. When I set
env.put("java.naming.ldap.attributes.binary", "objectSID tokenGroups");
it will be returned as a byte[]. So I can read out the nested groups and convert it:
    // sid is the byte[] returned for objectSid / one tokenGroups entry
    String sidHex = "";
    for (byte b : sid) {
        // escape every byte as \hh so the value can be placed in an LDAP filter
        sidHex += "\\" + toHexString(b);
    }

    private static String toHexString(final byte b) {
        // mask to 0..255, otherwise a negative byte sign-extends to "ffffffxx"
        String hexString = Integer.toHexString(b & 0xFF);
        if (hexString.length() % 2 != 0) {
            hexString = "0" + hexString; // left-pad single-digit values
        }
        return hexString;
    }
Now I could search for this object like: (objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)
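Added example, not code from the post above: the same byte-to-\hh escaping, plus decoding of the binary SID into its S-1-5-... text form and back, so an entry from tokenGroups can be read by eye and searched for; the objectSid bytes are taken from the filter in the post and reused as sample input.

```python
import struct

# objectSid value taken from the post's search filter and used here as the
# constructed sample input: the LDAP "\hh" escapes are unpacked to raw bytes.
SAMPLE_FILTER = (
    r"(objectSid=\01\05\00\00\00\00\00\05\15\00\00\00\e9\67\bb\98"
    r"\d6\b7\d7\bf\82\05\1e\6c\28\06\00\00)"
)
SAMPLE_SID = bytes.fromhex(SAMPLE_FILTER[len("(objectSid="):-1].replace("\\", ""))

def sid_bytes_to_string(sid: bytes) -> str:
    """Decode a binary SID (objectSid / one tokenGroups entry) to S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit identifier
    authority (big-endian), then count x 32-bit sub-authorities (little-endian).
    """
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, count = sid[0], sid[1]
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack("<%dI" % count, sid[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string, so a SID typed by hand can be searched for."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def ldap_escape_bytes(raw: bytes) -> str:
    """Escape every byte as \\hh (RFC 4515) so a binary value can sit in a filter.

    This is what the Java loop in the post does; escaping every byte, not only
    the special ones, keeps the filter valid for any SID value.
    """
    return "".join("\\%02x" % b for b in raw)

def objectsid_filter(sid: bytes) -> str:
    """Build the (objectSid=...) equality filter for a binary SID."""
    return "(objectSid=%s)" % ldap_escape_bytes(sid)
```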