
Enable posix group membership lookups in ldap

Open dhoffend opened this issue 5 months ago • 2 comments

On some openldap systems group memberships are based on posixgroups. Sure a migration to groupOfNames can be done or planned, but it's easier to support posixgroups until every ldap directory and structure has been updated (which often takes time and coordination with other parties using the directory).

I've added the group membership lookup to the perl script first, the mt version should be added as well, but I wanted to hear your point first. Since posixGroups in the old RFC2307 (not RFC2307bis) don't support nested groups, we can skip this step for the moment.

dhoffend, Nov 19 '25 19:11

Hi Daniel,

thanks, adding posixGroup support looks useful, after all other POSIX attributes are already mapped to MAVIS.

I'd probably just put posixGroup evaluation inside the main loop (the expand_* routines are for recursion mainly), and I think the gidNumber from posixAccount should also be resolved and included. Plus, adding all gidNumbers to the MAVIS GIDS attribute could be a good idea, at least for future use.

I'm a bit reluctant to add these changes right now as perl/mavis_tacplus-ng_ldap.pl, python/mavis_tacplus_ldap.py and ldapmavis-mt.c (you've already mentioned that one) should have feature parity.

Also, using the OpenLDAP dynlist overlay might possibly be an option to map posixGroup attributes to memberOf, allowing for simplified group handling.

I think I can have another look at posixGroup support options either next weekend or later next week.

Cheers,

Marc

MarcJHuber, Nov 20 '25 15:11
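An added illustration (not code from the event-driven-servers repository or from the pull request) of the lookup Marc outlines above: match posixGroup entries by memberUid and by the account's primary gidNumber, and collect every gidNumber for a MAVIS GIDS attribute. The entry dicts, the sample directory data and the escape helper are assumptions; in a real backend the filter string would be handed to the LDAP client, and escaping the uid keeps a username containing filter metacharacters from changing the query's structure.

```python
import re

# RFC 4515 escaping for a value interpolated into an LDAP search filter, so a
# username containing "*", "(", ")" or "\" cannot alter the filter's structure.
def ldap_filter_escape(value: str) -> str:
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group(0)), value)

def posix_group_filter(uid: str, primary_gid: int) -> str:
    """Filter matching every posixGroup the user belongs to: groups listing the
    uid in memberUid, plus the group whose gidNumber is the account's primary gid
    (RFC 2307 posixGroups have no nesting, so one query is enough)."""
    return "(&(objectClass=posixGroup)(|(memberUid=%s)(gidNumber=%d)))" % (
        ldap_filter_escape(uid), int(primary_gid))

def resolve_posix_groups(account: dict, groups: list) -> dict:
    """Given a posixAccount entry and posixGroup entries, return the group names
    and the full GIDS set (primary gid included) for the MAVIS attributes.
    Membership is re-checked here so a broader search result is still safe."""
    uid = account["uid"]
    primary_gid = int(account["gidNumber"])
    names, gids = set(), {primary_gid}
    for g in groups:
        gid = int(g["gidNumber"])
        if uid in g.get("memberUid", []) or gid == primary_gid:
            names.add(g["cn"])
            gids.add(gid)
    return {"groups": sorted(names), "gids": sorted(gids)}

# Constructed sample entries (not taken from any real directory); attribute
# names follow the posixAccount / posixGroup schema.
ACCOUNT = {"uid": "alice", "uidNumber": 1001, "gidNumber": 100}
GROUPS = [
    {"cn": "users", "gidNumber": 100, "memberUid": []},
    {"cn": "netadmins", "gidNumber": 2000, "memberUid": ["alice", "bob"]},
    {"cn": "backup", "gidNumber": 2001, "memberUid": ["bob"]},
]

if __name__ == "__main__":
    print(posix_group_filter(ACCOUNT["uid"], ACCOUNT["gidNumber"]))
    print(resolve_posix_groups(ACCOUNT, GROUPS))
```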

Sure. This was basically just an idea and some thoughts to get the posixGroup support completed.

I would also keep the perl implementation in sync with the py/c versions, no need to rush.

Regarding dynlist. I haven't used the overlay yet, but I know it exists. But dynlist isn't the easiest way to handle reverse group membership resolution, nor is there an easy guide to it, as dynlist has many usage lists.

dhoffend, Nov 21 '25 16:11

Hi Daniel,

after taking a closer look at dynlist it really doesn't look promising enough.

Changes for the three LDAP backends (Perl, Python, C) for posixGroup support are close to a git push, I think there are just some final tests missing, and these shouldn't take long. Also, ldapmavis-mt now uses the asynchronous OpenLDAP API calls for resolving nested groups to speed up lookups, and the various group lookup mechanisms can selectively be enabled/disabled.

Thanks for the pull request -- I'd likely never have looked into possible posixGroup usage, or at least not in-depth.

Cheers,

Marc

MarcJHuber, Dec 02 '25 17:12