Chris-
This is one of the major flaws in LDAP. There are a number of
conventions for handling group membership, and no strictly followed
"standard". Listing of common names, such as CN values, or listing full
DNs. Then, there is the model of dynamic groups, where the user entry
has the group listing, vs the group having the user listing. Confused yet?
There are a couple of member-related attributes: member, memberOf and a
couple other attributes that are used for membership. I'm not an expert
in AD, but I believe I have seen instances where they use both the DN
list on the group and the dynamic group model, where the groups are
listed on the users. I think it may depend on how many "upgrades" that
AD instance has been through.
A patch may make sense, but it would need to consider all the weird
LDAP grouping models.
Matt Pavlovich
On 2/2/12 3:13 PM, Chris Robison wrote:
Has anyone been able to use the LDAPAuthorizationMap successfully with
Active Directory? In my investigation, I don't think it will ever work in
its current state. When looking at the code, it is making the assumption
that the value of the member attribute (or whatever attribute you are
using) is always going to be in the form "{0}={1}" (an RDN). But, according
to the OpenLDAP spec, the member attribute value is a distinguished name.
That means values are a comma delimited list of RDNs. So, for example I
have AD groups that represent MQ roles. Here's one I use:
"CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". The LDAPAuthorizationMap
considers the name of the role "MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp". Is this by design? I
would be happy to submit a patch to change this behavior. Thoughts?
Chris Robison
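As an added illustration (not from the thread and not ActiveMQ's own code), here are the two ways of reading an AD member value that Chris describes: the naive "{0}={1}" split, which produces the role name he observed, beside a DN-aware parse using the standard javax.naming.ldap.LdapName class, which extracts only the leading RDN value. The escaped-comma DN is a constructed example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class MemberValueParsing {

    // Naive interpretation: treat the whole attribute value as one
    // "type=value" RDN and take everything after the first '='.
    // When the value is a full DN, the parent RDNs end up inside the role name.
    static String roleFromRdnSplit(String memberValue) {
        int eq = memberValue.indexOf('=');
        if (eq < 0) {
            return memberValue;
        }
        return memberValue.substring(eq + 1);
    }

    // DN-aware interpretation: parse the value as an RFC 4514 DN and return
    // only the value of the leftmost (most specific) RDN. LdapName also
    // unescapes sequences such as "\," that a plain split would mishandle.
    static String roleFromDn(String memberValue) throws InvalidNameException {
        LdapName dn = new LdapName(memberValue);
        // getRdn(0) is the rightmost component (DC=corp); the leftmost is last.
        Rdn leaf = dn.getRdn(dn.size() - 1);
        return leaf.getValue().toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // The group DN quoted in the thread.
        String member = "CN=MQUser,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp";
        // Constructed value with an escaped comma inside the leaf RDN.
        String escaped = "CN=MQ\\, Admins,OU=Groups,OU=ActiveMQ,DC=cdr,DC=corp";

        System.out.println("split:  " + roleFromRdnSplit(member));
        System.out.println("parsed: " + roleFromDn(member));
        System.out.println("split:  " + roleFromRdnSplit(escaped));
        System.out.println("parsed: " + roleFromDn(escaped));
    }
}
```

Running it shows the split form returning the whole remainder of the DN as the role, while the parsed form returns just the CN value, which is the behaviour a patch to the map would need for AD-style member lists.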