
List:       shibboleth-users
Subject:    Re: group membership from AD nested groups
From:       Matt Brennan <brennanma () gmail ! com>
Date:       2020-12-16 0:43:24
Message-ID: CACLBzuovmjB01+Ro1zwawJA3cQ9k54zNR=1=ho-4PoG2DT4YFA () mail ! gmail ! com

Hi David,

  I had replied to a post back in March about how I'm handling this. The
thread is here: http://shibboleth.net/pipermail/users/2020-March/046262.html
if it helps.

-Matt

On Tue, Dec 15, 2020 at 6:51 PM Rob Gorrell via users <users@shibboleth.net>
wrote:

> I know this isn't directly answering your question, but since we use
> Grouper to provision our AD groups, what are implied/nested memberships in
> Grouper actually get flattened to explicit memberships when provisioned to
> AD and then our shibb IDP doesn't have to worry for the most part about
> retrieval of implied group memberships in AD. There are some groups in AD
> outside Grouper's provisioning, but these are hardly ever a concern for
> entitlements.
> 
> -Rob
> 
> 
> On Tue, Dec 15, 2020 at 6:19 PM IAM David Bantz <dabantz@alaska.edu>
> wrote:
> 
> > I see some short discussions from years past, but am hoping for updates
> > with greater clarity.
> > 
> > Do you search nested groups in Active Directory to obtain all group
> > memberships for users?
> > A 2017 exchange in this list described use of LDAP_MATCHING_RULE_IN_CHAIN
> > matching rule (OID 1.2.840.113556.1.4.1941)
> > (https://shibboleth.1660669.n2.nabble.com/AD-nested-groups-td7634561.html
> > )
> > but noted "it's very slow", a verdict echoed in multiple other sites.
> > 
> > I have one service asking to receive group memberships including
> > memberships implied by nested AD groups,
> > but am wary of using 1.2.840.113556.1.4.1941 from the sparse information
> > I have found.
> > e.g.,
> > https://stackoverflow.com/questions/6195812/ldap-nested-group-membership
> > 
> > https://stackoverflow.com/questions/40024425/1-2-840-113556-1-4-1941-ldap-matching-rule-in-chain-has-performance-problems
> >  
> > Are IdPs regularly using this technique to retrieve implied group
> > members?
> > An alternative strategy (explicit iteration in some script, say)?
> > Relying only on direct group memberships or eduPersonEntitlement or other
> > "flattened" source for entitlements?
> > 
> > If you do return implicit group memberships via LDAP query to AD, can you
> > provide details?
> > (My attempt to implement in Apache Directory Studio robustly returns no
> > results.)
> > 
> > David St.Pierre Bantz
> > UA OIT IAM
> > 
> > 
> > --
> > For Consortium Member technical support, see
> > https://wiki.shibboleth.net/confluence/x/coFAAg
> > To unsubscribe from this list send an email to
> > users-unsubscribe@shibboleth.net
> > 
> 
> 
> --
> Robert W. Gorrell
> IT Manager, Identity and Access Management
> University of NC at Greensboro
> 336-334-5954
> PGP Key ID B36DB0CA
> https://orcid.org/0000-0003-0158-8187
> 

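The two approaches David asks about, as an added illustration that is not code from this thread, from Shibboleth, or from any of the posters: building the LDAP_MATCHING_RULE_IN_CHAIN filter with the user's DN escaped per RFC 4515, and the "explicit iteration in some script" alternative, a memberOf walk with a visited set so that cyclic or diamond-shaped nesting terminates. The directory contents, DNs and group names are constructed sample data, not real AD objects, and no live LDAP connection is made.

```python
"""Transitive AD group membership: chain-matching filter vs. explicit walk.

Added example; not code from the thread or from the Shibboleth IdP.
All DNs below are constructed sample data.
"""
from __future__ import annotations

# AD-only extensible match rule (LDAP_MATCHING_RULE_IN_CHAIN). Other directory
# servers reject or ignore it, so the filter is not portable.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    A DN or principal name containing '(', ')', '*' or '\\' would otherwise
    change the structure of the filter (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")"):
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def nested_groups_filter(user_dn: str) -> str:
    """Filter that asks AD to return every group containing user_dn,
    directly or through any depth of nesting. Run with base = domain root
    or groups OU, scope = subtree, attributes = ['distinguishedName'].
    This is the single, server-side query the thread reports as slow."""
    return (
        "(&(objectClass=group)"
        f"(member:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))"
    )


def transitive_groups(user_dn: str, member_of: dict[str, list[str]]) -> set[str]:
    """Explicit-iteration alternative: breadth-first walk over memberOf.

    member_of maps an object DN to the DNs in its memberOf attribute. In a
    real deployment each lookup is one base-scope read of that object
    (cacheable); here it is an in-memory dict. The visited set makes a
    cycle (A nested in B, B nested in A) terminate and de-duplicates
    groups reachable by more than one path."""
    seen: set[str] = set()
    frontier = list(member_of.get(user_dn, []))
    while frontier:
        group = frontier.pop()
        if group in seen:
            continue
        seen.add(group)
        frontier.extend(member_of.get(group, []))
    return seen


# Constructed sample memberOf data (not a real directory).
SAMPLE_MEMBER_OF = {
    "CN=jdoe,OU=People,DC=example,DC=edu": [
        "CN=Lab-Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=Lab-Staff,OU=Groups,DC=example,DC=edu": [
        "CN=Research,OU=Groups,DC=example,DC=edu",
        "CN=Building-7 (Access),OU=Groups,DC=example,DC=edu",
    ],
    "CN=Research,OU=Groups,DC=example,DC=edu": [
        "CN=All-Staff,OU=Groups,DC=example,DC=edu",
    ],
    # Deliberate cycle: All-Staff is nested back inside Research.
    "CN=All-Staff,OU=Groups,DC=example,DC=edu": [
        "CN=Research,OU=Groups,DC=example,DC=edu",
    ],
    "CN=Building-7 (Access),OU=Groups,DC=example,DC=edu": [],
}


if __name__ == "__main__":
    user = "CN=jdoe,OU=People,DC=example,DC=edu"
    print(nested_groups_filter("CN=Building-7 (Access),OU=Groups,DC=example,DC=edu"))
    for dn in sorted(transitive_groups(user, SAMPLE_MEMBER_OF)):
        print(dn)
```

Two caveats that apply to both approaches. The memberOf attribute and the chain match both omit the user's primary group (the one referenced by primaryGroupID, normally Domain Users), so a service that needs it must add that group separately. And both return only what the bind account is permitted to read, so a restricted service account yields a silently shorter list rather than an error; compare the output against a known-nested test user before trusting it for entitlements. The same matching rule also works in the other direction, `(memberOf:1.2.840.113556.1.4.1941:=<groupDN>)`, to enumerate all transitive members of a group.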



