Support for AD nested groups #1436
Comments
Also looking for this. With the current implementation, src/main/java/org/graylog2/security/ldap/LdapConnector.java needs to do a query for each group to see if those are members of some other group (member:1.2.840.113556.1.4.1941:=CN=).
"member:1.2.840.113556.1.4.1941:=CN=" is good for authentication, but it would be great if group mapping supported nested groups.
👍
Yup, this is a big issue for our setup too. We separate our groups into access groups, which have one-to-one relationships with specific permissions and services, and role groups, which contain users and are members of different access groups. In fact I'm surprised this issue hasn't gotten more attention! It's been open for a year.
Ditto. We've just started getting complaints of people not having the correct access and ended up tracking it back to a nested-groups issue.
We are also in dire need of this functionality.
+1 for this feature, since we have to use our organizational groups instead of the permission groups defined in Active Directory, so we have to change the permissions twice if anything is to be changed.
Hi, is there any news about this feature?
We would really need this.
@jalogisch is it possible to "donate" this feature? Via BountySource or similar?
@shakalandy Please contact our sales team at https://graylog.org/contact-sales or via sales@graylog.com to find out how this aligns with our general business strategy.
Any news on this feature? I assume it's not being considered for the v3 release?
I'm also very interested in this. It would be a very useful feature.
+1
+1
+1
Not sure if this helps, but the query needed here is Where It looks like graylog2-server/graylog2-server/src/main/java/org/graylog2/security/ldap/LdapConnector.java Line 200 in 20ab732
This has been open for three years. Are you planning to implement this at all? I'd love to see this feature as well.
Is this related to the fact that I cannot map any groups from this cn=groups,dc=subdomain,dc=domain,dc=tld? (Nothing shows up in LDAP group mapping.)
@pirona likely not - or did you have groups in groups in that?
No, no sublevels in this folder. Sorry for the topic mismatch then.
Hi,
It seems that this issue no longer exists? Actually we tested it with nested groups from an Active Directory and it seems to work fine without any error messages in the log. Also the relation for the groups has been set accordingly.
Workaround/Solution: Use a major group where the other groups are nested in your Active Directory. Then use a "User Search Pattern" with the memberOf function.
Steps to Reproduce
Tested Environment
@bernd @jalogisch could this be the solution or workaround for that issue? Could you please add some explanation from the code perspective to this? A possible attribute option in the product would still be good and could still be a valid feature request. At least it would make things easier for some people.
@xtruthx I've tried what you suggest with the following setup on Graylog 3.2.2, but it does not seem to work. Do you see anything I could have missed? My AD structure:
For a user in the Graylog_Admin group, the login works as expected. Logging in with a user from Graylog_AdminNested fails with error:
Without your Graylog settings, especially your search queries, I cannot give you a valid answer.
For us the actual problem is not limiting users to the members of one group. We need to use the group mapping feature to map members of nested groups to roles in Graylog. The previously mentioned LDAP filter is no help at all for our usage scenario.
I managed to make it work, actually. I've created the following structure:
With this setup and using filters: Users: Groups: Results: Hope that helps!
Nested group support is now part of Graylog Enterprise 4.0. See the following links for more details:
It would be great if Graylog could support so-called nested groups in AD.
The easiest way to do this would be to make the group member attribute configurable. You can then use a special object ID, as described in https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx.
Some information on how this is handled in some other tool (Nexus): https://support.sonatype.com/entries/31005457-How-to-Configure-Nexus-to-use-Active-Directory-Nested-Groups
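The pieces this thread keeps circling back to, the member:1.2.840.113556.1.4.1941:= filter quoted in the first comments (the LDAP_MATCHING_RULE_IN_CHAIN OID from the Microsoft page linked above), the memberOf-based "User Search Pattern" workaround, and the configurable member attribute proposed in the issue body, are demonstrated together in the following added example. It is not Graylog code and not from any participant in this thread. It builds the filters with RFC 4515 escaping (a group DN or login name spliced into a filter unescaped is an LDAP-injection vector) and models, on a constructed in-memory directory, what the server resolves for the chain rule compared with a one-level member lookup. The example.com domain, the group and user DNs, and the use of {0} as the username placeholder in the search pattern are assumptions made for illustration.

```python
"""Added example (not Graylog's code): build the Active Directory nested-group
filters discussed in this issue with proper escaping, and model what the
server resolves for them on a small constructed directory."""

from typing import Dict, List

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the thread. AD evaluates
# "<attr>:1.2.840.113556.1.4.1941:=<dn>" by walking the membership chain
# server-side, so one query covers every nesting level.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escape table for values embedded in a search filter. Anything
# user-controlled (a login name, a group DN typed into a settings form) must
# go through this, or it can change the filter's structure (LDAP injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_member_filter(group_dn: str, member_attr: str = "member") -> str:
    """Filter matching every direct or transitive member of group_dn.

    The attribute name is a parameter because the issue asks for it to be
    configurable; plain "member" is the Active Directory default.
    """
    return f"({member_attr}:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"


def nested_user_search_pattern(group_dn: str, login_attr: str = "sAMAccountName") -> str:
    """User search pattern that only matches transitive members of group_dn
    (the memberOf workaround described in the thread). Using "{0}" as the
    username placeholder is an assumption about the search-pattern syntax;
    the escaping of group_dn is the part that matters."""
    chain = f"(memberOf:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
    return f"(&(objectClass=user)({login_attr}={{0}}){chain})"


# Constructed sample directory (not real data): group DN -> values of its
# "member" attribute. Graylog_AdminNested is a member of Graylog_Admin, and
# bob belongs only to the nested group, mirroring the setups in the thread.
GROUPS_OU = "OU=Groups,DC=example,DC=com"
USERS_OU = "OU=Users,DC=example,DC=com"
SAMPLE_DIRECTORY: Dict[str, List[str]] = {
    f"CN=Graylog_Admin,{GROUPS_OU}": [
        f"CN=Graylog_AdminNested,{GROUPS_OU}",
        f"CN=alice,{USERS_OU}",
    ],
    f"CN=Graylog_AdminNested,{GROUPS_OU}": [f"CN=bob,{USERS_OU}"],
}


def direct_members(directory: Dict[str, List[str]], group_dn: str) -> List[str]:
    """What a one-level (member=<dn>) lookup sees: nested users are missing."""
    return list(directory.get(group_dn, []))


def transitive_members(directory: Dict[str, List[str]], group_dn: str) -> List[str]:
    """What the server returns for (member:<OID>:=group_dn): every member
    reachable through nested groups. The visited set makes a membership
    cycle (A contains B, B contains A) terminate instead of looping."""
    seen, stack, result = set(), [group_dn], []
    while stack:
        for member in directory.get(stack.pop(), []):
            if member not in seen:
                seen.add(member)
                result.append(member)
                stack.append(member)
    return result


def groups_for_user(directory: Dict[str, List[str]], user_dn: str) -> List[str]:
    """The reverse question that group mapping needs: every group the user is
    a direct or nested member of (what memberOf:<OID>:= resolves server-side)."""
    return sorted(g for g in directory if user_dn in transitive_members(directory, g))


if __name__ == "__main__":
    admin = f"CN=Graylog_Admin,{GROUPS_OU}"
    print(nested_member_filter(admin))
    print(nested_user_search_pattern(admin))
    print("direct:    ", direct_members(SAMPLE_DIRECTORY, admin))
    print("transitive:", transitive_members(SAMPLE_DIRECTORY, admin))
    print("bob's groups:", groups_for_user(SAMPLE_DIRECTORY, f"CN=bob,{USERS_OU}"))
```

Running it and comparing direct_members with transitive_members for Graylog_Admin shows the gap the thread describes: the one-level lookup never sees bob, who is only a member through Graylog_AdminNested, so role mapping keyed on direct membership misses him. The visited-set guard in transitive_members is also what any client-side fallback (such as the per-group query LdapConnector currently does) needs, since a membership loop between two groups would otherwise never terminate.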