Unable to expand nested groups for Active Directory authentication #2713
Comments
I converted the configuration to use LDAP since it has a statement specifically to enable nestedGroups but it still yields the same result.
|
We had a similar problem, one of our guys found that replacing:
with
did the trick. Some details as to why: https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx |
@BenPhegan |
Confirmed! This should be in the documentation. |
This solution even works with nestedGroups="false". So the nestedGroups lookup in Rundeck itself is still broken/misconfigured. |
nestedGroups="true" seems to invoke this behavior:
Then when determining user roles, query the user roles normally, and recursively add recorded "sub roles" from the previously created map. I do not know if that is the correct way to do it in Active Directory, (not my code), but if maybe someone else understands a better way..? |
roleMemberAttribute="member:1.2.840.113556.1.4.1941:" worked a treat and is the normal way to flatten nested groups:
We use it a lot for other LDAP connected applications, just I never thought I could twiddle roleMemberAttribute to use this LDAP matching rule. Rundeck should prefer this for LDAP servers that support it (AD does) over local application logic. |
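What the matching rule from the comments above computes on the server side, as an added example (not code from Rundeck or from this thread). The filter shape in `role_filter` is an assumption about how the login module substitutes `roleMemberAttribute`; the directory contents and DNs are constructed.

```python
# Added example. OID below is LDAP_MATCHING_RULE_IN_CHAIN, as quoted in the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def role_filter(role_object_class, role_member_attribute, user_dn):
    """Assumed filter shape: (&(objectClass=<class>)(<attr>=<user DN>))."""
    return "(&(objectClass=%s)(%s=%s))" % (
        role_object_class, role_member_attribute, escape_filter_value(user_dn))

def direct_groups(directory, dn):
    """Groups whose member attribute lists dn directly (plain member=<dn>)."""
    return {g for g, members in directory.items() if dn in members}

def groups_in_chain(directory, user_dn):
    """Groups reachable through any depth of nesting, which is what the
    in-chain rule evaluates. The seen set makes circular nesting terminate."""
    seen, stack = set(), [user_dn]
    while stack:
        for group in direct_groups(directory, stack.pop()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen

# Constructed sample directory: group DN -> set of member DNs.
RUNDECK_ADMINS = "CN=Rundeck Admins,OU=Groups,DC=example,DC=com"
RUNDECK_USERS = "CN=Rundeck Users,OU=Groups,DC=example,DC=com"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=example,DC=com"
ALICE = "CN=Alice (Ops),OU=People,DC=example,DC=com"
BOB = "CN=Bob,OU=People,DC=example,DC=com"
DIRECTORY = {
    RUNDECK_ADMINS: {DOMAIN_ADMINS},        # nested group, as in the issue
    DOMAIN_ADMINS: {ALICE, RUNDECK_ADMINS}, # deliberately circular nesting
    RUNDECK_USERS: {BOB},
}

if __name__ == "__main__":
    print(role_filter("group", "member:%s:" % IN_CHAIN, ALICE))
    for user in (ALICE, BOB):
        print(user)
        print("  direct  :", sorted(direct_groups(DIRECTORY, user)))
        print("  in chain:", sorted(groups_in_chain(DIRECTORY, user)))
```

Because the expansion happens inside the directory server's filter evaluation, every member of a nested group receives the role; reviewing what is nested under the Rundeck groups is part of reviewing who holds Rundeck admin rights.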
There hasn't been much activity here. This is stale. Is it still relevant? This is a friendly reminder to please resolve it. :-) |
In an effort to focus on bugs and issues that impact currently supported versions of Rundeck, we have elected to notify GitHub issue creators if their issue is classified as stale and close the issue. An issue is identified as stale when there have been no new comments, responses or other activity within the last 12 months. If a closed issue is still present please feel free to open a new Issue against the current version and we will review it. If you are an enterprise customer, please contact your Rundeck Support to assist in your request. |
Issue type: Bug report/Enhancement Request
My Rundeck detail
Expected Behavior
I have an admins and a users group configured for Rundeck in AD to authenticate against. It is able to see at base DN level the users that belong to each group and allow login with respect to the security role and ACL configuration. I want to nest groups (i.e. Domain Admins into Rundeck Admins) into these Rundeck groups so that users belonging to a nested group that is a member of the Rundeck group are allowed to complete the login successfully.
The groups are:
Rundeck Admins
Rundeck Users
web.xml Security Roles
My sanitized AD configuration
Actual Behavior
After nesting a group containing the users I want to give access to, if they try to log in, the !role error page is shown. And the current documentation on the website does not mention anything about nested group configuration for AD.
How to reproduce Behavior
Per description above.