OpenAM / OPENAM-9674

Support Active Directory Recursive Group Membership Lookup

    Details

    • Sprint: AM Sustaining Sprint 57, AM Sustaining Sprint 58
    • Story Points: 3

      Description

      If creating PATCH add this to the patch install instructions:

      Once the patch has been installed, please run the following ssoadm commands to add the new recursive group search attributes to the service configuration for AD and ADAM:

      ssoadm add-attrs -s sunIdentityRepositoryService -t Organization -F RecursiveGroupSearchAttribute.xml -c LDAPv3ForAD -u amadmin -f pass.txt

      ssoadm add-attrs -s sunIdentityRepositoryService -t Organization -F RecursiveGroupSearchAttribute.xml -c LDAPv3ForADAM -u amadmin -f pass.txt


      When resolving group memberships with Active Directory as a Data Store, only the groups that a user is a direct member of are resolved. Active Directory can resolve nested groups itself when the search uses a special extensible match filter.

      It would be handy if OpenAM had the option to enable resolving nested groups for AD.

      For example, when looking up group memberships via the unique member attribute, OpenAM currently uses the following filter:

      (member=$userdn)

      Simply changing this to:

      (member:1.2.840.113556.1.4.1941:=$userdn)

      will ask AD to do a recursive lookup of groups.
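      As an added illustration (not OpenAM code), the function below builds the direct and recursive membership filters described above. It assumes the user DN is substituted as an LDAP assertion value and therefore escapes it per RFC 4515, so special characters in a DN cannot change the shape of the filter sent to AD.

```python
# Added example, not part of OpenAM. Builds the AD group-membership filter in
# its direct form (member=<dn>) and in its recursive form using the
# LDAP_MATCHING_RULE_IN_CHAIN extensible match rule, which makes AD walk
# nested group membership server-side.

# OID of Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter (RFC 4515).

    The characters '\\', '*', '(', ')' and NUL are replaced by a backslash
    followed by their two-digit hex code, so a DN containing them is still
    treated as a literal value rather than as filter syntax.
    """
    out = []
    for ch in value:
        if ch in ("\\", "*", "(", ")", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_membership_filter(user_dn: str, member_attr: str = "member",
                            recursive: bool = False) -> str:
    """Return the search filter that finds groups containing user_dn.

    recursive=False -> (member=<dn>)                 direct memberships only
    recursive=True  -> (member:<rule-oid>:=<dn>)     AD resolves nested groups
    """
    escaped = escape_filter_value(user_dn)
    if recursive:
        return f"({member_attr}:{MATCHING_RULE_IN_CHAIN}:={escaped})"
    return f"({member_attr}={escaped})"


if __name__ == "__main__":
    # Constructed sample DN, not from the original page.
    dn = "CN=Joel Pearson,OU=Users,DC=example,DC=com"
    print(group_membership_filter(dn))
    print(group_membership_filter(dn, recursive=True))
```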

      See:

            People

            • Assignee: lawrence.yarham Lawrence Yarham
            • Reporter: japearson Joel Pearson
            • Votes: 2
            • Watchers: 11
