Nested Groups and Authorization #109
Comments
Hi @mayromlo,
and add either groupA or groupB to the authorized groups (it doesn't matter), user1 is authorized. I've just checked it against Windows Server 2016 with a single AD domain (!).
Hi Schakko, sorry I was away for a couple of days. It's simply a single AD domain running on Server 2016. I just tried it again. If I give the "FCAD_AllLocal" group access to WP and there is a cascade (user "mtest1" is in group "FCAD_AllStaff", which itself is in group "FCAD_AllLocal"), then my login test fails (screens below with the debug output): If I now move the mtest1 user from FCAD_AllStaff to FCAD_AllLocal (break the cascade), it all works fine: Hope it's something simple I'm missing :-) Thanks,
Hi Schakko, I just did another test in my test domain (2016 AD) and you're correct. It works. The problem is that I need this to work on our production domain. After speaking with the admin of the production domain, it seems like the plugin queries the user object to find its group membership. Our prod domain allows that function, but does NOT allow users to look inside other groups, which basically causes cascading group membership lookups to fail. What the admin was asking me was, is there a way to have the plugin do the authorization using the service account (the account you use to connect the plugin to AD)? My currently configured service account (the one I used to connect to AD in the plugin) apparently has the ability to do group membership lookups. I'm not quite sure if this can be done easily, if at all, but thought it might be worth mentioning.
@mayromlo Thanks for clarifying the issue and greetings to your AD admin :-) His suggestion to use a third service account (besides Sync to WP/Sync to AD) seems plausible, but this is not something we can implement in an easy way. If you really want us to implement a solution, we'd have to charge you for it. I hope you understand it.
Hi,
Not sure if this is an error or not. If userA is part of groupA and groupA is nested (cascaded) in groupB, assuming groupB has been given authorization via the plugin to login (no role equivalent), userA can NOT login. If userA is moved out of groupA and moved into groupB, then they can login without issue.
It seems like NADI queries the user object and looks at memberof field "literally". Is there a way to introduce -- for a lack of better word -- a recursive flattening function to the above, so that cascading groups can resolve and be referenced properly?
As I mentioned, maybe I'm completely off and this function already exists, in which case I would appreciate a quick how-to if possible :-)
Thanks,
TTYL
Many
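The two behaviours discussed in this thread, a literal `memberOf` check versus a recursive flattening of nested groups, and the way the flattening breaks when the bind identity is not allowed to read the intermediate group objects (the production-domain problem raised in the comments), can be modelled in a few lines. The block below is an added example written for this page; it is not code from NADI (which is a PHP WordPress plugin) or from anyone in this thread. The directory, the DNs, the service-account name `svc-wordpress`, the `FCAD_Everyone` group and the ACL shape are all constructed for illustration.

```python
"""Transitive (nested) AD group resolution with the read-permission failure mode.

Added example, not NADI code.  The directory is a hypothetical in-memory model:
DN -> memberOf list.  An ACL maps each bind identity to the set of objects it may
read (None = unrestricted); every principal may always read its own object.
"""
from typing import Dict, List, Optional, Set

# Constructed DNs; FCAD_AllStaff / FCAD_AllLocal mirror the thread, the rest are made up.
USER = "CN=mtest1,OU=Users,DC=example,DC=local"
ALL_STAFF = "CN=FCAD_AllStaff,OU=Groups,DC=example,DC=local"
ALL_LOCAL = "CN=FCAD_AllLocal,OU=Groups,DC=example,DC=local"
EVERYONE = "CN=FCAD_Everyone,OU=Groups,DC=example,DC=local"
SVC = "CN=svc-wordpress,OU=Service,DC=example,DC=local"

# mtest1 -> FCAD_AllStaff -> FCAD_AllLocal -> FCAD_Everyone -> (back to) FCAD_AllStaff.
# The circular nesting is deliberate: AD permits it, so the resolver must tolerate it.
DIRECTORY: Dict[str, List[str]] = {
    USER: [ALL_STAFF],
    ALL_STAFF: [ALL_LOCAL],
    ALL_LOCAL: [EVERYONE],
    EVERYONE: [ALL_STAFF],
    SVC: [],
}

# Test domain: the user may read everything.  Prod domain (as described in the
# thread): the user may read only its own object, the service account may read groups.
TEST_ACL: Dict[str, Optional[Set[str]]] = {USER: None}
PROD_ACL: Dict[str, Optional[Set[str]]] = {
    USER: set(),
    SVC: {USER, ALL_STAFF, ALL_LOCAL, EVERYONE},
}


class AccessDenied(PermissionError):
    """The bind identity may not read the requested object."""


def _same(a: str, b: str) -> bool:
    return a.lower() == b.lower()  # DNs compare case-insensitively in AD


def member_of(directory, acl, reader: str, dn: str) -> List[str]:
    """The literal memberOf attribute of ``dn`` as visible to ``reader``."""
    readable = acl.get(reader, set())
    if not _same(dn, reader) and readable is not None and dn not in readable:
        raise AccessDenied(f"{reader} may not read {dn}")
    return list(directory.get(dn, []))


def nested_groups(directory, acl, reader: str, dn: str, *, strict: bool = False) -> Set[str]:
    """Flatten memberOf transitively (breadth-first, cycle-safe).

    An unreadable group ends the chain there, which is exactly how the prod-domain
    lookup silently loses FCAD_AllLocal.  With strict=True the AccessDenied is
    raised instead, so the operator sees a permission problem, not a bare denial.
    """
    seen: Dict[str, str] = {}  # lower-cased DN -> DN as returned by the directory
    queue = member_of(directory, acl, reader, dn)
    while queue:
        group = queue.pop(0)
        if group.lower() in seen:  # cycle / diamond guard
            continue
        seen[group.lower()] = group
        try:
            queue.extend(member_of(directory, acl, reader, group))
        except AccessDenied:
            if strict:
                raise
    return set(seen.values())


def is_authorized(directory, acl, reader: str, user_dn: str,
                  authorized: List[str], *, nested: bool = True) -> bool:
    """True if the user is (directly or, with nested=True, transitively) in an authorized group."""
    groups = (nested_groups(directory, acl, reader, user_dn) if nested
              else set(member_of(directory, acl, reader, user_dn)))
    return any(_same(g, a) for g in groups for a in authorized)


def scenarios() -> Dict[str, object]:
    """The cases from the thread, with only FCAD_AllLocal authorized in the plugin."""
    authorized = [ALL_LOCAL]
    out: Dict[str, object] = {
        "literal": is_authorized(DIRECTORY, TEST_ACL, USER, USER, authorized, nested=False),
        "nested_test": is_authorized(DIRECTORY, TEST_ACL, USER, USER, authorized),
        "nested_prod_user": is_authorized(DIRECTORY, PROD_ACL, USER, USER, authorized),
        "nested_prod_svc": is_authorized(DIRECTORY, PROD_ACL, SVC, USER, authorized),
    }
    try:
        nested_groups(DIRECTORY, PROD_ACL, USER, USER, strict=True)
        out["strict_prod"] = "ok"
    except AccessDenied as exc:
        out["strict_prod"] = f"AccessDenied: {exc}"
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The `literal` case reproduces the reported behaviour (direct `memberOf` only, so the nested user is refused); `nested_test` is what the maintainer saw in a single-domain lab; `nested_prod_user` shows the chain stopping at the first group the user cannot read, which yields a denial indistinguishable from a genuine non-member unless `strict=True` surfaces the permission error; `nested_prod_svc` is the admin's suggestion of resolving groups with the service account's rights. The same flattening can be pushed to the domain controller with an LDAP filter using the transitive matching rule, `(member:1.2.840.113556.1.4.1941:=<userDN>)`, but the DC still evaluates it with the bind identity's read permissions, so the production ACL problem does not go away by itself.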