Note: the basic LDAP module is sufficient in most cases. Use this module only if the basic LDAP module does not return all groups (especially nested groups).
This module was created to work around the issue where the memberOf property doesn’t return all the groups the user belongs to.
Prerequisite: make sure that the groups have been created in Kadeck before this module is activated.
Kadeck fetches all the users that match the original query, adds those users to the database, and then assigns the groups to the users by performing a member search per group (finding the users of each group configured in Kadeck).
Activate the module
Replace the value of the env var xeotek_kadeck_authentication_method with ldap-nested to activate the module, and keep all the other xeotek_kadeck_authentication_ldap_* vars unchanged.
Add two environment variables:
xeotek_kadeck_authentication_ldap_group_search_filter
The filter used to find the distinguished name of the group, e.g.: (&(objectClass=groupOfNames)(cn=%s))
Please note the %s in the value above: that is where the group configured in Kadeck is injected.
xeotek_kadeck_authentication_ldap_group_search_user_filter
The filter for the members of each group, including the membership property with the magic token; it is similar to xeotek_kadeck_authentication_ldap_filter but without the group constraint, e.g.: (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=%s))
Please note the %s in the value above: that is where the DN of the group that was just queried is injected.
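The two-step lookup described above (group DN first, then that DN substituted into the member filter), as an added example that is not Kadeck's own code: it models the resolution against a constructed in-memory directory with a minimal filter parser that understands the in-chain matching rule, and shows the RFC 4515 escaping a value injected in place of %s needs. The DNs, entries and helper names are assumptions made for the example.

```python
import re
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: transitive memberOf
GROUP_FILTER = "(&(objectClass=groupOfNames)(cn=%s))"
USER_FILTER = f"(&(objectClass=person)(memberOf:{IN_CHAIN}:=%s))"
# Constructed directory (not a real server): alice is only in "ops", which is nested in "admins"; bob is in "admins" directly.
G, P = "ou=groups,dc=example,dc=com", "ou=people,dc=example,dc=com"
DIRECTORY = {
    f"cn=admins,{G}": {"objectClass": ["groupOfNames"], "cn": ["admins"]},
    f"cn=ops,{G}": {"objectClass": ["groupOfNames"], "cn": ["ops"], "memberOf": [f"cn=admins,{G}"]},
    f"uid=alice,{P}": {"objectClass": ["person"], "uid": ["alice"], "memberOf": [f"cn=ops,{G}"]},
    f"uid=bob,{P}": {"objectClass": ["person"], "uid": ["bob"], "memberOf": [f"cn=admins,{G}"]},
}

def escape_filter_value(value):  # RFC 4515 escaping for the value spliced into a filter for %s
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value
def parse(flt, pos=0):  # minimal filter parser: (&...)/(|...), (attr=value), (attr:oid:=value)
    if flt[pos + 1] in "&|":
        op, subs, pos = flt[pos + 1], [], pos + 2
        while flt[pos] != ")":
            node, pos = parse(flt, pos)
            subs.append(node)
        return (op, subs), pos + 1
    end = flt.index(")", pos)  # a literal ')' inside a value arrives escaped as \29
    attr, value = flt[pos + 1:end].split("=", 1)
    attr, rule = (attr.split(":") + [None])[:2]  # extensible match syntax: attr:oid:=value
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr, rule, value), end + 1
def _member_of_closure(dn):
    seen, todo = set(), [dn]
    while todo:  # walk memberOf transitively; 'seen' guards against membership cycles
        for group in set(DIRECTORY.get(todo.pop(), {}).get("memberOf", [])) - seen:
            seen.add(group); todo.append(group)
    return seen
def _matches(dn, node):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_matches(dn, s) for s in node[1])
    _, attr, rule, value = node
    if attr == "memberOf" and rule == IN_CHAIN:
        return value in _member_of_closure(dn)
    return value in DIRECTORY[dn].get(attr, [])  # exact match; real servers compare case-insensitively
def search(flt):
    node = parse(flt)[0]
    return sorted(dn for dn in DIRECTORY if _matches(dn, node))
def resolve_group_members(group_filter, user_filter, group_name):  # step 1: group DN; step 2: members
    (group_dn,) = search(group_filter.replace("%s", escape_filter_value(group_name)))  # exactly one
    return search(user_filter.replace("%s", escape_filter_value(group_dn)))
```

Running the plain (memberOf=...) form of the user filter against the same directory returns only bob, which is the gap this module closes; the in-chain form returns alice as well.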
Debug
To debug, set the environment variable xeotek_kadeck_authentication_ldap_debug to true. Kadeck will then output the results of all steps to the log.