Advanced: LDAP Module for nested groups

Note: the basic LDAP module is sufficient in most cases. Use this module only if the basic LDAP module does not return all of a user's groups (especially nested groups).
This module works around the issue that a user's memberOf attribute may not list every group the user belongs to, in particular groups that contain the user only through another group (nested membership).
Prerequisite: make sure that the groups have been created in Kadeck before this module is activated, because the module only searches the directory for groups that are already configured in Kadeck.

Kadeck first fetches all users that match the original user query and adds them to its database. It then assigns groups by performing one member search per group configured in Kadeck: for each group it looks up the group's distinguished name and then searches for the users that are members of that group.

Activate the module

Set the environment variable xeotek_kadeck_authentication_method to ldap-nested to activate the module. Keep all other xeotek_kadeck_authentication_ldap_* variables unchanged; the nested module reuses them.

Configure the Module

Add the following two environment variables:

xeotek_kadeck_authentication_ldap_group_search_filter
The filter used to look up the distinguished name (DN) of a group, e.g.: (&(objectClass=groupOfNames)(cn=%s))
Note the %s placeholder: Kadeck replaces it with the name of the group as configured in Kadeck.

xeotek_kadeck_authentication_ldap_group_search_user_filter
The filter used to find the members of each group. It must include the membership attribute with the %s placeholder and is otherwise similar to xeotek_kadeck_authentication_ldap_filter, but without the group constraint, e.g.: (&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=%s))

Note the %s placeholder: Kadeck replaces it with the DN of the group found by the previous filter.
The matching rule OID 1.2.840.113556.1.4.1941 in the example (LDAP_MATCHING_RULE_IN_CHAIN) is an Active Directory extension that makes the server follow nested group membership when evaluating memberOf. OpenLDAP does not implement this matching rule, so against OpenLDAP use a membership filter your server can evaluate.
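To see what the two filters resolve to, and why the second step finds users that a plain memberOf lookup misses, the following Python script models both steps offline against a small constructed directory. It is an added example for this article, not Kadeck code: the filter templates are the two example values above, while the group and user entries and all function names are constructed for illustration. The script escapes the substituted group name and DN per RFC 4515 before inserting them into the filter; whether Kadeck escapes these values itself is not stated in this article, so keep configured group names free of filter metacharacters (parentheses, asterisk, backslash) or verify the rendered filters in the debug log described below.

```python
"""Offline model of the ldap-nested two-step lookup (added example, not Kadeck code).

Step 1: group_search_filter  -> DN of the group configured in Kadeck
Step 2: group_search_user_filter -> users that are (nested) members of that DN
"""
from typing import Dict, List, Optional, Set

# Filter templates, exactly as in the two environment variables above.
GROUP_SEARCH_FILTER = "(&(objectClass=groupOfNames)(cn=%s))"
GROUP_SEARCH_USER_FILTER = (
    "(&(objectClass=person)(memberOf:1.2.840.113556.1.4.1941:=%s))"
)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a group name or DN that
    contains filter metacharacters cannot change the structure of the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(c, c) for c in value)


def render_filter(template: str, value: str) -> str:
    """Substitute the single %s placeholder with the escaped value."""
    if template.count("%s") != 1:
        raise ValueError("filter template must contain exactly one %s placeholder")
    return template.replace("%s", escape_filter_value(value))


# Constructed sample directory (hypothetical DNs). Groups list their direct
# 'member' DNs; persons list their direct 'memberOf' values, which is all the
# basic module sees. alice is in kadeck-admins only via platform-team.
GROUPS: Dict[str, Dict[str, object]] = {
    "cn=kadeck-admins,ou=groups,dc=example,dc=com": {
        "cn": "kadeck-admins",
        "member": [
            "cn=platform-team,ou=groups,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
        ],
    },
    "cn=platform-team,ou=groups,dc=example,dc=com": {
        "cn": "platform-team",
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}
PERSONS: Dict[str, List[str]] = {
    "uid=alice,ou=people,dc=example,dc=com": ["cn=platform-team,ou=groups,dc=example,dc=com"],
    "uid=bob,ou=people,dc=example,dc=com": ["cn=kadeck-admins,ou=groups,dc=example,dc=com"],
}


def find_group_dn(group_name: str) -> Optional[str]:
    """Step 1: evaluate the group_search_filter (cn match) on the sample data."""
    for dn, attrs in GROUPS.items():
        if attrs["cn"] == group_name:
            return dn
    return None


def direct_members(group_dn: str) -> Set[str]:
    """What a plain (memberOf=<group DN>) filter returns: direct members only."""
    return {dn for dn, member_of in PERSONS.items() if group_dn in member_of}


def nested_members(group_dn: str) -> Set[str]:
    """What memberOf:1.2.840.113556.1.4.1941:=<group DN> returns on Active
    Directory: persons reachable through any chain of group nesting.
    The 'seen' set guards against cyclic group membership."""
    result: Set[str] = set()
    seen: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in GROUPS.get(current, {}).get("member", []):  # type: ignore[union-attr]
            if member in GROUPS:
                stack.append(member)
            elif member in PERSONS:
                result.add(member)
    return result


def resolve_kadeck_group(group_name: str) -> Dict[str, object]:
    """Both steps of the module for one group configured in Kadeck, plus the
    rendered filters so they can be compared with the debug log."""
    filters = [render_filter(GROUP_SEARCH_FILTER, group_name)]
    group_dn = find_group_dn(group_name)
    if group_dn is None:
        return {"group_dn": None, "filters": filters, "direct": set(), "nested": set()}
    filters.append(render_filter(GROUP_SEARCH_USER_FILTER, group_dn))
    return {
        "group_dn": group_dn,
        "filters": filters,
        "direct": direct_members(group_dn),
        "nested": nested_members(group_dn),
    }


if __name__ == "__main__":
    result = resolve_kadeck_group("kadeck-admins")
    for f in result["filters"]:  # type: ignore[union-attr]
        print(f)
    print("direct members:", sorted(result["direct"]))  # type: ignore[arg-type]
    print("nested members:", sorted(result["nested"]))  # type: ignore[arg-type]
    # A group name with metacharacters is escaped instead of altering the filter.
    print(render_filter(GROUP_SEARCH_FILTER, "Kafka Ops (Prod)*"))
```

Running the script shows that the direct lookup for kadeck-admins returns only bob, while the nested lookup returns alice and bob; that difference is exactly the set of users the basic module leaves without the group.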

Debug

To debug, set the environment variable xeotek_kadeck_authentication_ldap_debug to true. Kadeck will then output the results of all steps to the log.
