Patch: Add Apple Open Directory memberUid support in group lookup
This is a patch that adds compatibility to do memberUid style lookups used in Apple's Open Directory, specifically when the user record does not contain any "reverse" group information. The ldap_get_groups function is modified to have a dual-search filter: it looks for user account(s) that match as well as groups whose memberUid (or rather the group membership variable defined by the user) has the username.
I have been able to test against OS X Server 10.9 and it works as expected. While the original functionality should still work, I do not have any LDAP servers that are configured that way so I cannot test. If somebody can test that I would love to hear if it is working or not.
Attached is the diff containing the changes.
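The dual-search filter described in the post above, as an added Python sketch that is not the attached patch or pfSense code. The function names, the `uid`, `memberUid` and `memberOf` attribute defaults, and the sample directory entries are assumptions constructed for illustration; the username is escaped per RFC 4515 before it is placed in the filter, since group membership decides what the account is allowed to do.

```python
# Added example: not the patch from this ticket. Names and data are constructed.

# Characters that must be escaped inside an RFC 4515 filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is treated as a literal in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(username, name_attr="uid", member_attr="memberUid"):
    """OR of two clauses: the user's own entry, and groups that list the user."""
    u = escape_filter_value(username)
    return f"(|({name_attr}={u})({member_attr}={u}))"


def groups_for(username, entries, name_attr="uid",
               member_attr="memberUid", reverse_attr="memberOf"):
    """Resolve groups from both kinds of result the dual filter returns.

    entries maps DN -> {attribute: [values]} and stands in for search results.
    """
    groups = set()
    for dn, attrs in entries.items():
        if username in attrs.get(name_attr, []):
            # User entry: take "reverse" group info when the record has any.
            groups.update(attrs.get(reverse_attr, []))
        if username in attrs.get(member_attr, []):
            # Group entry listing the user by short name (Open Directory style).
            groups.add(dn)
    return sorted(groups)


# Constructed sample: the user record carries no reverse group information.
SAMPLE = {
    "uid=jdoe,cn=users,dc=example,dc=com": {"uid": ["jdoe"]},
    "cn=admins,cn=groups,dc=example,dc=com": {"memberUid": ["jdoe", "asmith"]},
    "cn=staff,cn=groups,dc=example,dc=com": {"memberUid": ["asmith"]},
}

if __name__ == "__main__":
    print(build_group_filter("jdoe"))
    print(groups_for("jdoe", SAMPLE))
```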
- Target version set to 2.2
- Affected Version deleted (
Could you please submit a pull request on GitHub to master?
- Assignee set to Jim Pingle
Assigned to Pingle. Once a CLA has been signed, we can look at incorporating this.
I believe I signed one in the correct place just now (portal.pfsense.org). Please let me know if I need to do anything else.
The ICLA looks OK, I show that it was signed and submitted. Thanks!
I added some comments on the pull request for potential refinement, or at least some things that need clarified before we can merge the patch.
I'm going to push this to 2.3 unless something happens in the next week on this request.
- Target version changed from 2.2 to 2.3
- Status changed from New to Feedback
- Target version deleted (
I suspect this was actually solved by #4923 -- need feedback from OP or someone else with a similar setup.
I have since moved our system to Active Directory so I am unable to test #4923 against an Open Directory setup. I thought I had updated this already to reflect that I no longer needed OD, but maybe it was something else.
Possible duplicate of issue #5461.
- Status changed from Feedback to Resolved
Closing for lack of feedback.