Feature #5461


Add RFC2307bis (LDAP) group membership support to user authentication

Added by Felix Wolfsteller over 8 years ago. Updated almost 4 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:


As layed out and implemented in Feature #4923 (, LDAP groups can be used if they follow RFC2307.

This is e.g. used by the posixGroup scheme, where attribute (values of memberUID) in the group node specifies the "username" (UID) of the group members.

In contrast to this, RFC2307bis specifies that group memberships are given with full DN, so to speak a link to the user object, as in a groupOfNames-schema solution with members being accessed via the "member" attribute values.

I'd like to see a RFC2307bis- implementation.

The webconfigurator for LDAP Authentication sources currently shows a checkbox to enable RFC2307 group-behaviour, which is interpreted as contrast to a ActiveDirectory "memberOf"-style group-membership-assignment (there, group membership is handled at the User-, not in the Group-Object).

Instead, it could show a selectBox, with RFC23071, RFC2307bis and "AD/memberOf" entries.

Following that, (src/etc/inc/ would have to be adjusted, along these lines

elseif ($authcfg == 'ldap_rfc2307bis') {
  $ldapfilter         = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$userdn}))";

(Pardon me, I do not know PHP nor LDAP very well).

While this looks really trivial at first, the "problem" might be to get the $userdn variable set by passing it through from the users successfull authentication or deducing it somehow. As far as I understand it is not supereasiy to pass it down to getUserGroups().

Actions #1

Updated by Jim Thompson over 8 years ago

  • Assignee set to Chris Buechler

assigned to cmb for eval

Actions #2

Updated by Felix Wolfsteller over 8 years ago

Possiblly duplicate of #3410 .

Actions #3

Updated by Chris Buechler almost 8 years ago

  • Assignee deleted (Chris Buechler)
Actions #4

Updated by Jim Pingle almost 5 years ago

  • Category changed from User Manager / Privileges to Authentication
Actions #6

Updated by Viktor Gurov almost 4 years ago

  • Status changed from New to Resolved

Resolved in #9527


Also available in: Atom PDF