Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Active Directory primary groups #59

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Enable Active Directory primary groups #59

wants to merge 1 commit into from

Conversation

mtkraai
Copy link

@mtkraai mtkraai commented Apr 2, 2019

Include primary group relationships when searching groups by users, or users by group. Active Directory does not include this relationship in the member and memberOf collections in LDAP queries.

Enable Active Directory primary groups
0f696f2 
Include primary group relationships when searching groups
by users, or users by group.  Active Directory does not
include this relationship in the member and memberOf
collections in LDAP queries.
@ares
Copy link
Member

ares commented Apr 3, 2019

@ezr-ondrej any chance you could take a look and test?

ezr-ondrej
ezr-ondrej reviewed Apr 22, 2019
View reviewed changes
Copy link
Member

@ezr-ondrej ezr-ondrej left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry for the delay! Me 👎 😞
I have tested it and I have few comments, probably based just on my poor AD knowledge. 🙂

  1. Is there a performance impact anticipated? The primary-group-token is a computed attribute and the primary group walk is going to happen always. Won't that be a problem in larger instances?
  2. Would you mind to explain the business case backing it? Because as I understand it, changing of primary group is not recommended. So in all ADs I have seen it would only result in adding the "Domain Users" and "Users" for group_list in most cases. And obviously list of all users by user_list on "Domain Users" is that really helpful or is there some better use case?
  3. (nit) The user_list for "Domain Users" returns [] as it does not respond any method, so _groups_from_ldap_data will not be even hitted and we introduce a bit of an inconsistency as group_list('user') gives [..."Domain Users"...], but user_list('Domain Users') is not returning the user.

Otherwise it works smooth and apart those three points I generally like it. If you would please explain the business use case, I will be happy to approve 👍

dLobatog
dLobatog reviewed May 27, 2019
View reviewed changes
Copy link
Member

@dLobatog dLobatog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mtkraai ping?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ezr-ondrej ezr-ondrej ezr-ondrej left review comments

@dLobatog dLobatog dLobatog left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mtkraai @ares @dLobatog @ezr-ondrej