AD nested groups not working

Issue #123 resolved
Christian Eiden
created an issue

Our AD groups often contain subgroups, but they are not working in SCM Manager.

Comments (10)

  1. Christian Eiden reporter

    Here are two ldifs. The following setup is included:

    The user Christian Eiden is member of the group G_BSH-DEVEL. G_BSH-DEVEL is member of the group G_BSH.

    So when I give permission to G_BSH for a specific repository, Christian Eiden doesn't have the permissions.

  2. Sebastian Sdorra repo owner

    I've created a test version of the ldap plugin. Could please test this version:

    Install test version:

    • Login in as administrator
    • Open Config->General
    • Change "Plugin Repository" parameter snapshot from false to true
    • Open Plugins
    • Install version 1.12-SNAPSHOT of scm-auth-ldap-plugin
    • Restart your applicationserver
    • Enable nested ad groups in Config->General->AD Authentication
  3. DRayX

    I just tried the snapshot version, and it seemed to work fine in my environment, it even seems to work fine for groups nested multiple levels (only checked up to 2). The one thing that was a little off, I had to switch my ldap configuration out of Active Directory to custom and back again for the option to be enabled. A really simple fix for this would be to include the check box in the Active Directory configuration options.

  4. Sebastian Sdorra repo owner

    Yes you are right. If you do an update of the plugin the nested group checkbox is not enabled in the ActiveDirectory profile. When you do a fresh installation of the plugin (without an existing config), the nested group feature is enabled by default in the ActiveDirectory profile. I think the best way is to check for an update and enable the nested group feature if the ActiveDirectory profile is used.

  5. DRayX

    That would work as well. It was a minor inconvenience, but for those that don't know about the change, they would probably never get the enhancement. It seems like this issue could be generally handled by detecting the upgrade and reapplying all the non-displayed options for your current configuration, but changing a users settings (even if they are hidden) without alerting them to the changes could break their configuration.

  6. Sebastian Sdorra repo owner

    I've changed the behaviour. The "nested ad group" feature is disabled by default and the checkbox is only visible in the ActiveDirectory or in the Custom profile. I think that is the best solution, because the behaviour after an update is untouched.

    Could you please test the new version of the plugin. You have to uninstall and reinstall the plugin to get the new version.

  7. Log in to comment