• Type: Feature Request
• Resolution: Unresolved
• Priority: Undefined
• Fix Version/s: None
• Affects Version/s: None
• Component/s: Quay
• Labels:

  • 3.13-candidate
  • quay-enterprise
  • roadmap
  • triaged

[RFE-4349] Allow nested LDAP groups in directory team sync

Collapse comment: Caleb Denney (Inactive) added a comment - 2024/07/24 4:33 PM

Caleb Denney (Inactive) added a comment - 2024/07/24 4:33 PM

As a Quay Enterprise customer, I would like to request an update on this.

 

A possible solution would be to allow users to provide a more detailed LDAP search string instead of strictly a relative DN path. For e.g. 

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Quay_Users,OU=Groups,DC=contoso,DC=com)) 

 would support nested groups, (the numbers provide the magic in the memberOf LDAP search) and return only user objects.

 

Expand comment: Caleb Denney (Inactive) added a comment - 2024/07/24 4:33 PM

Caleb Denney (Inactive) added a comment - 2024/07/24 4:33 PM As a Quay Enterprise customer, I would like to request an update on this.   A possible solution would be to allow users to provide a more detailed LDAP search string instead of strictly a relative DN path. For e.g.  (&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Quay_Users,OU=Groups,DC=contoso,DC=com))  would support nested groups, (the numbers provide the magic in the memberOf LDAP search) and return only user objects.  

Collapse comment: Dave O'Connor added a comment - 2023/05/02 1:52 PM

Dave O'Connor added a comment - 2023/05/02 1:52 PM

rhn-support-cpippin The workaround is manual, it sounds like that's what rh-ee-dcoronel's customer is doing. I added our 3.10 candidate tag to this, we'll discuss where it lands in priority later this week.

Expand comment: Dave O'Connor added a comment - 2023/05/02 1:52 PM

Dave O'Connor added a comment - 2023/05/02 1:52 PM rhn-support-cpippin The workaround is manual, it sounds like that's what rh-ee-dcoronel 's customer is doing. I added our 3.10 candidate tag to this, we'll discuss where it lands in priority later this week.

Collapse comment: David Coronel added a comment - 2023/03/10 3:17 PM

David Coronel added a comment - 2023/03/10 3:17 PM

This comes from one of my customers needing to use a workaround because of the lack of nested LDAP groups support in Quay:

---

Currently when creating teams under Quay Organizations, sometime users wants to use their existing ‘Active Directory’ Groups to populate team memberships. Some of these existing groups are nested.

Since Quay doesn’t support nested LDAP groups, we are unable to use ‘directory synchronization’ feature, which is available in Quay to allow teams user membership to be synced with a group in LDAP.

To work around this, we have to manually maintain Quay team membership (without using ‘directory synchronization’ feature), and have to regularly sync. Quay team with LDAP group members using cronjobs.

Expand comment: David Coronel added a comment - 2023/03/10 3:17 PM

David Coronel added a comment - 2023/03/10 3:17 PM This comes from one of my customers needing to use a workaround because of the lack of nested LDAP groups support in Quay: Currently when creating teams under Quay Organizations, sometime users wants to use their existing ‘Active Directory’ Groups to populate team memberships. Some of these existing groups are nested. Since Quay doesn’t support nested LDAP groups, we are unable to use ‘directory synchronization’ feature, which is available in Quay to allow teams user membership to be synced with a group in LDAP. To work around this, we have to manually maintain Quay team membership (without using ‘directory synchronization’ feature), and have to regularly sync. Quay team with LDAP group members using cronjobs.