Is your feature request related to a problem? Please describe.
Using TinyAuth connected to Windows Active Directory Domain as LDAP server does not work well, as the group information is not extracted correctly (AD seems to not support objectclass=groupOfUniqueNames).
Describe the solution you'd like
Make the LDAP interface work with Windows Active Directory. Ideally, the memberOf attribute of the LDAP user object can be used to check for a user's group membership.
Describe alternatives you've considered
As the group LDAP query is hardcoded, there seems to be no workaround possible.
Additional context
I've checked #590 and #517, but the solution is not working for Windows Active Directory.
Thanks for the nice work and the efforts you put into this! Unfortunately the current solution does not work for me (and likely for anybody else using Active Directory as LDAP server). It seems like Windows Active Directory does not return anything for the LDAP filter (&(objectclass=groupOfUniqueNames)(uniquemember=%s)) used in GetUserGroups (ldap_service.go). It seems like the groupOfUniqueNames is by default not available in the Active Directory LDAP schema (sorry, I don't have deep knowledge here, but if I run any query with objectclass=groupOfUniqueNames this returns no results, whereas objectclass=group returns the groups).
What I found however, is that the user object returned by the LDAP query has a memberOf property which has all the group memberships of a given user. If this attribute would be added (in addition to {"dn", "mail"}) to the LDAP query in GetUserInfo (ldap_service.go), then this could be used to filter for group memberships...
Another option would be to allow specifying an LDAP filter for each container/resource (through a label) separately - as far as I understand, this is currently not possible for the search filter, only for the group match (tinyauth.apps.[app].ldap.groups).
Thanks and keep up the great work, TinyAuth is really a nice piece of software!
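The memberOf approach proposed in this issue, as an added Go example that is not TinyAuth's own code: it turns the group DNs of a constructed memberOf list into a lower-cased CN set (honouring RFC 4514 escaped commas) that a tinyauth.apps.[app].ldap.groups style check can look up case-insensitively. The names rdns, groupSet and sampleMemberOf are assumptions, not identifiers from ldap_service.go.

```go
package main

import "strings"

// Constructed sample of the memberOf values AD returns on a user entry;
// the second CN contains an RFC 4514 escaped comma.
var sampleMemberOf = []string{
	"CN=Admins,OU=Groups,DC=example,DC=com",
	"CN=Web\\, Users,OU=Groups,DC=example,DC=com",
}

// rdns splits a DN on unescaped commas and strips the backslash escapes
// from each RDN (hex-pair escapes such as \2C are not decoded here).
func rdns(dn string) []string {
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(dn); i++ {
		c := dn[i]
		switch {
		case c == '\\' && i+1 < len(dn):
			i++ // keep the escaped character literally
			cur.WriteByte(dn[i])
		case c == ',':
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

// groupSet maps the lower-cased CN of every memberOf DN to true, so a
// tinyauth.apps.[app].ldap.groups style check becomes a case-insensitive
// lookup. DNs without a CN are skipped rather than matched.
func groupSet(memberOf []string) map[string]bool {
	set := map[string]bool{}
	for _, dn := range memberOf {
		for _, rdn := range rdns(dn) {
			kv := strings.SplitN(rdn, "=", 2)
			if len(kv) == 2 && strings.EqualFold(strings.TrimSpace(kv[0]), "cn") {
				set[strings.ToLower(strings.TrimSpace(kv[1]))] = true
				break
			}
		}
	}
	return set
}
```

memberOf lists direct memberships only (and never the user's primary group), so nested AD groups need a server-side filter using the LDAP_MATCHING_RULE_IN_CHAIN OID 1.2.840.113556.1.4.1941 instead of this client-side lookup.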