LDAP Connector: Group membership from user attribute

[g1franc]

Hello,

We have a corporate LDAP (OpenLDAP) where we are required to retrieve the group membership from the user attribute (partOf) instead of making a query to search for members of groups.
There are restrictions preventing us to performs consuming group search queries and moreover, groups are dynamic groups (objectClass groupOfURLs with an attribute memberURL to get the members)

Sample of LDAP Structure:
User:

dn:  uid=userid1,ou=pPeople,dc=dcNAME
cn: Firstname Lastname
sn: FirstName
uid: userid1
uid: yawboateng
objectclass: person
email: user@test.com
partOf: group1    (cn of the group)
partOf: cn=group2
partOf: cn=group3
partOf: cn=group4
partOf: cn=group5

Group:

dn:  cm=group1,ou=Groups,dc=dcNAME
cn: group1
objectclass: groupOfURLs
objectClass=corporateGroup
memberURL: ldap:///ou=People,dc=dcNAME??sub?(..............

We managed to authenticate successfully but we cannot manage to have the list of groups for that user.
We tried to pull the attribute partOf with a groupSearch (see dex snippet below but only the first group is retrieved and not all groups)

 groupSearch:
      baseDN: ou=people,o=dcNAME
      filter: (objectClass=person)
      groupAttr: uid
      nameAttr: partOf
      userAttr: uid

Dex log output:

time="2023-01-31T10:42:11Z" level=info msg="performing ldap search ou=people,o=dcNAME sub (&(corporateGroup=*)(uid=userid1))"
time="2023-01-31T10:42:11Z" level=info msg="login successful: connector \"ldap\", username=\"Firstname LastName\", preferred_username=\"\", email=\"user@test.co\", groups=[\"group1\"]"

We tried to use the "usual" configuration but due to the our corporate restriction, it seems to timeout

baseDN: "ou=groups,o=dcNAME"
filter: "(objectClass=corporateGroup)"
userAttr: DN
groupAttr: member
nameAttr: cn

Dex log output:

# "performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(member=uid=userid1,ou=People,o=dcNAME))

Could you please advise ?

Regards.

[g1franc]

After numerous attempt, I managed to have a working configuration where Dex will get the list of group correctly using configuration:

groupSearch:
      baseDN: ou=groups,o=dcNAME
      filter: (objectClass=corporateGroup)
      groupAttr: cn
      nameAttr: cn
      userAttr: partOf

Here the clever part is to lead Dex to test each group the user is part of and have a 1..1 mapping as it result in a LDAP search group query leading to only checking for group existence.

It will then result in N ldap search group query (which are fast as querying group by primary identifier) where N is the number of group the user is a member.

Log output is then

time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=people,o=dcNAME sub (&(objectClass=person)(uid=userid1))"
time="2023-02-02T08:55:32Z" level=info msg="username \"userid1\" mapped to entry uid=userid1,ou=People,o=dcNAME"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group1))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group2))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group3))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group4))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group5))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group6))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group7))"
time="2023-02-02T08:55:32Z" level=info msg="performing ldap search ou=groups,o=dcNAME sub (&(objectClass=corporateGroup)(cn=group8))"
time="2023-02-02T08:55:33Z" level=info msg="login successful: connector \"ldap\", username=\"Firstname Lastname\", preferred_username=\"\", email=\"user@test.com\", groups=[\"group1\" \"group2\" \"group3\" \"group4\" \"group5\" \"group6\" \"group7\" \"group8\"]

Hope this helps