Retrieve nested group membership #17

Open
shackit opened this issue Jul 23, 2018 · 4 comments
Labels
enhancement New feature or request

Comments

@shackit
Contributor

shackit commented Jul 23, 2018

At the moment kube-ldap reads the direct group membership from the ldap user account. For example when binding to Microsoft Active Directory we retrieve the memberOf attribute. However, those groups could be members of other groups.

We have a situation where we could have multiple k8s clusters and we would like a default RBAC rule bound to a particular group. Within that group we would have other groups, Ops/InfoSec etc. Instead of having to manage multiple RoleBindings/ClusterRoleBindings for each cluster, we would like to leverage the one parent group.

@shackit
Contributor Author

shackit commented Jul 23, 2018

I have attempted a patch for this issue on my fork, https://github.com/shackit/kube-ldap/tree/nested-ad-groups. I doubt this is a viable solution for all LDAP directories as it uses LDAP_MATCHING_RULE_IN_CHAIN: "(member:1.2.840.113556.1.4.1941:=" + ldapObject.dn + ")". This works pretty well for MS AD.

@juckerf
Contributor

juckerf commented Jul 24, 2018

Hm.. I like the idea of supporting nested group memberships.
However, in my opinion the most generic way would be to follow the memberOf (or whatever attribute is configured) values recursively. But this can probably be very costly and would introduce some new challenges (like detecting cycles etc.).

@juckerf juckerf added the enhancement New feature or request label Jul 24, 2018
@juckerf juckerf added this to the 2.0.0 milestone Mar 27, 2019
@juckerf juckerf removed this from the 2.0.0 milestone Jun 12, 2019
@juckerf
Contributor

juckerf commented Jun 12, 2019

I removed this feature from the 2.0.0 milestone since I haven't found any generic and nice way to support nested group memberships.
Probably I will implement a method to support nested group memberships for Microsoft AD which can be activated via a config parameter.

@antoineozenne

antoineozenne commented

Have you found a solution? I like this because it's very easy to use, but I really need support for nested groups. :/
