I can’t map my groups to roles using openLDAP with my configuration. At least not the groups that I need to.
My ldap directory uses three different kinds of organizational units:
- objectClass=groupOfNames - for logical groups within the company (e.g. Management, Developers, Support, etc.)
- objectClass=posixGroup - for mapping user accounts to system groups when logging in to a physical machine
- objectClass=organizationalRole - for mapping behavioral roles that should not be reflected in logical groups (e.g. access to restricted systems, etc.)
With a default install of Zammad, I can only map the posixGroups to Zammad roles, the groupOfNames groups are not visible to Zammad.
Manually patching lib/ldap/group.rb to contain:
@filter ||= lookup_filter(['(objectClass=groupOfUniqueNames)', '(objectClass=groupOfNames)', '(objectClass=group)', '(objectClass=posixgroup)', '(objectClass=organization)'])
causes Zammad to allow me to map the groupOfNames groups to Zammad roles. (Note the addition of ‘groupOfNames’, we don’t use the ‘groupOfUniqueNames’ class.)
Having a UI to be able to edit the group filter would prevent me from having to patch the code. (As would updating the code to support groupOfNames, but having a UI to edit the group filter would be more flexible for others.)
FWIW, it would also be useful to be able to map both groupOfNames and organizationalRoles to Zammad roles at the same time. (e.g. the ‘Support’ groupOfNames’ would be agents, and the ‘admin’ organizationalRole would be admins). We have other applications such as Nextcloud that expose the groupOfNames groups and we don’t want to expose the admin role as a group to those applications, which is why we use organizationalRoles for those. Note that organizationalRoles use a different schema per https://tools.ietf.org/html/rfc4519#section-3.10