[GH-ISSUE #643] [FEATURE REQUEST]: Create groups from LDAP (for Terraform) #235

Closed
opened 2026-02-27 08:16:04 +03:00 by kerem · 7 comments

Originally created by @imyller on GitHub (Aug 9, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/643

Adding groups with LDAP protocol from Terraform LDAP provider fails:

```
LDAP Result Code 34 "Invalid DN Syntax": Unexpected DN format. Got "uid=id,ou=groups,dc=db,dc=<redacted>", expected: "uid=id,ou=people,dc=db,dc=<redacted>"
```

The error implies that LLDAP forces the new object into the `ou=people` DN, while the request clearly sends the DN `ou=groups`.


@nitnelave commented on GitHub (Aug 9, 2023):

Creating groups via LDAP is not yet supported.


@ddiawara commented on GitHub (Aug 10, 2023):

Other ways to do it?


@nitnelave commented on GitHub (Aug 10, 2023):

No automatic way, you would have to create the groups manually on the web interface (or script it via the graphql API)


@ibizaman commented on GitHub (Sep 2, 2023):

@nitnelave is this planned or wanted? I don't have any idea when but it's something I'd be comfortable tackling. I'd also be happy to discuss any architectural considerations before implementing something like this. Btw, I'd like to be able to declare groups declaratively through the configuration file.


@nitnelave commented on GitHub (Sep 2, 2023):

Hey @ibizaman ! This issue is not in my roadmap for now, and anyway I have precious little time these days (I don't spend as much time on LLDAP as I'd like!)
If you were to tackle it, it should be a nice task for a new contributor. The infrastructure is already in place, the only thing to do is to map the LDAP message to the internal group creation. And we already have something in place for users, so there's a template you can follow.

Regarding declaring the groups in a config file, I'm not convinced:

  • is it only for first time setup?
  • is it a complete list of groups, or just a minimum? What if one of the groups gets deleted?
  • in case of a HA setup, which node does the initialization?

There are several answers to these questions, and not everyone will agree on them.

This sounds like extra logic that doesn't really belong in the LLDAP project. With the API (either the existing graphql or through LLDAP if you add it) it's easy to write a script implementing that logic. It could be part of the entry point.

That said, I'd be willing to provide in the repo a script that loads users/groups from a config file if you want to write that. The best would probably be to write it in rust, to have the same language throughout the repo, be able to share code and minimize the dependencies.

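A script of the kind @nitnelave describes above, written here as an added example (it is not code from the LLDAP repo or from any commenter): it takes a declared group list, compares it with the groups LLDAP already has, and creates the missing ones through the GraphQL API, treating the declaration as a minimum by default so the run is idempotent and safe to execute from every node of an HA setup. The GraphQL path `/api/graphql`, the `groups { id displayName }` query and the `createGroup(name:)` mutation are assumptions about LLDAP's schema; the bearer token is assumed to come from LLDAP's login endpoint.

```python
"""Ensure a declared list of groups exists in LLDAP via its GraphQL API."""
import json
import urllib.request

# Assumed, not confirmed by the thread: LLDAP serves GraphQL at /api/graphql,
# lists groups as `groups { id displayName }` and creates one with `createGroup(name:)`.
GRAPHQL_PATH = "/api/graphql"
LIST_GROUPS = "query { groups { id displayName } }"
CREATE_GROUP = ("mutation CreateGroup($name: String!) "
                "{ createGroup(name: $name) { id displayName } }")


def plan_groups(desired, existing, authoritative=False):
    """Return the groups to create and, only in authoritative mode, those to delete.

    The default treats the declaration as a minimum: nothing is ever removed, the
    run is idempotent, and any node of an HA setup can execute it safely."""
    desired_set, existing_set = set(desired), set(existing)
    return {
        "create": sorted(desired_set - existing_set),
        "delete": sorted(existing_set - desired_set) if authoritative else [],
    }


def graphql(base_url, token, query, variables=None):
    """POST one GraphQL document with a bearer token; raise on GraphQL-level errors."""
    body = json.dumps({"query": query, "variables": variables or {}}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH, data=body, method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        payload = json.load(resp)
    if payload.get("errors"):
        raise RuntimeError(f"GraphQL errors: {payload['errors']}")
    return payload["data"]


def ensure_groups(base_url, token, desired, authoritative=False, send=graphql):
    """Fetch current groups, compute the plan and create the missing ones.

    `send` is injectable so the logic can be exercised without a live server.
    Deletions are reported in the returned plan but never executed here."""
    existing = [g["displayName"] for g in send(base_url, token, LIST_GROUPS)["groups"]]
    plan = plan_groups(desired, existing, authoritative)
    for name in plan["create"]:
        send(base_url, token, CREATE_GROUP, {"name": name})
    return plan
```

Whether a group missing from the declaration should be deleted is exactly the policy question raised above, so the script only reports such groups and leaves the decision to the operator.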

@ibizaman commented on GitHub (Sep 7, 2023):

About loading from a config file, I was thinking about deploying code with NixOS, which as you may know is declarative, and having a list of groups defined in NixOS. But having a second binary talking to the API works too.

Thanks for the explanation of how to implement this. It makes sense indeed.


@fsdrw08 commented on GitHub (Mar 20, 2024):

maybe we can try to use terraform graphql provider to do that
