mirror of
https://github.com/lldap/lldap.git
synced 2026-04-25 08:15:52 +03:00
[GH-ISSUE #13] Group inheritance and Indirect group membership #8
Originally created by @nitnelave on GitHub (Jun 28, 2021).
Original GitHub issue: https://github.com/lldap/lldap/issues/13
More of a nice-to-have, I don't expect many users to have a very complex group membership structure that requires that.
We can make a group inherit from another one, or be a subgroup of another one: if group A has subgroup B, then users in B are indirectly part of group A.
To avoid making too many requests for reading (common case), we can keep a "resolved" membership table that contains both direct and indirect memberships. This can be updated when adding a user to a group, and can be reset when deleting a user or a group.
Another way to do it is to have just the resolved group inheritance, not the full user one; then a user is part of group A if:
That's achievable with a single query, with a join.
This would only require updates/rebuilding when adding/deleting groups/group inheritance.
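Added example, not part of the original issue and not lldap's own code: a sketch of the second approach (resolved group inheritance plus a single join), using SQLite. The table and column names are hypothetical, and the membership condition used (a direct membership in the group itself or in any of its resolved descendants) is an assumption, since the issue text does not spell it out.

```python
import sqlite3

SCHEMA = """
CREATE TABLE all_groups(name TEXT PRIMARY KEY);
CREATE TABLE memberships(uid TEXT, grp TEXT);       -- direct memberships only
CREATE TABLE group_edges(parent TEXT, child TEXT);  -- direct subgroup links
CREATE TABLE group_closure(ancestor TEXT, descendant TEXT,
                           PRIMARY KEY (ancestor, descendant));
"""

def open_db(groups, edges, memberships):
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO all_groups VALUES (?)", [(g,) for g in groups])
    db.executemany("INSERT INTO group_edges VALUES (?, ?)", edges)
    db.executemany("INSERT INTO memberships VALUES (?, ?)", memberships)
    rebuild_closure(db)
    return db

def rebuild_closure(db):
    """Recompute resolved inheritance; run after every group or link change."""
    db.execute("DELETE FROM group_closure")
    # UNION (not UNION ALL) drops duplicate rows, so a cycle A -> B -> A terminates.
    db.execute("""
        WITH RECURSIVE reach(ancestor, descendant) AS (
            SELECT name, name FROM all_groups  -- every group reaches itself
            UNION
            SELECT r.ancestor, e.child
            FROM reach r JOIN group_edges e ON e.parent = r.descendant
        )
        INSERT INTO group_closure SELECT ancestor, descendant FROM reach
    """)

def is_member(db, uid, group):
    """One query, one join: direct membership in `group` or any descendant."""
    return db.execute("""
        SELECT 1 FROM memberships m
        JOIN group_closure c ON c.descendant = m.grp
        WHERE m.uid = ? AND c.ancestor = ? LIMIT 1
    """, (uid, group)).fetchone() is not None

if __name__ == "__main__":
    # Constructed sample data: A has subgroup B, B has subgroup C.
    db = open_db(["A", "B", "C"], [("A", "B"), ("B", "C")],
                 [("alice", "C"), ("bob", "A")])
    print(is_member(db, "alice", "A"), is_member(db, "bob", "C"))
    db.execute("DELETE FROM group_edges WHERE parent = 'A'")
    print(is_member(db, "alice", "A"))  # closure is stale until rebuilt
    rebuild_closure(db)
    print(is_member(db, "alice", "A"))
```

The stale read after the link is deleted is the case to guard against: if the rebuild is skipped on a group or inheritance change, a user keeps access through a link that no longer exists.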
@nitnelave commented on GitHub (Jul 15, 2022):
https://ldapwiki.com/wiki/LDAP_MATCHING_RULE_IN_CHAIN
@nitnelave commented on GitHub (Jul 31, 2022):
Design for the feature, feel free to comment on it: https://docs.google.com/document/d/1xkUFGdjfbTI5rC_sh1QIRET6njsK3Ci2ueGAWO-FJY4/edit?usp=drivesdk
@lordratner commented on GitHub (May 8, 2023):
1000% want this feature. It's really the only thing I think is truly "missing" from LLDAP.
@jacobw commented on GitHub (Oct 12, 2023):
Link has changed:
https://ldapwiki.com/wiki/Wiki.jsp?page=LDAP_MATCHING_RULE_IN_CHAIN
@lordratner commented on GitHub (Dec 11, 2023):
Is this on the radar still? Just wondering for planning purposes.
@nitnelave commented on GitHub (Dec 11, 2023):
Yes, it is. However, expect development to be slow in the next few months (like it has been in the past few months) due to personal circumstances.
@lordratner commented on GitHub (Dec 11, 2023):
No worries. LLDAP is the best game in town, thank you for what you've done already.
@lordratner commented on GitHub (Nov 12, 2024):
Ew, I looked this up and had no idea it has already been a year! Are we getting old?
Loving the changes in 0.6. LLDAP is still the best game in town. Wondering if nested groups are planned for the next release.
Cheers!
@nitnelave commented on GitHub (Nov 12, 2024):
I don't have that much dev time, but they're on my to-do list once I do (when the kid grows up a bit more, you can't rush these things!)
@jsmith212 commented on GitHub (Jan 6, 2025):
Looking forward to it, and thanks for the hard work on LLDAP! This is the only feature I feel like I miss right now.
@jsmith212 commented on GitHub (Aug 11, 2025):
Just looking to follow up on this one. Any updates? Is this still planned? This makes managing a lot of services really simple when adding new members since I would be able to just assign them a catch-all role (Reader, Developer, SRE, Admin) and then manage fine-grained group memberships under the coarse organizational roles.
@nitnelave commented on GitHub (Aug 11, 2025):
This is still planned, but it is a complex change and we're starved for dev time.