Last modified: 2013-05-01 09:22:36 UTC
The nested groups support in LdapAuthentication is not feature complete, nor optimized.

1) Active Directory (and probably others) support a nested group directive in the filter directly. Example:
   (memberOf:1.2.840.113556.1.4.1941:=CN=group,OU=Groups,DC=domain,DC=com)
   where the magic numbers mean recursive lookup at the server side.
2) Group lookup should support paged ldap search when available (PHP 5.4+), else you'd run the risk of missing groups when member of 1000+ groups.
3) For pure authorization, not all ldap groups need to be resolved recursively if you get a hit on the first search (performance).
4) Group CN converted to all lowercase, thus not finding any groups containing uppercase characters in Active Directory.
5) Debug log not accurate:
   - Username listed with first char as uppercase, even though input is all lowercase (search string, and user filter)
   - "basedn is not set for this type of entry, trying to get the default basedn." -> Should contain expected configuration option, and what the default basedn gets set to

Another limitation currently is SSL certificate issues, which get masked as "bind failed". I'd suggest supporting `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);` with output to debug log, when debug enabled.
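The points above (server-side nested lookup via the 1.2.840.113556.1.4.1941 matching rule, paged group search, a cheap single-group authorization check, CN case preservation, and client debug output for TLS failures) put together in one PHP sketch. This is an added example, not code from the LdapAuthentication extension or from the reporter; the host name, base DNs, bind credentials, CA file path and 500-entry page size are placeholders, and it assumes PHP 7.3 or newer (the `$controls` argument of `ldap_search()` and `ldap_parse_result()` rather than the older `ldap_control_paged_result()` calls).

```php
<?php
// Added example (not the extension's code): nested-group resolution against Active Directory.
// Assumptions: PHP >= 7.3 with the ldap extension; an LDAPS-reachable domain controller;
// all hostnames, DNs, credentials and file paths below are placeholders.

const AD_MATCHING_RULE_IN_CHAIN = '1.2.840.113556.1.4.1941'; // LDAP_MATCHING_RULE_IN_CHAIN

/**
 * Authorization check for one group: does $userDn belong to $groupDn, directly or nested?
 * Uses the filter form from the bug report on the user object itself (base scope), so the
 * server recurses and returns either one entry or none. No group enumeration needed.
 */
function isNestedMember($ldap, string $userDn, string $groupDn): bool
{
    $filter = sprintf('(memberOf:%s:=%s)',
        AD_MATCHING_RULE_IN_CHAIN, ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER));
    $result = ldap_read($ldap, $userDn, $filter, ['1.1']); // '1.1' = return no attributes
    if ($result === false) {
        throw new RuntimeException('LDAP read failed: ' . ldap_error($ldap));
    }
    return ldap_count_entries($ldap, $result) === 1;
}

/**
 * Full resolution: CNs of every group containing $userDn (directly or nested), paged so that
 * memberships past the server's size limit are not silently dropped. CNs keep their case.
 */
function nestedGroupsOf($ldap, string $userDn, string $groupBase, int $pageSize = 500): array
{
    // Escape the DN as a filter value so characters like '(' or '*' cannot alter the filter.
    $filter = sprintf('(&(objectClass=group)(member:%s:=%s))',
        AD_MATCHING_RULE_IN_CHAIN, ldap_escape($userDn, '', LDAP_ESCAPE_FILTER));

    $groups = [];
    $cookie = '';
    do {
        $result = ldap_search($ldap, $groupBase, $filter, ['cn'], 0, -1, -1, LDAP_DEREF_NEVER, [
            ['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => true,
             'value' => ['size' => $pageSize, 'cookie' => $cookie]],
        ]);
        if ($result === false) {
            throw new RuntimeException('LDAP search failed: ' . ldap_error($ldap));
        }
        foreach (ldap_get_entries($ldap, $result) as $i => $entry) {
            if (is_int($i) && isset($entry['cn'][0])) {
                $groups[] = $entry['cn'][0]; // as stored in the directory, not lowercased
            }
        }
        // The server hands back a non-empty cookie while further pages remain.
        ldap_parse_result($ldap, $result, $errcode, $matchedDn, $errMsg, $referrals, $controls);
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');

    return $groups;
}

// --- usage (placeholders throughout) ---
$debug = true;
if ($debug) {
    // libldap client-side tracing; makes certificate/TLS problems visible instead of
    // surfacing only as a generic "bind failed". Must be set before ldap_connect().
    ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
}
// Pin the CA that signed the domain controller's certificate and refuse unverified peers.
ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, '/etc/ssl/certs/ad-ca.pem'); // placeholder
ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

$ldap = ldap_connect('ldaps://dc.example.com'); // placeholder host
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); // AD returns referrals that would otherwise stall the search

if (!@ldap_bind($ldap, 'CN=svc-wiki,OU=Service,DC=example,DC=com', getenv('LDAP_BIND_PW'))) {
    // LDAP_OPT_DIAGNOSTIC_MESSAGE carries AD's extended error text (e.g. data 52e / 775).
    ldap_get_option($ldap, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    fwrite(STDERR, 'bind failed: ' . ldap_error($ldap) . ' / ' . $diag . PHP_EOL);
    exit(1);
}

$userDn = 'CN=jdoe,OU=Users,DC=example,DC=com'; // placeholder
if (isNestedMember($ldap, $userDn, 'CN=WikiEditors,OU=Groups,DC=example,DC=com')) {
    echo "authorized via (nested) WikiEditors membership\n";
}
foreach (nestedGroupsOf($ldap, $userDn, 'OU=Groups,DC=example,DC=com') as $cn) {
    echo $cn, "\n";
}
ldap_unbind($ldap);
```

`isNestedMember()` is the cheap path for point 3: a base-scope read on the user with the report's `memberOf:1.2.840.113556.1.4.1941:=` filter answers one authorization question without walking the group tree. `nestedGroupsOf()` is the full enumeration and is where paging matters; without the paged-results control a directory that caps results (AD's default MaxPageSize is 1000) returns only the first page and the caller never learns the rest exist.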