Reputation: 391
OpenLDAP search filter to get groups of a user in Ping Federate
I am able to get group of a user to which the user belong to. I can get this only if the user is assigned to one group. I am using the following search filter to get groups:
&(objectClass=groupOfNames)(member=cn=${username},ou=Users,dc=example,dc=com)
This filter works perfectly in openLDAP ldapsearch. But in Ping federate, it gives me null when I try to get more than 1 group for a user.
Please let me know if there is any other approach to achieve.
Thanks, Aswini J
Upvotes: 1
Views: 1142
Answers (1)
Reputation: 4255
Unfortunately this not possible using OpenLDAP because your filter is returning more than 1 object (multiple groups each with a unique DN). If you look at your OpenLDAP logs, it is most likely returning a "sizelimit exceed" message to PingFederate because PF is explicitly instructing the LDAP server to only return 1 object. This is a common issue when using PingFederate with Directories other than Active Directory and returning lists of groups. You can see more info here on this type of error -
https://ping.force.com/Support/PingIdentityArticle?id=kA340000000GsD6CAK
If OpenLDAP has the ability to manage Groups and Group Memberships in a similar fashion to AD, you should be able to return a list of Groups to PingFederate as you are trying to do.
Upvotes: 2
Related Questions
- How to search for users of a group in ldapsearch?
- Nested Group LDAP Search Filter
- LDAP - search filter with multiple groups
- LDAP filter syntax not working using when using groups search filter
- LDAP search filter for selecting the groups with a particular member
- LDAP and group filter
- ldap search filter query to extract user group information
- ldapsearch filter memberOf group returning no results
- OpenLDAP Dynamic Groups not searching by member
- LDAP filter - retrieve all users in a given group