[32812] Enable LDAP group synchronization through attributes of the group #23317
Merged
cbliard merged 5 commits (May 26, 2026)
https://community.openproject.org/wp/32812 OpenProject previously only supported reverse member lookup: finding group members by searching for users with a (memberOf=<group_dn>) filter. This requires the memberOf attribute to be maintained on user entries, which is not available on all LDAP servers (e.g. servers using groupOfUniqueNames without a memberof overlay). This change adds an optional "Group member attribute" field on synchronized LDAP filters. When set, OpenProject switches to forward lookup: it reads the list of member DNs directly from the group entry using the configured attribute (e.g. uniqueMember, member), then resolves each DN individually to retrieve user attributes. When left empty, the existing memberOf reverse lookup is used unchanged, ensuring full backward compatibility. This resolves the inability to synchronize groups on LDAP servers that store membership on group entries rather than on user entries, such as directories using the groupOfUniqueNames object class (RFC 2256).
https://community.openproject.org/wp/32812 Adds log messages at each step of the forward lookup to make it easier to diagnose synchronization issues:
- Which lookup mode is used (forward/reverse) and for which group
- How many member DNs were found on the group entry
- Each member DN being resolved individually
- When a member DN cannot be resolved (not found or permission issue)
- Which login attribute is missing and what attributes are available on the entry, to help identify misconfigured attr_login
- Final count of successfully resolved users per group
- Remove the memberOf-only restriction from docs, UI help text, and FAQ; both reverse lookup (memberOf) and forward lookup (Group member attribute) are now supported
- Document the new "Group member attribute" filter field, including when to use forward vs reverse lookup
- Clarify that forward lookup is only available via synchronized filters, not manually-created synchronized groups
- Rename "Synchronize" button to "Discover LDAP groups" to make clear it only runs group discovery (phase 1), not member synchronization
- Document that the Discover LDAP groups button does not sync members; point to the rake task for a full manual sync
- Expand troubleshooting: login attribute mismatch, missing/empty required attributes
- Replace packaged-installation-specific rake command with installation-agnostic form; link to console setup docs
- Clarify Enterprise cloud availability and recommend SAML/SCIM as more secure alternatives when LDAP exposure to the internet is undesirable
- Fix grammar, double spaces, and stale phrasing throughout
7ad85b0 to
4352424
This is a legitimate use of binding.irb to leave the dev LDAP server open.
The 2 failing specs,
Ticket
https://community.openproject.org/wp/32812
What are you trying to accomplish?
LDAP servers following the RFC 2256 standard (e.g. using groupOfUniqueNames with uniqueMember) store group membership on the group entry rather than on user entries, and therefore do not expose a memberOf attribute on users. OpenProject previously only supported reverse lookup via memberOf, making these servers unable to synchronize group members.

This adds configurable forward lookup support: when a Group member attribute is set on a synchronized filter (e.g. uniqueMember, member), OpenProject reads the member DNs from the group entry itself and resolves each one individually, instead of searching for users by memberOf.

Screenshots
What approach did you choose and why?
Added a nullable member_lookup_attribute string column to ldap_groups_synchronized_filters. When blank (default), the existing reverse lookup (memberOf) is used unchanged. When set, the sync service switches to forward lookup: it fetches member DNs from the group entry using the configured attribute, then resolves each DN with a scope=base LDAP search.

This keeps the change fully backward-compatible — existing setups are unaffected — and gives administrators explicit control over the lookup strategy, which is more reliable than attempting to auto-detect the LDAP schema.
Tradeoff: Forward lookup requires one LDAP search per member DN (vs. a single search for reverse lookup). This is acceptable given that synchronization runs hourly as a background job.
Note: Forward lookup is only available for groups discovered through a synchronized filter. Manually-created synchronized groups continue to use reverse lookup.
Merge checklist
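The two lookup strategies described above (reverse lookup via a (memberOf=<group_dn>) filter versus forward lookup reading member DNs from the group entry and resolving each with a scope=base search), together with the per-step diagnostic logging from the second commit, as an added Ruby example. This is not OpenProject's code: it uses a constructed in-memory directory (a groupOfUniqueNames group with no memberOf overlay, one dangling member DN, and one entry lacking the login attribute) and a hypothetical FakeLdap stand-in for Net::LDAP#search, so it runs offline. The class name GroupMemberLookup, the DNs and the log wording are assumptions.

```ruby
require "logger"

# Constructed in-memory directory standing in for an LDAP server that uses
# groupOfUniqueNames and has NO memberOf overlay (user entries carry no
# memberOf attribute). Attribute names are downcased symbols, mirroring how
# Net::LDAP::Entry exposes them. None of this is OpenProject's code.
DIRECTORY = {
  "uid=alice,ou=people,dc=example,dc=org" => { objectclass: ["inetOrgPerson"], uid: ["alice"], mail: ["alice@example.org"] },
  "uid=bob,ou=people,dc=example,dc=org" => { objectclass: ["inetOrgPerson"], uid: ["bob"], mail: ["bob@example.org"] },
  # carol's entry has no uid, so a login attribute of "uid" cannot be read from it
  "cn=carol,ou=people,dc=example,dc=org" => { objectclass: ["inetOrgPerson"], cn: ["carol"], mail: ["carol@example.org"] },
  "cn=devs,ou=groups,dc=example,dc=org" => {
    objectclass: ["groupOfUniqueNames"],
    cn: ["devs"],
    uniquemember: [
      "uid=alice,ou=people,dc=example,dc=org",
      "uid=bob,ou=people,dc=example,dc=org",
      "cn=carol,ou=people,dc=example,dc=org",
      "uid=dave,ou=people,dc=example,dc=org" # dangling member DN: no such entry
    ]
  }
}.freeze

# Hypothetical minimal stand-in for Net::LDAP#search: supports scope :base
# (the single entry at the base DN) and :subtree with one equality filter
# of the form "(attr=value)". Returns [[dn, entry], ...].
class FakeLdap
  def initialize(entries)
    @entries = entries
  end

  def search(base:, scope: :subtree, filter: nil)
    if scope == :base
      entry = @entries[base]
      return entry ? [[base, entry]] : []
    end
    attr, value = filter.match(/\A\((\w+)=(.*)\)\z/).captures
    @entries.select do |dn, e|
      dn.end_with?(base) && Array(e[attr.downcase.to_sym]).include?(value)
    end.to_a
  end
end

# Hypothetical sync service showing both strategies from the PR description.
class GroupMemberLookup
  def initialize(ldap, attr_login: "uid", logger: Logger.new($stdout))
    @ldap = ldap
    @attr_login = attr_login.downcase.to_sym
    @log = logger
  end

  # Entry point: a blank member_lookup_attribute keeps the legacy reverse lookup.
  def member_logins(group_dn, member_lookup_attribute)
    if member_lookup_attribute.to_s.strip.empty?
      @log.info("Using reverse (memberOf) lookup for #{group_dn}")
      reverse_lookup(group_dn)
    else
      @log.info("Using forward (#{member_lookup_attribute}) lookup for #{group_dn}")
      forward_lookup(group_dn, member_lookup_attribute)
    end
  end

  # Reverse lookup: one subtree search for users whose memberOf names the group.
  # On a server without the memberOf overlay this silently finds nobody.
  def reverse_lookup(group_dn)
    @ldap.search(base: "dc=example,dc=org", scope: :subtree, filter: "(memberOf=#{group_dn})")
         .filter_map { |dn, entry| login_for(dn, entry) }
  end

  # Forward lookup: read member DNs from the group entry, then one scope=base
  # search per DN. Unresolvable DNs are logged and skipped rather than fatal.
  def forward_lookup(group_dn, member_attr)
    _, group = @ldap.search(base: group_dn, scope: :base).first
    return [] unless group

    member_dns = Array(group[member_attr.downcase.to_sym])
    @log.info("Found #{member_dns.size} member DNs on #{group_dn}")
    logins = member_dns.filter_map do |dn|
      @log.debug("Resolving member DN #{dn}")
      _, entry = @ldap.search(base: dn, scope: :base).first
      if entry.nil?
        @log.warn("Member DN #{dn} could not be resolved (not found or no read permission)")
        next nil
      end
      login_for(dn, entry)
    end
    @log.info("Resolved #{logins.size} of #{member_dns.size} members for #{group_dn}")
    logins
  end

  private

  # Extracts the login; logs which attribute is missing and what is available,
  # which is the quickest way to spot a misconfigured attr_login.
  def login_for(dn, entry)
    login = Array(entry[@attr_login]).first
    return login if login

    @log.warn("Entry #{dn} has no #{@attr_login} attribute; available: #{entry.keys.join(', ')}")
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  sync = GroupMemberLookup.new(FakeLdap.new(DIRECTORY))
  group = "cn=devs,ou=groups,dc=example,dc=org"
  p sync.member_logins(group, nil)            # reverse lookup finds nobody on this server
  p sync.member_logins(group, "uniqueMember") # forward lookup resolves alice and bob
end
```

Running it shows the failure mode the PR fixes: against this directory the reverse lookup returns an empty member list with no error, while the forward lookup returns the two resolvable logins and leaves a warning for the dangling DN and for the entry whose login attribute is missing. The per-DN scope=base search is also where the cost noted in the tradeoff above comes from: four searches here versus one for the reverse path.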