mirror of
https://github.com/opf/openproject.git
synced 2026-06-14 03:30:14 +00:00
Christophe Bliard
f007a56433
https://community.openproject.org/wp/32812 OpenProject previously only supported reverse member lookup: finding group members by searching for users with a (memberOf=<group_dn>) filter. This requires the memberOf attribute to be maintained on user entries, which is not available on all LDAP servers (e.g. servers using groupOfUniqueNames without a memberof overlay). This change adds an optional "Group member attribute" field on synchronized LDAP filters. When set, OpenProject switches to forward lookup: it reads the list of member DNs directly from the group entry using the configured attribute (e.g. uniqueMember, member), then resolves each DN individually to retrieve user attributes. When left empty, the existing memberOf reverse lookup is used unchanged, ensuring full backward compatibility. This resolves the inability to synchronize groups on LDAP servers that store membership on group entries rather than on user entries, such as directories using the groupOfUniqueNames object class (RFC 2256).