Import Roles from LDAP: Does it allow for nested groups?

Hi, I have imported a role from my LDAP server to use within Denodo. However, the LDAP group I imported has another group in it. Does Denodo allow for nested LDAP groups to be used within Denodo? Or do I have to also import the sub-group, too? Thank you~!
user
13-11-2015 11:38:46 -0500

4 Answers

Hi! To import a role from an LDAP server you have to specify two parameters among others: the role base and the role search pattern.

- The role base defines the node of the LDAP hierarchy that is used as scope for the search, limiting the nodes that will be searched. You can add more than one role base.
- The role search pattern will be used to generate the queries to the LDAP server. This query will be sent to the LDAP server and the groups returned by the query will be the ones imported as roles into VDP.

So, you could define a role search pattern that not only returns the "top level" groups but also the sub-groups. After that you do need to also import the sub-groups as roles and assign the privileges to those roles. Hope this helps!
Denodo Team
27-11-2015 08:10:04 -0500
Okay, so it seems that when I import a single LDAP group, it does not automatically include the nested sub-groups and thus I have to import those as well. Thank you.
user
27-11-2015 11:07:23 -0500
Hi, has there been any change since the statement from 2015? Are the nested groups still not considered and need to be imported additionally? Is there any enhancement request to change this to resolve members of nested groups automatically without importing them? Thank you.
user
20-06-2022 06:02:41 -0400
Hello, Denodo can work with hierarchical elements in LDAP, as described [here](https://community.denodo.com/kb/en/view/document/How%20to%20configure%20a%20VDP%20database%20with%20LDAP%20authentication#h.2yola0tgf3vh), whereby if the user is part of a group which in turn is part of another parent group, it can retrieve all the user parent groups (this comes with a caveat that the underlying AD supports LDAP_MATCHING_RULE_IN_CHAIN). But the recursive retrieval of all nested user groups, i.e. if the user is part of any group which has subsequent child groups, is not available. If you have a valid support user, then you can create a request in the Denodo support portal for this enhancement. Hope this helps.
Denodo Team
22-06-2022 08:44:02 -0400
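The parent-group resolution mentioned in the last answer, as an added example that is not part of the original thread and not Denodo's own code: it builds the general Active Directory filter form for LDAP_MATCHING_RULE_IN_CHAIN with the DN escaped, and emulates the upward walk offline. The DNs, the directory contents and the helper names are assumptions made for illustration.

```python
# Added example; DNs and directory contents are constructed, helper names are hypothetical.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # Active Directory matching-rule OID

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_group_filter(user_dn):
    """AD filter matching every group that holds user_dn directly or via nesting."""
    return "(&(objectClass=group)(member:%s:=%s))" % (
        LDAP_MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))

def parent_groups(member_dn, directory):
    """Emulate the in-chain lookup offline: walk upward from member_dn."""
    found, frontier = set(), [member_dn]
    while frontier:
        current = frontier.pop()
        for group, members in directory.items():
            if current in members and group not in found:  # 'found' also stops cycles
                found.add(group)
                frontier.append(group)
    return found

JDOE = "cn=jdoe,ou=users,dc=example,dc=com"
ANALYSTS = "cn=analysts,ou=groups,dc=example,dc=com"        # parent group
EU_ANALYSTS = "cn=eu-analysts,ou=groups,dc=example,dc=com"  # jdoe's direct group
EU_INTERNS = "cn=eu-interns,ou=groups,dc=example,dc=com"    # child group of EU_ANALYSTS

DIRECTORY = {  # group DN -> direct members (constructed)
    ANALYSTS: [EU_ANALYSTS],
    EU_ANALYSTS: [JDOE, EU_INTERNS],
    EU_INTERNS: ["cn=asmith,ou=users,dc=example,dc=com"],
}

if __name__ == "__main__":
    print(in_chain_group_filter(JDOE))
    resolved = parent_groups(JDOE, DIRECTORY)
    for group in (ANALYSTS, EU_ANALYSTS, EU_INTERNS):
        print(group, "->", "resolved for jdoe" if group in resolved else "not resolved")
```

The upward walk returns `analysts` and `eu-analysts` for jdoe but not the child group `eu-interns`, which is the distinction the last answer draws.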