@krejcar25
Contributor

@krejcar25 krejcar25 commented Dec 26, 2025

Details

Release 2025.12 brought many-to-many group inheritance. This PR builds on that, and adds true nested group synchronisation from LDAP. LDAPSource model fields were renamed to reflect this, and membership sync now runs through both user and group objects in LDAP and reflects the directory inheritance structure in Authentik.

If accepted, this PR resolves #9460.


Checklist

  • Local tests pass (ak test authentik/)
  • The code has been formatted (make lint-fix)

If an API change has been made

  • The API schema has been updated (make gen-build)

If changes to the frontend have been made

  • The code has been formatted (make web)

If applicable

  • The documentation has been updated
  • The documentation has been formatted (make docs)

To review / suggest

  • breaking change note about renaming model fields, as users' expression policies could depend on this and break when merged, namely:
    • group_membership_field --> membership_field
    • user_membership_attribute --> membership_reference
    • sync_parent_group --> additional_parent_group
    • lookup_groups_from_user --> lookup_groups_from_member
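
A minimal sketch of the traversal the description implies, added here as an example; it is not code from this PR or from authentik. The entry layout, the `kind` field and the function names are assumptions. It separates member references into user and group links, then computes the groups a user ends up in through inheritance, which is the set to review when a nested group grants privileges.

```python
# Constructed sample entries (not from the PR). "member" may name users or groups.
BASE = "dc=example,dc=org"
ENTRIES = [
    {"dn": f"cn=alice,ou=users,{BASE}", "kind": "user"},
    {"dn": f"cn=bob,ou=users,{BASE}", "kind": "user"},
    {"dn": f"cn=db-admins,ou=groups,{BASE}", "kind": "group",
     "member": [f"CN=Alice,OU=Users,{BASE}"]},
    {"dn": f"cn=admins,ou=groups,{BASE}", "kind": "group",
     "member": [f"cn=db-admins,ou=groups,{BASE}", f"cn=bob,ou=users,{BASE}",
                f"cn=staff,ou=groups,{BASE}"]},
    # staff contains admins and admins contains staff: circular nesting.
    {"dn": f"cn=staff,ou=groups,{BASE}", "kind": "group",
     "member": [f"cn=admins,ou=groups,{BASE}", f"cn=ghost,ou=users,{BASE}"]},
]


def norm(dn):
    """Case-insensitive DN key; a simplification of real DN matching."""
    return dn.casefold()


def build_links(entries):
    """Split each group's member references into user->group and group->parent links."""
    kinds = {norm(e["dn"]): e["kind"] for e in entries}
    user_groups, group_parents, unresolved = {}, {}, []
    for entry in entries:
        if entry["kind"] != "group":
            continue
        parent = norm(entry["dn"])
        for ref in entry.get("member", []):
            child = norm(ref)
            if kinds.get(child) == "user":
                user_groups.setdefault(child, set()).add(parent)
            elif kinds.get(child) == "group":
                group_parents.setdefault(child, set()).add(parent)
            else:
                unresolved.append(ref)  # outside the synced scope: never guess
    return user_groups, group_parents, unresolved


def effective_groups(user_dn, user_groups, group_parents):
    """Direct groups plus every inherited parent; `seen` stops cycles."""
    seen, stack = set(), list(user_groups.get(norm(user_dn), ()))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(group_parents.get(group, ()))
    return seen
```
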

@krejcar25 krejcar25 requested review from a team as code owners December 26, 2025 23:31
@krejcar25 krejcar25 marked this pull request as draft December 26, 2025 23:32
@krejcar25 krejcar25 changed the title from "WIP: sources/ldap: implement nested group parentship sync" to "sources/ldap: implement nested group parentship sync" Dec 26, 2025
@netlify

netlify bot commented Dec 26, 2025

Deploy Preview for authentik-storybook ready!

Name Link
🔨 Latest commit 8fe972b
🔍 Latest deploy log https://app.netlify.com/projects/authentik-storybook/deploys/69613d9f8327660008cb6154
😎 Deploy Preview https://deploy-preview-19069--authentik-storybook.netlify.app

@netlify

netlify bot commented Dec 26, 2025

Deploy Preview for authentik-docs ready!

Name Link
🔨 Latest commit 8fe972b
🔍 Latest deploy log https://app.netlify.com/projects/authentik-docs/deploys/69613d9f6e254c00082f3bc1
😎 Deploy Preview https://deploy-preview-19069--authentik-docs.netlify.app

@codecov

codecov bot commented Dec 26, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.11%. Comparing base (caa4826) to head (8fe972b).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #19069      +/-   ##
==========================================
- Coverage   93.12%   93.11%   -0.02%     
==========================================
  Files         949      949              
  Lines       52419    52470      +51     
==========================================
+ Hits        48813    48855      +42     
- Misses       3606     3615       +9     
Flag Coverage Δ
conformance 38.74% <6.84%> (-0.04%) ⬇️
e2e 43.62% <17.80%> (+0.23%) ⬆️
integration 23.35% <6.84%> (-0.08%) ⬇️
unit 91.59% <100.00%> (+0.02%) ⬆️
unit-migrate 91.64% <100.00%> (+0.02%) ⬆️


@netlify

netlify bot commented Dec 27, 2025

Deploy Preview for authentik-integrations ready!

Name Link
🔨 Latest commit 8fe972b
🔍 Latest deploy log https://app.netlify.com/projects/authentik-integrations/deploys/69613d9f590b6400086feb23
😎 Deploy Preview https://deploy-preview-19069--authentik-integrations.netlify.app

@krejcar25 krejcar25 marked this pull request as ready for review December 27, 2025 18:01
@krejcar25 krejcar25 requested a review from a team as a code owner December 27, 2025 18:01
@dominic-r dominic-r added area:frontend Features or issues related to the browser, TypeScript, Node.js, etc area:backend labels Dec 30, 2025
@rissson
Member

rissson commented Jan 5, 2026

Before we do any of that, I want us to actually use the UserLDAPSourceConnection and GroupLDAPSourceConnection objects to find existing objects in authentik, instead of relying on attributes on those objects.

Also, cc. @gergosimonyi

@krejcar25
Contributor Author

> I want us to actually use the UserLDAPSourceConnection and GroupLDAPSourceConnection objects

Do you want me to change how I handle it then @risson? I read the definitions in main so far and it seems pretty straight-forward to me.

Unless someone is working on it already (iykyk @dominic-r), I might be able to update the entire sync process, in a separate MR.

@rissson
Member

rissson commented Jan 7, 2026

> Do you want me to change how I handle it then @rissson? I read the definitions in main so far and it seems pretty straight-forward to me.

I think it makes sense to do that part in a separate PR first, and then build on top of that for this PR.

> Unless someone is working on it already (iykyk @dominic-r), I might be able to update the entire sync process, in a separate MR.

I don't think anyone is currently working on this specific part.

@krejcar25 krejcar25 force-pushed the sync-group-parents-from-ldap branch from f648505 to 8fe972b Compare January 9, 2026 17:40
@krejcar25 krejcar25 marked this pull request as draft January 9, 2026 17:41

Labels

area:backend area:frontend Features or issues related to the browser, TypeScript, Node.js, etc

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

Sync groups as members of other groups from LDAP source (Active Directory) / Nested Groups sync.

3 participants