Mapping Active Directory User to Active Directory Group is not working

[Maik-Bakowski]

Hello Community,

we are...or we want to use the DEX Connector to validate Active Directory User on a LINUX System. We have internal (local) Security Groups on the LINUX System (like for example a local admin group) <-- it is only possible, to add AD-Groups to this local LINUX Groups.

So to demonstrate the example:

local admin group on the LINUX system <-- Member AD Group LINUX_Admins
User is Member of the AD Group LINUX_Admins

The Login is working, but there is no mapping to the respective AD User group and the user do not get the respective rights at the LINUX System.

The logs from DEX are as followed:

time="2024-01-11T09:37:45Z" level=info msg="login successful: connector "my_ldap", username="", preferred_username="", email="**@.com", groups=[]"

Config File DEX Connector:

userSearch:
  baseDN: ou=*******,dc=*********,dc=*******,dc=****
  filter: "(&(objectClass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
  username: sAMAccountName
  idAttr: DN
  emailAttr: mail # userPrincipalName
  nameAttr: cn
  preferredUsernameAttr: sAMAccountName
  preferredUsernameAttr: name

groupSearch:
baseDN: ou=**********,dc=,dc=,dc=***
filter: "(&(objectClass=group))"
userMatchers:

• userAttr: DN
  groupAttr: member
  nameAttr: cn

We have installed ldapsearch and there are all groups and users available with a query and the groups contain also all members

Only the connector is not mapping the respective groups. Did we have some misconfiguration in the config file? For me it looks like the mapping between group and member did not working.

Regards
Maik

[Maik-Bakowski]

No ideas?

[Maik-Bakowski]

No one is using the Connector to map User or Groups? Or have ideas what we make wrong? :)

[Maik-Bakowski]

Hm, ok, if nobody has any ideas, another question....

Are there log files or the possibility to extend the logging so that I can see the answers to the LDAP requests of the connector?

With ldapsearch I can see the users and also the groups with the corresponding users on the server. I would like to see what the connector gets back with its request.

Is it possible to set the logging to debug so that I can see the complete communication during authentication in the log?

[Maik-Bakowski]

Doesn't make sense to me that nobody here has an idea...but I'll persevere :)

[FLAK-ZOSO]

Did you eventually manage to fix it? I found only this in the documentation.

      # Following list contains field pairs that are used to match a user to a group. It adds an additional
      # requirement to the filter that an attribute in the group must match the user's
      # attribute value.
      userMatchers:
      - userAttr: uid
        groupAttr: member

[Maik-Bakowski]

Huhu, No, sorry, we gave up back then and used Keycloack as a quick fix, but we have now permanently switched to RCDEVs. Perhaps the configuration would work, but we simply didn't have the time to look into it more closely at the time. Regards Maik From: Mattia Marchese ***@***.***> Sent: Tuesday, 2 September 2025 16:22 To: dexidp/dex ***@***.***> Cc: Maik Bakowski ***@***.***>; Author ***@***.***> Subject: Re: [dexidp/dex] Mapping Active Directory User to Active Directory Group is not working (Discussion #3281) Caution - This Email is from an external Source. Be careful with Links, Attachments or sensitive Data. Did you eventually manage to fix it? I found only this in the documentation<https://ddec1-0-en-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=https%3a%2f%2fdexidp.io%2fdocs%2fconnectors%2fldap%2f&umid=17ce6039-2c1c-41cc-92c6-75c03057eb3a&rct=1756822939&auth=1802852971a6a2b32f2c6ef9450eca74a3c5d6ba-a6c9a30dd5d8bd6b8c602ac0b99a277cc52637e2>. # Following list contains field pairs that are used to match a user to a group. It adds an additional # requirement to the filter that an attribute in the group must match the user's # attribute value. userMatchers: - userAttr: uid groupAttr: member — Reply to this email directly, view it on GitHub<#3281 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BFNLCZB2P6EJKGGF3DXK2L33QWRZVAVCNFSM6AAAAACFNO2ZB6VHI2DSMVQWIX3LMV43URDJONRXK43TNFXW4Q3PNVWWK3TUHMYTIMRYGYZTMOA>. You are receiving this because you authored the thread.Message ID: ***@***.******@***.***>>