The groupfinder() routine looks for groups which have the user's DN as a direct member. If authorization is granted by adding an entire group to the target group, members of that nested group are not authorized.
This can be solved by doing a recursive lookup that returns all group DNs for a user, including the groups that satisfy the group query for each group found.
Cyclic group membership can happen in real life and should be detected and avoided, otherwise the recursive lookup never terminates.
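The recursive lookup with cycle detection described above, as an added example that is not the project's groupfinder() code. An in-memory dict stands in for the LDAP directory (an assumption; real code would run a `(member=<dn>)` style search per step), and the visited set both deduplicates results and breaks cycles.

```python
from collections import deque

# Constructed sample directory: group DN -> set of member DNs.
# The oncall -> admins edge creates a cycle: admins contains ops,
# ops contains oncall, and oncall contains admins again.
DIRECTORY = {
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn=ops,ou=groups,dc=example,dc=com",
        "uid=alice,ou=people,dc=example,dc=com",
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "cn=oncall,ou=groups,dc=example,dc=com",
    },
    "cn=oncall,ou=groups,dc=example,dc=com": {
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=admins,ou=groups,dc=example,dc=com",
    },
}


def direct_groups(dn, directory=DIRECTORY):
    """The flat lookup: groups that list `dn` directly as a member.
    Stands in for one LDAP search of the form (member=<dn>)."""
    return {group for group, members in directory.items() if dn in members}


def all_groups(user_dn, directory=DIRECTORY):
    """Transitive lookup: every group the user belongs to, directly or
    through nested groups. Breadth-first over 'is a member of' edges;
    `seen` stops a cyclic membership chain from looping forever."""
    seen = set()
    queue = deque(direct_groups(user_dn, directory))
    while queue:
        group = queue.popleft()
        if group in seen:          # already expanded: cycle or diamond
            continue
        seen.add(group)
        queue.extend(direct_groups(group, directory) - seen)
    return seen


if __name__ == "__main__":
    bob = "uid=bob,ou=people,dc=example,dc=com"
    print("direct:", sorted(direct_groups(bob)))
    print("all:   ", sorted(all_groups(bob)))
```

With the flat lookup bob is only in oncall; the transitive lookup also grants ops and admins, and terminates despite the admins/ops/oncall cycle.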