Configuring the LDAPSearchValve
In this example we will have the following AD structure: two groups, “group1” and “group2”, where group2 is a member of group1. The user Stev is a member of group2, and we want to limit login to users who belong to group1. The normal way of doing this without nested groups would be the following LDAP filter:
(&(samAccountName=)(memberof=cn=group1,CN=users,DC=bestdomain,DC=ever))
But the problem is that this filter only looks at direct members of group1, and Stev is not a direct member, so the login will fail. In order to search recursively through nested groups we need the following LDAP filter:
(&(samAccountName=)(memberof:1.2.840.113556.1.4.1941:=cn=group1,CN=users,DC=bestdomain,DC=ever))
Where 1.2.840.113556.1.4.1941 is the OID of the matching rule LDAP_MATCHING_RULE_IN_CHAIN (also called LDAP_MATCHING_RULE_TRANSITIVE_EVAL), which makes the server evaluate group membership through the whole chain of nested groups.
Another scenario could be that you want to limit login to two groups that are members of another group, while a third group in that same parent group should not get access. For example, Stev is a member of group1, Bob is a member of group2, badguy is a member of group3, and group1, group2 and group3 are all members of group4. We don’t want group3 to gain access. Here we cannot search on group4, since it contains a group we don’t want to allow access. Here is how you solve that:
(&(sAMAccountName=)(|(memberOf=CN=group1,CN=users,DC=bestdomain,DC=ever)(memberOf=CN=group2,CN=users,DC=bestdomain,DC=ever)))
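As an added example (not part of the original article or of the LDAPSearchValve product), the script below builds the three filters discussed above and uses a small constructed in-memory model of the two AD layouts to show why the plain memberOf filter misses Stev while the LDAP_MATCHING_RULE_IN_CHAIN filter finds him, and why a nested check on group4 would also let badguy in. The article leaves the sAMAccountName value empty (the valve fills in the login name at runtime); the helper functions here take the user name as a parameter and escape it per RFC 4515, since that value comes from the login form. Group and user names are the article's; the function names are my own.

```python
from collections import deque

BASE_DN = "CN=users,DC=bestdomain,DC=ever"
# OID of LDAP_MATCHING_RULE_IN_CHAIN (a.k.a. LDAP_MATCHING_RULE_TRANSITIVE_EVAL)
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The user name in (sAMAccountName=...) comes from the login form, so it
    must be escaped or a crafted name could change the filter's structure.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def group_dn(name: str) -> str:
    return f"CN={name},{BASE_DN}"


def direct_member_filter(user: str, group: str) -> str:
    """Matches only users listed directly in the group's member attribute."""
    return f"(&(sAMAccountName={escape_filter_value(user)})(memberOf={group_dn(group)}))"


def nested_member_filter(user: str, group: str) -> str:
    """Extensible match with IN_CHAIN: membership is evaluated through nested groups."""
    return (f"(&(sAMAccountName={escape_filter_value(user)})"
            f"(memberOf:{IN_CHAIN_OID}:={group_dn(group)}))")


def any_group_filter(user: str, groups) -> str:
    """OR of direct memberships, as in the article's second scenario."""
    clauses = "".join(f"(memberOf={group_dn(g)})" for g in groups)
    return f"(&(sAMAccountName={escape_filter_value(user)})(|{clauses}))"


# Constructed in-memory model of the two AD layouts (sample data, not real).
# Each mapping records DIRECT memberOf links only, which is how AD stores them.
SCENARIO_ONE = {"Stev": {"group2"}, "group2": {"group1"}}
SCENARIO_TWO = {
    "Stev": {"group1"}, "Bob": {"group2"}, "badguy": {"group3"},
    "group1": {"group4"}, "group2": {"group4"}, "group3": {"group4"},
}


def direct_groups(subject: str, links) -> set:
    """What a plain (memberOf=...) clause sees: the direct links only."""
    return set(links.get(subject, ()))


def transitive_groups(subject: str, links) -> set:
    """All groups reachable by following memberOf links, like IN_CHAIN does."""
    seen, queue = set(), deque(links.get(subject, ()))
    while queue:
        group = queue.popleft()
        if group not in seen:
            seen.add(group)
            queue.extend(links.get(group, ()))
    return seen


def scenario_one_results() -> dict:
    """Stev is in group2, which is in group1: only the nested filter admits him."""
    return {
        "direct_filter_admits_stev": "group1" in direct_groups("Stev", SCENARIO_ONE),
        "nested_filter_admits_stev": "group1" in transitive_groups("Stev", SCENARIO_ONE),
    }


def scenario_two_results() -> dict:
    """group1/2/3 all sit in group4, so a nested check on group4 admits badguy too;
    the OR of direct memberships in group1 and group2 is what excludes group3."""
    allowed = {"group1", "group2"}
    return {
        user: {
            "or_filter": bool(direct_groups(user, SCENARIO_TWO) & allowed),
            "nested_group4": "group4" in transitive_groups(user, SCENARIO_TWO),
        }
        for user in ("Stev", "Bob", "badguy")
    }


if __name__ == "__main__":
    print(nested_member_filter("Stev", "group1"))
    print(any_group_filter("Bob", ["group1", "group2"]))
    print(scenario_one_results())
    print(scenario_two_results())
```

Running the script prints the filters exactly as they would be sent to the domain controller, followed by the membership results of the simulated directory; the "nested_group4" column of the second scenario is the reason the article's second filter enumerates group1 and group2 explicitly instead of using the chain rule on group4.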