ctxis / crackerjack

CrackerJack / Hashcat Web Interface / Context Information Security
https://www.contextis.com/en/resources/tools/crackerjack
MIT License

LDAP: Add filter based on memberOf #31

Open tigre-bleu opened 1 year ago

tigre-bleu commented 1 year ago

LDAP authentication is great. In our use case, it would be useful to have a filter based on the AD groups the user is a member of. Only members of the "Crackerjack" security group in AD should be able to log in.

In the same way, another group could be used to configure if the user shall be admin or not in Crackerjack.

sadreck commented 1 year ago

This is a good recommendation, can you try specifying the OU in the settings to be the one for the CrackerJack users?

As for the admin one, it'd also be a good addition, but originally I've kept it separate to avoid being locked out if the LDAP server was down - by forcing the use of local accounts.

tigre-bleu commented 1 year ago

Depending on the layout of the AD, in the same OU some accounts shall be allowed to log in and others not, hence the filter on group membership rather than OU.

Regarding admin accounts, you could still try to authenticate locally and via LDAP, whichever succeeds.
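
Added example, not part of the thread and not CrackerJack's own code: a sketch of the group-based login filter and admin mapping requested above. The group DNs, the `sAMAccountName` login attribute and all function names are assumptions made for illustration.

```python
# Illustrative sketch only; names and DNs below are constructed, not CrackerJack settings.

# Active Directory matching rule that also follows nested group membership.
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

USERS_GROUP = "CN=Crackerjack,OU=Groups,DC=example,DC=com"         # constructed
ADMIN_GROUP = "CN=Crackerjack Admins,OU=Groups,DC=example,DC=com"  # constructed


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515).

    Without this, a login name such as 'a*)(uid=*' rewrites the filter
    and can bypass the group restriction.
    """
    special = '\\*()\x00'
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def login_filter(username, group_dn, nested=False):
    """Build a filter that matches the account only if it is in group_dn."""
    attr = "memberOf:%s:" % AD_IN_CHAIN if nested else "memberOf"
    return "(&(objectClass=user)(sAMAccountName=%s)(%s=%s))" % (
        escape_filter_value(username), attr, escape_filter_value(group_dn))


def is_admin(member_of, admin_group_dn):
    """Derive the admin flag from the memberOf values returned for the user.

    memberOf lists direct groups only; the comparison is a simplified
    case-insensitive string match on the DN.
    """
    wanted = admin_group_dn.strip().casefold()
    return any(dn.strip().casefold() == wanted for dn in member_of)


if __name__ == "__main__":
    print(login_filter("alice", USERS_GROUP))
    print(login_filter("alice", USERS_GROUP, nested=True))
    print(is_admin([USERS_GROUP], ADMIN_GROUP))
```

An empty search result for this filter means the bind should be refused even when the password is correct, which is what separates allowed and disallowed accounts that share an OU.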