Closed jonwitts closed 5 years ago
Problem is that there is more than one way users can be grouped in LDAP. E.g. some organizations like to only group users in containers ("CN=user,OU=Some group,DC=domain,DC=com"), in which case you would not specify a filter, but just provide a more exact baseDN value.
May be a bit of a challenge to add an option in the GUI to handle all that, without scaring away the less technical users.
How about the ability to edit the default filter with a caveat of "make sure you know what you are doing!"?
That way at install more technical users could adjust the filter how they needed and have it automatically copied to all future OS they import etc...
Added a simple box to select group during initial installation.
That's great! I am on leave for a week now but I will test this and issue #72 when I get back from holiday at the end of the month.
Thanks again :-)
This is great - the list of available CNs and groups was a little long to search through but better than having a user enter a non-existent group or CN for those settings!
Thanks again :-D
Hi there,
Still testing the LDAP / Active Directory linking with PiServer and I have a request!
It would be great if there were a way in the setup GUI to add a group that users should be members of if we want them to log in. I can't think of many school setups where all domain users would need to log in to the PiServer network...
I have done some testing on our setup and if you adjust this line in /etc/nslcd.conf:
filter passwd (&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
to this (changing it to your CN for your group you want to check against of course!):
filter passwd (&(objectCategory=person)(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=PiServer Users,OU=Groups,DC=school,DC=domain,DC=com)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
then it will only allow users who are members of the group to log in (both direct and nested members work with this filter). I haven't checked this against the pi client yet due to Issue #72 but should think it will work fine once I can get that part working!
This would be a really nice addition to the setup... :-D
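An added example, not part of the original post or of PiServer's own code: one way to generate the `filter passwd` line above from a selected group DN, escaping the DN per RFC 4515 so that a group name containing parentheses, `*` or `\` cannot alter the filter, and rejecting line breaks that would add an extra directive to nslcd.conf. The function names and the "Year 7" group DN are hypothetical.

```python
from typing import Optional

# Matching-rule OIDs exactly as they appear in the filters quoted in the thread.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # memberof: direct and nested members
BIT_AND = "1.2.840.113556.1.4.803"    # UserAccountControl bit test (2 = disabled)

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def passwd_filter(group_dn: Optional[str] = None) -> str:
    """Return the nslcd.conf 'filter passwd' line, optionally limited to a group."""
    clauses = ["(objectCategory=person)", "(objectClass=user)"]
    if group_dn:
        # A line break in the DN would start a new directive in nslcd.conf.
        if "\n" in group_dn or "\r" in group_dn:
            raise ValueError("group DN must be a single line")
        clauses.append(f"(memberof:{IN_CHAIN}:={escape_filter_value(group_dn)})")
    # Keep the disabled-account exclusion from the default filter.
    clauses.append(f"(!(UserAccountControl:{BIT_AND}:=2))")
    return "filter passwd (&" + "".join(clauses) + ")"


if __name__ == "__main__":
    # Group DN from the thread, then a constructed DN with characters to escape.
    print(passwd_filter("CN=PiServer Users,OU=Groups,DC=school,DC=domain,DC=com"))
    print(passwd_filter("CN=PiServer Users (Year 7),OU=Groups,DC=school,DC=domain,DC=com"))
```
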