Open christian-korneck opened 8 years ago
You can use that in a SearchFilter, something like:

```
<Authorization>
    BaseDN          DC=mydomain,DC=local
    SearchFilter    (&(objectCategory=user)(sAMAccountName=%u)(memberof:1.2.840.113556.1.4.1941:=CN=testgroup,OU=GROUPS,DC=mydomain,DC=local))
    RequireGroup    false
</Authorization>
```

I believe you want `RequireGroup false` in this case since the search filter is already mandating membership in your target group.
@benley Many thanks for the info. I will try and give feedback.
Unlike other LDAP servers, Active Directory supports nested groups and a way to query them using regular LDAP clients by entering special "OID" strings in the LDAP filter. I.e. an `ldapsearch` query like this against an Active Directory would return a list of users that are either directly members of the group `testgroup` or are members of a group that is nested into `testgroup` (directly or indirectly):

```
ldapsearch -h mydomaincontroller.mydomain.local -x -b "DC=mydomain,DC=local" -D "CN=myauthuser,OU=USERS,DC=mydomain,DC=local" -w mypassword "(&(objectCategory=user)(memberof:1.2.840.113556.1.4.1941:=CN=testgroup,OU=GROUPS,DC=mydomain,DC=local))"
```

Is it possible to somehow use such an LDAP filter in `auth-ldap.cnf`? I'm confused how the combination of `RequireGroup`, `Group -> BaseDN`, `Group -> Search Filter` and `Group -> MemberAttribute` leads to the actual LDAP query. Is there any setting where I could enter the `memberof:1.2.840.113556.1.4.1941:=<groupname>` string?

See here for the AD search syntax specs: https://msdn.microsoft.com/en-us/library/windows/desktop/aa746475(v=vs.85).aspx

Many thanks in advance.
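An added example (my own, not code from openvpn-auth-ldap or the posters above) that builds the nested-group SearchFilter with `%u` substituted and RFC 4515 escaped, and simulates in memory what the `1.2.840.113556.1.4.1941` matching rule resolves on the server side. The user DNs and the groups other than `testgroup` are constructed for the demonstration.

```python
# Added example, not code from openvpn-auth-ldap. Builds the nested-group
# SearchFilter from the thread (with %u substituted the way the plugin
# would) and simulates server-side what the LDAP_MATCHING_RULE_IN_CHAIN
# OID 1.2.840.113556.1.4.1941 resolves: transitive memberOf.
OID_IN_CHAIN = "1.2.840.113556.1.4.1941"
TESTGROUP = "CN=testgroup,OU=GROUPS,DC=mydomain,DC=local"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a user-supplied username cannot change the
    structure of the filter it is substituted into."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(username: str, group_dn: str) -> str:
    """The SearchFilter from the reply, after %u substitution.
    RequireGroup false belongs with it: the filter already enforces
    membership, and a flat memberOf group check would reject users who
    are only nested members."""
    return "(&(objectCategory=user)(sAMAccountName=%s)(memberof:%s:=%s))" % (
        escape_filter_value(username), OID_IN_CHAIN, escape_filter_value(group_dn))

# Constructed directory (DN -> direct memberOf DNs). Hypothetical names;
# "subgroup" is nested in testgroup and the two admin groups form a cycle.
DIRECTORY = {
    "CN=alice,OU=USERS,DC=mydomain,DC=local": [TESTGROUP],
    "CN=bob,OU=USERS,DC=mydomain,DC=local": ["CN=subgroup,OU=GROUPS,DC=mydomain,DC=local"],
    "CN=carol,OU=USERS,DC=mydomain,DC=local": ["CN=admins1,OU=GROUPS,DC=mydomain,DC=local"],
    "CN=subgroup,OU=GROUPS,DC=mydomain,DC=local": [TESTGROUP],
    "CN=admins1,OU=GROUPS,DC=mydomain,DC=local": ["CN=admins2,OU=GROUPS,DC=mydomain,DC=local"],
    "CN=admins2,OU=GROUPS,DC=mydomain,DC=local": ["CN=admins1,OU=GROUPS,DC=mydomain,DC=local"],
    TESTGROUP: [],
}

def transitive_groups(dn: str, directory: dict) -> set:
    """Walk memberOf links to a fixpoint; the seen-set stops group cycles."""
    seen, stack = set(), list(directory.get(dn, []))
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(directory.get(group, []))
    return seen

def matches_in_chain(user_dn: str, group_dn: str, directory: dict = DIRECTORY) -> bool:
    """What (memberof:1.2.840.113556.1.4.1941:=group_dn) evaluates to for user_dn."""
    return group_dn in transitive_groups(user_dn, directory)

if __name__ == "__main__":
    print(build_filter("alice", TESTGROUP))
    for u in ("alice", "bob", "carol"):
        print(u, matches_in_chain("CN=%s,OU=USERS,DC=mydomain,DC=local" % u, TESTGROUP))
```

Only alice (direct) and bob (via the nested `subgroup`) match; carol's cyclic admin groups never reach `testgroup`, and the walk still terminates.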