LDAP Authentication with Nested Groups
Good afternoon,
I have my K1000 configured to authenticate users through my Active Directory domain. However, it seems as though adding a group that the user is a member of to the linked AD group does not work: the user receives a logon error. If I add the user's account directly to the group that is linked to my K1000, the user is able to log in.
First, is this the expected behavior and second, can I build my LDAP query in such a way to allow me to add groups in the manner described above?
Here are the specifics of my configuration:
Search Base DN: DC=kace,DC=com
Search Filter: (&(sAMAccountName=KBOX_USER)(memberOf=CN=APP_KACE.Servers_Admin,OU=KACE,OU=App_Groups,OU=KACE_Groups,DC=kace,DC=com))
Thank you!
Answers (1)
You cannot use nested group membership to allow authentication in the K1000.
i.e., User1 is a member of nest 2, nest 2 is a member of nest 1, and nest 1 is the group we allow access to the K1000. User1 will not be allowed access to the K1000 because they are not a member of nest 1.
It is possible to build LDAP queries that target multiple groups using the '&' (AND operator) or the '|' (OR operator) like you have in your example above. If you have a lot of nested groups, that can get pretty tedious though.
Another thing to think about when designing how you want to set up your LDAP queries is how many different roles you are going to have set up in your K1000 and how many individuals will be in each role. If the answer is only a few admins and a few users with another elevated role, with the rest being users, it might be easier to set up a query as a catch-all (ex. (samaccountname=KBOX_USER)) and manually change their role as they log in.
Comments:
This makes sense and was the answer that I was expecting. Thanks for the response, Erik. - brupnick 11 years ago
Hello,
Were you able to do this in the kbox? I use LDAP device labels pointed to security groups. I have 5 security groups with multiple people under each one. I know this won't work in kbox to nest these 5 groups in another security group. I want to use one LDAP query to search these 5 groups at once. Does Erik's explanation address this? If so, what would the syntax exactly look like?
For example here's my current ldap query which searches the "gitusers-pse" security group. How would it look to add the 4 other gitusers- security groups to this query?
(&(sAMAccountName=KBOX_USERNAME)(memberOf=CN=gitusers-pse,OU=Security,OU=Groups,OU=domain,DC=domain,DC=com))
Thanks!
Ben - bens401 8 years ago
I solved this by adding the full line and adding additional security groups. It will be a long string but it works.
(&(sAMAccountName=KBOX_USERNAME)(|(memberOf=CN=gitusers-it,OU=Security,OU=Groups,OU=domain,DC=domain,DC=com)(memberOf=CN=gitusers-ps,OU=Security,OU=Groups,OU=domain,DC=domain,DC=com))) - bens401 8 years ago
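The answer above (the appliance only honours direct memberOf values, so multiple groups have to be OR-ed explicitly) and bens401's working filter both come down to the same thing: a flat list of (memberOf=...) clauses. The script below is an added example, not code from the thread, the appliance or Quest. It takes a group hierarchy, walks it to find every group nested under a top-level group, emits the OR filter in the form bens401 posted, and then evaluates that filter the way the appliance would (matching only direct membership), so you can see why a user two levels down fails the single-group filter and passes the expanded one. The group DNs, users and hierarchy are constructed for the example; the KBOX_USERNAME token is the appliance's placeholder as used in the thread.

```python
"""
Added example (not from the thread): emulate nested AD group membership
for a K1000-style LDAP filter that only honours direct memberOf values.

The appliance substitutes the login name into the filter and expects the
filter to match the user's own object. Because AD's memberOf attribute
lists only direct group membership, a filter naming one group will not
match a user who is in that group only via a nested group. The workaround
shown in the thread is to OR every group explicitly; this script builds
that OR clause from a group hierarchy so it does not have to be typed by
hand, and evaluates the result the way the appliance would.

All group data below is constructed for the example; the DNs are
hypothetical.
"""
from collections import deque
from typing import Dict, List, Set

# Constructed sample hierarchy: group DN -> member DNs (users and groups).
# nest1 contains nest2, nest2 contains nest3, and nest3 loops back to nest1
# so the traversal has a cycle to cope with.
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "CN=nest1,OU=Groups,DC=domain,DC=com": [
        "CN=nest2,OU=Groups,DC=domain,DC=com",
        "CN=alice,OU=Users,DC=domain,DC=com",
    ],
    "CN=nest2,OU=Groups,DC=domain,DC=com": [
        "CN=nest3,OU=Groups,DC=domain,DC=com",
        "CN=bob,OU=Users,DC=domain,DC=com",
    ],
    "CN=nest3,OU=Groups,DC=domain,DC=com": [
        "CN=nest1,OU=Groups,DC=domain,DC=com",
        "CN=carol,OU=Users,DC=domain,DC=com",
    ],
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so a group name containing
    '(', ')', '*', '\\' or NUL cannot change the structure of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def nested_groups(top: str, groups: Dict[str, List[str]]) -> List[str]:
    """Return `top` followed by every group nested under it, breadth-first,
    visiting each group once even if the hierarchy contains a cycle."""
    seen: Set[str] = {top}
    order: List[str] = []
    queue = deque([top])
    while queue:
        group = queue.popleft()
        order.append(group)
        for member in groups.get(group, []):
            # A member that is itself a key of the hierarchy is a group.
            if member in groups and member not in seen:
                seen.add(member)
                queue.append(member)
    return order


def build_filter(top: str, groups: Dict[str, List[str]],
                 user_token: str = "KBOX_USERNAME") -> str:
    """Build (&(sAMAccountName=TOKEN)(|(memberOf=G1)(memberOf=G2)...)) listing
    the top group and every group nested beneath it."""
    clauses = "".join(
        "(memberOf=%s)" % escape_filter_value(g) for g in nested_groups(top, groups)
    )
    return "(&(sAMAccountName=%s)(|%s))" % (user_token, clauses)


def direct_member_of(user_dn: str, groups: Dict[str, List[str]]) -> Set[str]:
    """What AD reports in the user's memberOf attribute: only the groups
    that list the user directly, never groups reached through nesting."""
    return {g for g, members in groups.items() if user_dn in members}


def user_allowed(user_dn: str, top: str, groups: Dict[str, List[str]],
                 expand_nested: bool) -> bool:
    """Evaluate the filter the way the appliance does: true if any of the
    user's direct memberOf values appears in the filter's OR clause."""
    allowed = set(nested_groups(top, groups)) if expand_nested else {top}
    return bool(direct_member_of(user_dn, groups) & allowed)


if __name__ == "__main__":
    top_group = "CN=nest1,OU=Groups,DC=domain,DC=com"
    bob = "CN=bob,OU=Users,DC=domain,DC=com"
    print(build_filter(top_group, SAMPLE_GROUPS))
    print("bob, single-group filter:", user_allowed(bob, top_group, SAMPLE_GROUPS, False))
    print("bob, expanded filter:   ", user_allowed(bob, top_group, SAMPLE_GROUPS, True))
```

Two practical points. The generated filter is a snapshot of the hierarchy: whenever a group is added beneath the top group the filter has to be regenerated and pasted into the appliance again, which is the "tedious" part the answer mentions. Separately, Active Directory itself can evaluate nesting server-side with the matching rule in chain, written as (memberOf:1.2.840.113556.1.4.1941:=<group DN>); that is an AD feature, and nothing in this thread establishes whether the K1000 passes such a filter through unchanged, so test it against a non-privileged account before relying on it.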