I have basic LDAP Authentication working, but now I want to restrict the authentication to only users that are in a specific group (and subgroups therein). Do I need to enable LDAP Authorization to do that? I don't need to sync the LDAP groups to OG group or role per se, I just need to restrict authenticated users to a specific ou in my AD tree.
I have tested an LDAP query with a filter and it does return the proper records that I would expect, so I am basically trying to get authentication to restrict the users to the same ones returned by my query.
My query has a filter like this:
base dn: DC=com,DC=abc
filter: (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Some Group,OU=Groups,OU=Global,DC=com,DC=abc))
Comments
Comment #2
grahl
Yes, that is generally what ldap_authorization is for, and in general it should work, though I cannot speak for the fact that you want to also check sub-groups. Note that the regular expression support in ldap_authorization is limited.
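As an added example (not part of the original thread and not code from the LDAP module): one way to turn the filter from the question into a per-login authorization check is to add a clause for the login name and escape every inserted value per RFC 4515, so a login name or group DN containing `*`, `(`, `)` or `\` cannot change the filter's structure. The function names and the `sAMAccountName` login attribute are assumptions for illustration.

```python
import re

# OID of AD's LDAP_MATCHING_RULE_IN_CHAIN, as used in the filter in the post.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# RFC 4515: these characters must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value):
    """Escape a string so it can only ever be a literal value in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def nested_group_login_filter(username, group_dn, login_attr="sAMAccountName"):
    """Build a filter matching one login name, only if that user is a direct
    or nested member of group_dn. login_attr is an assumption; use whatever
    attribute your authentication configuration matches the login name on."""
    if not username or not group_dn:
        raise ValueError("username and group DN are required")
    if not _ATTR_NAME.fullmatch(login_attr):
        raise ValueError("invalid attribute name")
    return "(&(objectClass=user)({}={})(memberOf:{}:={}))".format(
        login_attr, escape_filter_value(username),
        IN_CHAIN_OID, escape_filter_value(group_dn))


def is_authorized(search_entries):
    """Fail closed: allow the login only when exactly one entry matched."""
    return len(search_entries) == 1


if __name__ == "__main__":
    group = "CN=Some Group,OU=Groups,OU=Global,DC=com,DC=abc"  # DN from the post
    # Constructed login names; the second carries filter metacharacters.
    for name in ("jdoe", "*)(objectClass=*"):
        print(nested_group_login_filter(name, group))
```

Run the resulting filter against the same base DN as the test query and pass the returned entries to `is_authorized`; zero or multiple matches deny the login.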