I have basic LDAP Authentication working, but now I want to restrict the authentication to only users that are in a specific group (and subgroups therein). Do I need to enable LDAP Authorization to do that? I don't need to sync the LDAP groups to OG group or role per se, I just need to restrict authenticated users to a specific ou in my AD tree.

I have tested an LDAP query with a filter and it does return the proper records that I would expect, so I am basically trying to get authentication to restrict the users to the same ones returned by my query.

My query has a filter like this:

base dn: DC=com,DC=abc
filter: (&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Some Group,OU=Groups,OU=Global,DC=com,DC=abc))
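The filter above relies on the Active Directory matching rule `1.2.840.113556.1.4.1941` (LDAP_MATCHING_RULE_IN_CHAIN), which follows `memberOf` transitively; a plain `(memberOf=...)` clause only matches direct members, which is why it would not cover the subgroups mentioned in the question. The following is an added example, not code from this issue or from the Drupal LDAP module: it emulates both filter forms over a small constructed in-memory directory (the group and user DNs are made up to mirror the placeholders in the question), handles a group cycle so the walk terminates, and builds the filter string with RFC 4515 escaping of the group DN so a DN taken from configuration cannot change the filter's structure. Function names such as `is_nested_member` and `build_nested_group_filter` are this example's own.

```python
# Constructed sample directory (not real AD data): DN -> attributes.
# 'memberOf' lists only the groups an entry is a *direct* member of, as AD exposes it.
SOME_GROUP = "CN=Some Group,OU=Groups,OU=Global,DC=com,DC=abc"
SUB_GROUP = "CN=Sub Group,OU=Groups,OU=Global,DC=com,DC=abc"
LOOP_GROUP = "CN=Loop Group,OU=Groups,OU=Global,DC=com,DC=abc"
OTHER_GROUP = "CN=Other Group,OU=Groups,OU=Global,DC=com,DC=abc"

SAMPLE_DIRECTORY = {
    SOME_GROUP: {"objectClass": ["group"], "memberOf": []},
    SUB_GROUP: {"objectClass": ["group"], "memberOf": [SOME_GROUP, LOOP_GROUP]},
    LOOP_GROUP: {"objectClass": ["group"], "memberOf": [SUB_GROUP]},  # cycle with SUB_GROUP
    OTHER_GROUP: {"objectClass": ["group"], "memberOf": []},
    "CN=alice,OU=Users,DC=com,DC=abc": {"objectClass": ["user"], "memberOf": [SOME_GROUP]},
    "CN=bob,OU=Users,DC=com,DC=abc": {"objectClass": ["user"], "memberOf": [SUB_GROUP]},
    "CN=dave,OU=Users,DC=com,DC=abc": {"objectClass": ["user"], "memberOf": [LOOP_GROUP]},
    "CN=carol,OU=Users,DC=com,DC=abc": {"objectClass": ["user"], "memberOf": [OTHER_GROUP]},
}


def is_direct_member(entry_dn, group_dn, directory):
    """Semantics of a plain '(memberOf=<group>)': true only for direct membership."""
    return group_dn in directory[entry_dn]["memberOf"]


def is_nested_member(entry_dn, group_dn, directory):
    """Emulates '(memberOf:1.2.840.113556.1.4.1941:=<group>)' (LDAP_MATCHING_RULE_IN_CHAIN):
    walks memberOf transitively. The visited set keeps a group cycle from looping forever."""
    visited = set()
    stack = list(directory[entry_dn]["memberOf"])
    while stack:
        current = stack.pop()
        if current == group_dn:
            return True
        if current in visited:
            continue
        visited.add(current)
        # Groups not present in the directory contribute no further parents.
        stack.extend(directory.get(current, {"memberOf": []})["memberOf"])
    return False


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter.
    Without it, a ')' or '*' inside the value would alter the filter's meaning."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_nested_group_filter(group_dn):
    """Returns the filter used in the question, with the group DN escaped."""
    return "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=%s))" % escape_filter_value(group_dn)


def users_in_group(directory, group_dn, nested=True):
    """What the server would return for the filter, limited to objectClass=user."""
    check = is_nested_member if nested else is_direct_member
    return sorted(dn for dn, attrs in directory.items()
                  if "user" in attrs["objectClass"] and check(dn, group_dn, directory))


if __name__ == "__main__":
    print("filter:", build_nested_group_filter(SOME_GROUP))
    print("direct members:", users_in_group(SAMPLE_DIRECTORY, SOME_GROUP, nested=False))
    print("nested members:", users_in_group(SAMPLE_DIRECTORY, SOME_GROUP, nested=True))
```

Running it shows that the plain `memberOf` form returns only alice, while the chain-matching form also returns bob (via Sub Group) and dave (via Loop Group, which is reachable through the cycle) and never returns carol. The `1.4.1941` rule is Active Directory specific; against a non-AD server the nested form has to be replaced by a recursive lookup like `is_nested_member` performed by the application.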

Comments

meecect created an issue.

grahl commented:

Status: Active » Fixed

Yes, that is generally what ldap_authorization is for, and in general it should work, though I cannot speak for the fact that you want to also check sub-groups. Note that the regular expression support in ldap_authorization is limited.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.