LDAP restrict users to group

ldap group restrictions

5 replies to this topic

#1 hackeld

    Newbie

  • Members
  • 5 posts

Posted 17 February 2015 - 06:06 PM

Hello,

Is it possible to restrict the login of users to only a select Active Directory group?

Specifically, I only want a user to be able to log in if they belong to the "perforce.users" AD group I created.

I have the following set in the ldap configuration file:

Name:    ldap-configuration
Host:    org.edu
Port:    636
Encryption:    ssl
BindMethod:    sasl
SearchScope:    subtree
SaslRealm:    ORG.EDU
GroupBaseDN:    CN=perforce.users,DC=ORG,DC=edu
GroupSearchScope:    subtree

I see there is a GroupSearchFilter: to use, but there is no description or example of what to set it to (if this would even help restrict?).  Everything works as far as I can create a new user and have them log in.  However, if they don't belong to the perforce.users group they are still able to log in.

#2 P4Nick

    Advanced Member

  • Staff
  • 50 posts
  • LocationReading, UK

Posted 20 February 2015 - 07:34 AM

Hi

The GroupSearchFilter needs to be set to an LDAP search query that can identify the user as belonging to an LDAP group.

Different LDAP server implementations handle groups differently, and in the case of AD, we'll need to search for the user record and ensure it has a memberOf attribute that points to the group.

For example:
GroupBaseDN:    DC=ORG,DC=edu
GroupSearchFilter: (&(objectClass=user)(sAMAccountName=%user%)(memberOf=CN=perforce.users,DC=ORG,DC=edu))
GroupSearchScope:    subtree

Please let us know how you get on.
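
P4Nick's filter does the restriction by requiring a memberOf value on the user record. The following Python model is added here and is not part of the thread or of Perforce: it reads a spec in the layout shown above, substitutes %user% into GroupSearchFilter with RFC 4515 escaping, and runs the rendered filter against two constructed user entries (alice, a direct member of perforce.users; bob, not a member). Whether the Helix server escapes %user% itself is not stated in the thread; the escape flag exists to show why a username must be escaped before it goes into a filter, since an unescaped '*' turns (sAMAccountName=*) into a match on every group member. Only the (&...) and (attr=value) forms of RFC 4515 are parsed, and base DN and search scope are not modelled.

```python
"""Model of a Perforce-style LDAP group search (added example, not Perforce code).
Renders GroupSearchFilter from a p4 ldap spec with RFC 4515 escaping of %user%,
then evaluates it against an in-memory AD-like directory."""
import re

# Constructed spec in the 'Key:    Value' layout the thread shows; the filter is P4Nick's.
LDAP_SPEC = """\
Name:    ldap-configuration
Host:    org.edu
Port:    636
Encryption:    ssl
BindMethod:    sasl
SearchScope:    subtree
SaslRealm:    ORG.EDU
GroupBaseDN:    DC=ORG,DC=edu
GroupSearchFilter:    (&(objectClass=user)(sAMAccountName=%user%)(memberOf=CN=perforce.users,DC=ORG,DC=edu))
GroupSearchScope:    subtree
"""

GROUP = "CN=perforce.users,DC=ORG,DC=edu"
# Constructed AD-like entries (hypothetical users); attribute names are lower-cased.
DIRECTORY = [
    {"objectclass": ["top", "person", "user"], "samaccountname": ["alice"],
     "memberof": [GROUP, "CN=staff,DC=ORG,DC=edu"]},            # direct member
    {"objectclass": ["top", "person", "user"], "samaccountname": ["bob"],
     "memberof": ["CN=staff,DC=ORG,DC=edu"]},                   # not a member
]

def parse_spec(text):
    """'Key:    Value' lines -> dict; the first colon splits key from value."""
    spec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            spec[key.strip()] = value.strip()
    return spec

def escape_filter_value(value):
    # RFC 4515: backslash, '*', '(', ')' and NUL are written as \XX hex escapes.
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def render_filter(template, user, escape=True):
    """Substitute %user%; escape=False shows what an unescaped username can do."""
    return template.replace("%user%", escape_filter_value(user) if escape else user)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&(...)(...)) and (attr=value)."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    if s[i + 1] == "&":
        i, children = i + 2, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("&", children), i + 1
    end = s.index(")", i)  # a raw ')' never occurs inside a properly escaped value
    attr, _, value = s[i + 1:end].partition("=")
    return ("=", attr.lower(), value), end + 1

_HEX = re.compile(r"\\([0-9a-fA-F]{2})")

def _value_matches(pattern, actual):
    # Split on unescaped '*' (wildcard) first, then decode \XX so '\2a' stays a literal star.
    parts = [re.escape(_HEX.sub(lambda m: chr(int(m.group(1), 16)), p))
             for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, c) for c in node[1])
    _, attr, pattern = node
    return any(_value_matches(pattern, v) for v in entry.get(attr, []))

def group_search(directory, filter_text):
    """Entries matching the rendered filter (base DN and scope are not modelled)."""
    node = parse_filter(filter_text)
    return [e for e in directory if matches(e, node)]

def user_allowed(spec, directory, user, escape=True):
    """True mirrors 'Authentication successful'; False mirrors
    'No results were returned by the LDAP group search'."""
    rendered = render_filter(spec["GroupSearchFilter"], user, escape)
    return len(group_search(directory, rendered)) > 0

SPEC = parse_spec(LDAP_SPEC)

if __name__ == "__main__":
    for name in ("alice", "bob", "*"):
        print("%-5s -> %s" % (name, user_allowed(SPEC, DIRECTORY, name)))
    # Without escaping, a "username" of '*' matches every group member and is let in.
    print("unescaped '*' -> %s" % user_allowed(SPEC, DIRECTORY, "*", escape=False))
```

One caveat that comes from Active Directory itself, not from the thread: memberOf lists direct memberships only, so a user who belongs to perforce.users only through a nested group will not match this filter. AD supports a matching rule for that case, memberOf:1.2.840.113556.1.4.1941:=<group DN>, which the small parser above does not understand.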

#3 hackeld

    Newbie

  • Members
  • 5 posts

Posted 23 February 2015 - 08:52 PM

Thank you P4Nick!  It works as far as being able to use the "p4 ldap -t testuser ldap-configuration" command on the server.  I get "Authentication successful" when the user is in the AD group and "No results were returned by the LDAP group search..." when the user isn't part of the group.

My next hurdle is that I'm not able to log in to the P4V client using the test user account - when prompted for the user's password, I enter the password and get re-prompted every time.  I've tried pre-creating the user account and giving it permission, along with trying to just create a new user account.  Same issue - repeated password prompt.

#4 hackeld

    Newbie

  • Members
  • 5 posts

Posted 23 February 2015 - 10:56 PM

In the logs it is showing 'user-user -o' --- failed authentication check when I try to log in via the P4V client.  But like I mentioned above, if I do "p4 ldap -t testuser ldap-configuration" I get "Authentication successful."

#5 hackeld

    Newbie

  • Members
  • 5 posts

Posted 24 February 2015 - 02:17 PM

Doing a little more testing, I get the following:

p4 ldap -t testuser ldap-configuration = Authentication Successful

p4 ldaps -t testuser = Testing authentication against LDAP configuration ldap-configuration.  No results were returned by the LDAP group search

Running "p4 ldaps", it shows the following:
ldap-configuration dc.org.edu:636 sasl (enabled)
ldap-configuration dc.org.edu:636 sasl (enabled)

Is it supposed to show duplicate entries?

#6 hackeld

    Newbie

  • Members
  • 5 posts

Posted 24 February 2015 - 03:56 PM

Figured it out - removed the 2nd ldap-configuration file (it had the same configuration name inside the file, "Name:  ldap-configuration") under perforce/server/ldap, and restarted the service (p4 admin restart).  Now everything is working as expected.

Thanks again P4Nick

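The fix in the last post was removing a second spec file that carried the same Name: value, which is what produced the doubled lines in "p4 ldaps". As an added check, not part of the thread or of Perforce, here is a small Python scan for that condition: it reads the spec files in a directory such as perforce/server/ldap (the path named in the post), extracts each Name: field and reports any name defined in more than one file. The file names and contents in SAMPLE_SPECS are constructed for the example.

```python
"""Check a directory of p4 ldap spec files for duplicate Name: values
(added example; illustrates the duplicate-config symptom from the thread)."""
import os
import re
from collections import defaultdict

# First 'Name:' line of a spec, in the 'Key:    Value' layout the thread shows.
_NAME = re.compile(r"^Name:\s*(\S+)", re.MULTILINE)

def duplicate_spec_names(specs):
    """specs: mapping of file path -> spec text.
    Returns {name: [paths]} for every name that appears in more than one file."""
    by_name = defaultdict(list)
    for path, text in specs.items():
        m = _NAME.search(text)
        if m:
            by_name[m.group(1)].append(path)
    return {name: sorted(paths) for name, paths in by_name.items() if len(paths) > 1}

def scan_spec_dir(directory):
    """Read every regular file in the spec directory and check for duplicate names."""
    specs = {}
    for entry in sorted(os.listdir(directory)):
        path = os.path.join(directory, entry)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                specs[path] = fh.read()
    return duplicate_spec_names(specs)

# Constructed contents standing in for files under perforce/server/ldap (hypothetical names).
SAMPLE_SPECS = {
    "perforce/server/ldap/ldap-configuration":
        "Name:    ldap-configuration\nHost:    org.edu\nPort:    636\n",
    "perforce/server/ldap/ldap-configuration.bak":
        "Name:    ldap-configuration\nHost:    dc.org.edu\nPort:    636\n",
    "perforce/server/ldap/other":
        "Name:    other-ldap\nHost:    ldap.example.org\nPort:    389\n",
}

if __name__ == "__main__":
    for name, paths in duplicate_spec_names(SAMPLE_SPECS).items():
        print("duplicate Name %r in: %s" % (name, ", ".join(paths)))
```

Run scan_spec_dir("perforce/server/ldap") on the server; an empty result means every spec name is unique. The scan only reads files, so it complements rather than replaces "p4 ldaps", which shows the configurations the server has actually loaded.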