Open for Voting

Ability for AD users to be members of multiple groups

We would like for our AD (LDAP) users to be able to log on and see just the folders that they have permissions to. For example, we may have project1, project2, project3, and project4, with mixed permissions by individual users.

User1: access to project1 and project2

User2: access to project1, project2, and project3

User3: access to project2 and project4

etc...

If I have 10 folders/projects, it would require a different AD security group to meet every possible combination of folder/project access. It would be 2 to the 10th power, which is 1024. So I would need 1024 different AD/LDAP security groups just to support the 10 folders/projects. There must be a better way to accomplish this.

  • Theoretically yes, you should be able to have multiple LDAP groups with access rights and virtual paths added to an account that is a member of those groups. All the documentation states that if an account is a member of multiple groups it 'should' work.

    See the LDAP Group membership section of this doc. SolarWinds Online Help

         "For example, if the Group Membership field is configured to be grp and an LDAP user record has both grp=Green and grp=Red attributes, Serv-U will associate that LDAP User with both the "Red" and "Green" LDAP Groups."

    So far I've not been able to get that working correctly. For example, I have a test account set up that is a member of 3 different LDAP-defined groups. Two of these groups define virtual paths that should show up for the user when they log in. Since no virtual paths are defined on the one LDAP group it's logging as finding the user in, none of them get mapped. It seems to only find and apply the settings for one group, regardless of how many the account is a member of. I'd really appreciate any ideas on how to get this working correctly.

  • With an LDAP setup and using AD security groups, you should be able to just have 10 project groups and assign users to them.

    We have found that security group permissions are additive. Being a member of the default LDAP group + a member of OU group + a member of different security groups can give a user rights to multiple folders and settings.

  • Unfortunately, this does not work well if your FTP server is in a DMZ network and not part of internal security domains.

  • Use Windows authentication instead of LDAP; this way you can use native NTFS ACLs.
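The group-membership rule quoted from the documentation above (one multi-valued attribute, one group per value) and the additive permissions described in the later reply, as an added example that is not Serv-U's own code: it resolves a user's virtual paths from constructed LDAP records and contrasts the first-group-only behaviour reported in the thread with an additive merge. Group names, paths and permission names are assumptions.

```python
from typing import Dict, List, Set

# Constructed LDAP group definitions, as an administrator might configure them
# on the server side: each group grants virtual paths with a permission set.
# Group names, paths and permission names are hypothetical.
GROUP_DEFS: Dict[str, Dict[str, Set[str]]] = {
    "ldap-default": {},  # the default LDAP group, no virtual paths
    "project1": {"/projects/project1": {"list", "read", "write"}},
    "project2": {"/projects/project2": {"list", "read"}},
    "project3": {"/projects/project3": {"list", "read", "write"}},
    "project4": {"/projects/project4": {"list", "read"}},
}

# Constructed LDAP user records. "grp" is the multi-valued group-membership
# attribute from the documentation quote (grp=Green and grp=Red on one record).
LDAP_USERS: Dict[str, Dict[str, List[str]]] = {
    "user1": {"grp": ["ldap-default", "project1", "project2"]},
    "user2": {"grp": ["ldap-default", "project1", "project2", "project3"]},
    "user3": {"grp": ["ldap-default", "project2", "project4"]},
}


def member_groups(record: Dict[str, List[str]], attr: str = "grp") -> List[str]:
    """All group names on the record's membership attribute, in order,
    ignoring values that do not match a configured group."""
    return [g for g in record.get(attr, []) if g in GROUP_DEFS]


def resolve_first_group_only(username: str) -> Dict[str, Set[str]]:
    """The behaviour reported in the thread: only the first matching group's
    settings are applied, so a path-less default group yields no paths."""
    groups = member_groups(LDAP_USERS[username])
    return dict(GROUP_DEFS[groups[0]]) if groups else {}


def resolve_additive(username: str) -> Dict[str, Set[str]]:
    """Additive resolution: every group the user belongs to contributes its
    virtual paths, and permissions on a shared path are the union."""
    effective: Dict[str, Set[str]] = {}
    for group in member_groups(LDAP_USERS[username]):
        for path, perms in GROUP_DEFS[group].items():
            effective.setdefault(path, set()).update(perms)
    return effective


if __name__ == "__main__":
    for user in LDAP_USERS:
        print(user, "first-only:", sorted(resolve_first_group_only(user)))
        print(user, "additive:  ", sorted(resolve_additive(user)))
```

With additive resolution, the ten project groups cover every combination of folder access, so no per-combination groups are needed.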