3 Replies Latest reply on May 6, 2015 2:21 PM by abosch

    LDAP authentication against AD group

    geoffb

      Howdy, all.
      While the information in this post may be old news for some people, I was unable to find any good information about this on Thwack or in the STM documentation.
      My desire was to have the LDAP authentication within STM verify that a user was a member of an AD group and not just a member of the domain.
      The LDAP Search Filter that is shown in the documentation is (sAMAccountName={0}).  This will allow any user of the domain to log into STM.  Granted, they don't have any permissions by default but I'd rather not rely on a very unconventional authentication scheme (allow everybody to log in and make the admin grant perms).
      I googled for ldap search filter group membership and was presented with this stackoverflow post as the top result.  From that page I used the following text for my LDAP search filter and was able to restrict access to only members of the domain:
      (&(objectClass=user)(sAMAccountName={0})(memberof=CN=SolarWinds Storage Manager users,OU=Groups,DC=domain,DC=local))
      You will want to replace the red text ("CN=SolarWinds Storage Manager users,OU=Groups,DC=domain,DC=local") with the distinguished name of the group you wish to use for restricting access.  Also, as the stackoverflow post says, it will only validate upon immediate group membership.  Specifically, if User A is a member of Group A which is a member of Group B they will not be able to log in if the LDAP is searching on Group B.
      I hope this information comes in handy in the event someone else is trying to authenticate based on group membership.
      Geoff
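The following is an added example, not code from the post above or from SolarWinds Storage Manager. It reproduces, offline, what the search filter in the post checks and what it does not: a small constructed directory (users alice, bob and carol, the group DN from the post, and a made-up sub-group "Storage Admins" that is itself a member of that group), a minimal evaluator for filters of the post's shape (an AND of equality assertions) standing in for the LDAP server, and a transitive memberOf walk to show why bob, who only belongs via the sub-group, is rejected by the plain `memberof=` filter. It also shows RFC 4515 escaping of the value that replaces `{0}`; whether STM escapes the login name itself is not stated in the post, so `build_filter` does it explicitly.

```python
"""Added example: evaluate the post's LDAP filter against constructed AD-style
entries, including the nested-group caveat and RFC 4515 value escaping."""
import re

GROUP_DN = "CN=SolarWinds Storage Manager users,OU=Groups,DC=domain,DC=local"
NESTED_DN = "CN=Storage Admins,OU=Groups,DC=domain,DC=local"   # constructed sub-group

# Constructed sample directory (not real data). Keys are DNs; values map an
# attribute name to its list of values, the way an LDAP search result is shaped.
DIRECTORY = {
    "CN=alice,OU=Users,DC=domain,DC=local": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["alice"],
        "memberOf": [GROUP_DN],                  # direct member of the group
    },
    "CN=bob,OU=Users,DC=domain,DC=local": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["bob"],
        "memberOf": [NESTED_DN],                 # member only via the sub-group
    },
    "CN=carol,OU=Users,DC=domain,DC=local": {
        "objectClass": ["top", "person", "user"],
        "sAMAccountName": ["carol"],
        "memberOf": [],                          # domain user, no group at all
    },
    NESTED_DN: {"objectClass": ["top", "group"], "memberOf": [GROUP_DN]},
    GROUP_DN: {"objectClass": ["top", "group"], "memberOf": []},
}


def escape_filter_value(value):
    """RFC 4515 escaping for any value substituted into a filter, such as the
    login name that replaces {0}. Without it, characters like '(' ')' '*' in
    the submitted name would alter the filter's structure instead of being
    compared literally."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(username, group_dn=GROUP_DN):
    """The post's filter with the {0} placeholder filled in safely."""
    return ("(&(objectClass=user)(sAMAccountName=%s)(memberof=%s))"
            % (escape_filter_value(username), escape_filter_value(group_dn)))


_ASSERTION = re.compile(r"\(([^=()]+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches_filter(entry, ldap_filter):
    """Evaluate a filter of the shape used in the post (an AND of equality
    assertions) against one entry. AD attribute names, account names and DNs
    are case-insensitive, so comparisons fold case."""
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    for attr, value in _ASSERTION.findall(ldap_filter):
        if _unescape(value).lower() not in attrs.get(attr.lower(), []):
            return False
    return True


def find_user(username, group_dn=GROUP_DN):
    """Stand-in for the server side of the login: the DN of the single entry
    the filter selects, or None (no match, or ambiguous) -> login refused."""
    flt = build_filter(username, group_dn)
    hits = [dn for dn, entry in DIRECTORY.items() if matches_filter(entry, flt)]
    return hits[0] if len(hits) == 1 else None


def effective_member(dn, group_dn, _seen=None):
    """Follow memberOf transitively. This is what the plain memberof= filter
    does NOT do; it is here only to show which users the filter leaves out."""
    if _seen is None:
        _seen = set()
    if dn in _seen:                      # guard against group cycles
        return False
    _seen.add(dn)
    for parent in DIRECTORY.get(dn, {}).get("memberOf", []):
        if parent.lower() == group_dn.lower() or effective_member(parent, group_dn, _seen):
            return True
    return False


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "x)(objectClass=*"):
        print("%-20r filter match: %s" % (name, find_user(name)))
    print("bob is effectively a member:", effective_member("CN=bob,OU=Users,DC=domain,DC=local", GROUP_DN))
```

Running it shows alice accepted, carol rejected, and bob rejected although `effective_member` reports him as a member through the sub-group, which is the caveat the post raises; the last probe shows that once the login name is escaped, a name containing filter metacharacters is simply an account that does not exist rather than a changed query.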