How to limit login to specific group membership in LDAP search
This document describes how to limit login to one or more specific groups in the LDAP directory, so that only accounts that are members of that group (or those groups) are allowed to log in.
The reader of this document should have some basic knowledge about PhenixID Server.
System requirements
- PhenixID Server installed.
- Group(s) in the LDAP directory
Overview
The examples below will show how the LDAP search can be configured to only allow access to those accounts that are members of one or more specific groups in LDAP.
We will make changes to the configuration file phenix-store.json, so please make sure to have a backup of this file.
Example of LDAP search configuration
Log in to the configuration portal and locate the scenario that you want to modify.
Now go to "Execution Flow" and find the LDAPSearchValve.
It should look similar to this when using default values:
Now add the group membership condition to the search filter. This example restricts login to members of one group:
(&(sAMAccountName={{request.User-Name}})(memberOf=CN=Group1,OU=Training,DC=company,DC=local))
Example of search for two groups:
(&(sAMAccountName={{request.User-Name}})(|(memberOf=CN=Group1,OU=Training,DC=company,DC=local)(memberOf=CN=Group2,OU=Training,DC=company,DC=local)))
In the example above, login is accepted if the user logging in is a member of either group.
Configuration should now look similar to this:
Example with one group, nested search (i.e. the user is a member of Group1, which in turn is a member of Group2). The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) evaluates membership transitively and is specific to Active Directory:
(&(sAMAccountName={{request.User-Name}})(memberOf:1.2.840.113556.1.4.1941:=CN=Group2,OU=Training,DC=company,DC=local))
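As an added example (not PhenixID's own code), the Python helper below generates the three filter forms shown above from a list of group DNs, and shows the RFC 4515 escaping a server must apply when it replaces {{request.User-Name}} so that a login name cannot change the structure of the filter. The function names and the escaping step are assumptions for illustration; PhenixID performs the placeholder substitution internally.

```python
from typing import Sequence

# PhenixID placeholder that the server replaces with the login name at runtime.
USER_TEMPLATE = "{{request.User-Name}}"
# Active Directory extensible-match rule LDAP_MATCHING_RULE_IN_CHAIN (transitive
# group membership). AD-specific; other directory servers do not support it.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_group_filter(group_dns: Sequence[str], nested: bool = False,
                       user_attr: str = "sAMAccountName") -> str:
    """Return the filter string to paste into the LDAPSearchValve.

    One group yields a single memberOf clause; several groups are OR-ed with
    (|...). nested=True uses the in-chain matching rule so membership through
    intermediate groups also matches.
    """
    if not group_dns:
        raise ValueError("at least one group DN is required")
    attr = f"memberOf:{IN_CHAIN_RULE}:" if nested else "memberOf"
    clauses = [f"({attr}={escape_filter_value(dn)})" for dn in group_dns]
    group_part = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&({user_attr}={USER_TEMPLATE}){group_part})"


def render_filter(filter_template: str, user_name: str) -> str:
    """Substitute the placeholder with an escaped login name (what the server
    must do so that a crafted user name cannot change the filter's meaning)."""
    return filter_template.replace(USER_TEMPLATE, escape_filter_value(user_name))


if __name__ == "__main__":
    # Constructed sample DNs matching the examples in this document.
    group1 = "CN=Group1,OU=Training,DC=company,DC=local"
    group2 = "CN=Group2,OU=Training,DC=company,DC=local"
    print(build_group_filter([group1]))
    print(build_group_filter([group1, group2]))
    print(build_group_filter([group2], nested=True))
    print(render_filter(build_group_filter([group1]), "alice"))
```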