Authenticate LDAP user if he's a part of a specific group

Question

In my node application, I have an use case in which I need to authenticate the LDAP users belonging to a specific group only. If the user does not belong to the mentioned group, authentication should fail.

I am using the library ldapauth-fork for LDAP authentication.

I tried various approaches for the filters, but none of them are working as expected. Below are the attempts that I tried:

let ldapConnector = new LdapAuth (
    {
        url              : config.ldap.url,
        bindDN           : config.ldap.bindDN,
        adminPassword    : config.ldap.adminPassword,
        searchBase       : config.ldap.searchBase,
        searchFilter     : "(&(sAMAccountName=testUser)(memberOf=testGroup))",
        cache            : true,
        includeRaw       : true,
        log              : logger
    }
);

For this configuration, I always get no such user: "testuser" even if the user is member of the testGroup group.

let ldapConnector = new LdapAuth (
    {
        url               : config.ldap.url,
        bindDN            : config.ldap.bindDN,
        adminPassword     : config.ldap.adminPassword,
        searchBase        : config.ldap.searchBase,
        searchFilter      : "(sAMAccountName=testuser)", 
        groupSearchFilter : "(member=testGroup)"`
        cache             : true,
        includeRaw        : true,
        log               : logger
    }
);

For this configuration, the authentication is always successful, even if the group name is a random string.

So, what should be the correct filter string to make the authentication work?

Are you using Microsoft Active Directory, OpenLDAP, or something else? — T-Heron, Apr 19 '18 at 16:56

T-Heron · Accepted Answer · 2018-04-20T20:27:36.510

4

I see that you want an LDAP search filter match on "username = x and group = y". To do this, you need to provide a fully distinguished name for the value of the memberOf attribute.

This should work:

(&(sAMAccountName=testuser)(memberOf=cn=testGroup,cn=Users,DC=yourdomain,DC=yourdomainsuffix))

The above example assumes testGroup resides in the default location of CN=Users in your Active Directory domain. If it is in some other place, modify the LDAP path as appropriate. For example, this works in my isolated test domain, because I haven't moved GroupA group out of the Users container:

(&(sAMAccountName=Todd)(memberOf=cn=GroupA,cn=Users,DC=dev,DC=local))

EDIT (4/20/2018): In the second scenario, per mvreijn's comment, the groupSearchFilter only serves to request the list of groups that a valid user is a member of. It does not play a role during authentication.

edited Apr 20 '18 at 20:27

answered Apr 19 '18 at 18:13

T-Heron

5,385
7
26
52

2

the `groupSearchFilter` only serves to request the list of groups that a valid user is a member of. It does not play a role during authentication. – mvreijn Apr 19 '18 at 20:25
@mvreijn - +1 to you! Nice. – T-Heron Apr 19 '18 at 20:51
I was missing the complete path for my group. Thank you @T-Heron :) – Prerak Sola Apr 23 '18 at 08:41

Authenticate LDAP user if he's a part of a specific group

1 Answers1