
LDAP: Add filter based on memberOf

Open tigre-bleu opened this issue 2 years ago • 2 comments

LDAP authentication is great. In our use case, it would be useful to have a filter based on the AD groups the user is a member of. Only members of the "Crackerjack" security group in AD should be able to log in.

In the same way, another group could be used to configure whether the user shall be an admin or not in Crackerjack.

tigre-bleu, Jul 17 '23 09:07

This is a good recommendation. Can you try specifying the OU in the settings to be the one for the CrackerJack users?

As for the admin one, it'd also be a good addition, but originally I've kept it separate to avoid being locked out if the LDAP server was down, by forcing the use of local accounts.

sadreck, Jul 17 '23 10:07

Depending on the layout of the AD, in the same OU some accounts shall be allowed to log in and others not, hence the filter on group membership rather than OU.

Regarding admin accounts, you could still try to authenticate locally and via LDAP, whichever succeeds.

tigre-bleu, Jul 17 '23 11:07
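
An added example, not part of the thread and not CrackerJack's own code: one way to express the requested group restriction as an Active Directory search filter, with the username escaped per RFC 4515 and a separate admin-group check on the returned entry. The group DNs, the `sAMAccountName` login attribute and all function names are assumptions made for illustration.

```python
# Added example: not CrackerJack code. DNs and account names are constructed.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN: follows nested groups.
IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape untrusted text so it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def login_filter(username: str, group_dn: str, nested: bool = False) -> str:
    """Filter matching one account only if it is a member of group_dn."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return (
        "(&(objectClass=user)"
        f"(sAMAccountName={escape_filter_value(username)})"
        f"({attr}={escape_filter_value(group_dn)}))"
    )


def is_admin(member_of: list[str], admin_group_dn: str) -> bool:
    """Check a returned entry's memberOf values; DN comparison is case-insensitive."""
    wanted = admin_group_dn.strip().lower()
    return any(dn.strip().lower() == wanted for dn in member_of)


LOGIN_GROUP = "CN=Crackerjack,OU=Groups,DC=example,DC=com"         # constructed
ADMIN_GROUP = "CN=Crackerjack Admins,OU=Groups,DC=example,DC=com"  # constructed

if __name__ == "__main__":
    print(login_filter("alice", LOGIN_GROUP))
    print(login_filter("alice", LOGIN_GROUP, nested=True))
    # Metacharacters in the username are escaped rather than interpreted.
    print(login_filter("doe(ext)*", LOGIN_GROUP))
    print(is_admin([LOGIN_GROUP.upper(), ADMIN_GROUP], ADMIN_GROUP))
```

The `memberOf` values on a returned entry list direct memberships only, so `is_admin` does not see nested groups; the `nested=True` filter form is the one that follows them.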