Authorization using LDAP groups

You use bind methods to configure user authentication, but you don’t want to give everyone in your organization the ability to log in to your Helix Server, especially if everyone is in the same directory. Rather, you should create a group object in the directory that contains only authorized users. The LDAP integration provides support for checking group membership.

LDAP groups work just like the search bind method: an LDAP search query, run against a search base with a given scope, determines whether a user is a member of an allowed group. For example, if there is a group in the LDAP directory named perforce, whose users are allowed to access a Helix Server, you might have a configuration like this:

GroupBaseDN:    ou=groups, dc=example, dc=com
GroupSearchFilter:   (&(objectClass=posixGroup) (cn=perforce) (memberUid=%user%))
GroupSearchScope:    subtree

Group objects in Active Directory are slightly different from those in OpenLDAP: rather than containing a list of the members’ user names, they contain a list of the members’ full DNs. These are not typically easy to match. However, back references are added to each member’s User object, and those can be matched. Therefore, when using group authorization against Active Directory, you will probably need to search for the user’s User object and check that it contains a memberOf reference to the group. For example:

GroupBaseDN:    ou=users, dc=example, dc=com
GroupSearchFilter:   (&(objectClass=user) (sAMAccountName=%user%) (memberOf=cn=perforce,ou=groups,dc=example,dc=com))
GroupSearchScope:    subtree

Important

LDAP queries for a user are performed as that user. Therefore, a user must be a member of a group before that user can see that group.
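As an added example (not code from the Helix Server documentation or product), the following Python evaluates both group filters shown above against a small constructed in-memory directory, substituting %user% with RFC 4515 escaping so the user name is only ever matched as a literal value. The directory entries, the toy AND-of-equality evaluator and the escaping step are assumptions for illustration; whether Helix Server escapes %user% itself is not stated on this page.

```python
import re

# Constructed sample directory: each entry maps attribute -> list of values.
DIRECTORY = [
    {"dn": "cn=perforce,ou=groups,dc=example,dc=com", "objectClass": ["posixGroup"],
     "cn": ["perforce"], "memberUid": ["alice", "bob"]},
    {"dn": "cn=alice,ou=users,dc=example,dc=com", "objectClass": ["user"],
     "sAMAccountName": ["alice"], "memberOf": ["cn=perforce,ou=groups,dc=example,dc=com"]},
    {"dn": "cn=mallory,ou=users,dc=example,dc=com", "objectClass": ["user"],
     "sAMAccountName": ["mallory"], "memberOf": []},
]

# (GroupBaseDN, GroupSearchFilter) pairs from the two examples above.
OPENLDAP = ("ou=groups,dc=example,dc=com",
            "(&(objectClass=posixGroup) (cn=perforce) (memberUid=%user%))")
AD = ("ou=users,dc=example,dc=com",
      "(&(objectClass=user) (sAMAccountName=%user%) "
      "(memberOf=cn=perforce,ou=groups,dc=example,dc=com))")

def escape_filter_value(value):
    """RFC 4515 escaping (assumed here) so the user name is read as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def expand_filter(template, user):
    """Substitute the %user% placeholder the way GroupSearchFilter uses it."""
    return template.replace("%user%", escape_filter_value(user))

_TERM = re.compile(r"\(([A-Za-z][\w-]*)=([^()]*)\)")

def entry_matches(entry, flt):
    """Evaluate an AND-of-equality filter; values compare case-insensitively."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&(a=v)(b=w)...) filters are supported here")
    for attr, value in _TERM.findall(flt[2:-1]):
        if not any(v.lower() == value.lower() for v in entry.get(attr, [])):
            return False
    return True

def is_authorized(directory, base_dn, template, user):
    """True if a subtree search under base_dn returns at least one entry."""
    flt = expand_filter(template, user)
    return any(e["dn"].lower().endswith(base_dn.lower()) and entry_matches(e, flt)
               for e in directory)

if __name__ == "__main__":
    for base, tmpl in (OPENLDAP, AD):
        for user in ("alice", "bob", "mallory"):
            print(base, user, is_authorized(DIRECTORY, base, tmpl, user))
```

Note that bob is listed in the posixGroup's memberUid but has no User object with a memberOf back reference, so he passes the OpenLDAP-style check and fails the Active Directory-style one.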