Authorization using LDAP groups
You use bind methods to configure user authentication, but you don’t want to give everyone in your organization the ability to log in to your Helix Server, especially if everyone is in the same directory. Rather, you should create a group object in the directory that contains only authorized users. The LDAP integration provides support for checking group membership.
LDAP groups work just like the search bind method, where an LDAP search query determines whether a user is a member of an allowed group and whether a search base and scope are also provided. For example, if there is a group in the LDAP directory named perforce, whose users are allowed to access a Helix Server, you might have a configuration like this:
GroupBaseDN: ou=groups, dc=example, dc=com
GroupSearchFilter: (&(objectClass=posixGroup) (cn=perforce) (memberUid=%user%))
GroupSearchScope: subtree
Group objects in Active Directory are slightly different from those in OpenLDAP: rather than containing a list of the members' user names, they contain a list of the members' full DNs. These are not typically easy to match. However, back references are added to the members' User objects, which can be matched. Therefore, when using group authorization against Active Directory, you will probably need to search for the user's User object and check that it contains a memberOf reference to the group. For example:
GroupBaseDN: ou=users, dc=example, dc=com
SearchFilter: (&(objectClass=user) (sAMAccountName=%user%) (memberOf=cn=perforce,ou=groups,dc=example,dc=com))
SearchScope: subtree
LDAP queries for a user are performed as that user. Therefore, a user must be a member of a group before that user can see that group.
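To see how the two filter styles above behave, here is an added example (not Helix Server, OpenLDAP or Active Directory code) that substitutes %user% into each filter, parses the result, and evaluates it against a small constructed in-memory directory. The group entry, the user entries, the base DNs and the helper names (escape_filter_value, render_filter, parse_filter, authorized) are all assumptions made for this illustration; only the equality match and the &, | and ! operators used on this page are supported, and scope is modelled as "subtree" only.

```python
"""Evaluate LDAP group-authorization filters against a constructed directory.

Added example, not Helix Server or LDAP server code. Each directory entry is a dict
of lowercase attribute names to lists of string values plus a "dn" key.
"""
from typing import Dict, List, Tuple, Any

# Constructed sample directory: one posixGroup and two Active Directory-style users.
DIRECTORY: List[Dict[str, Any]] = [
    {"dn": "cn=perforce,ou=groups,dc=example,dc=com",
     "objectclass": ["posixGroup"], "cn": ["perforce"], "memberuid": ["alice", "bob"]},
    {"dn": "cn=alice,ou=users,dc=example,dc=com",
     "objectclass": ["user"], "samaccountname": ["alice"],
     "memberof": ["cn=perforce,ou=groups,dc=example,dc=com"]},
    {"dn": "cn=carol,ou=users,dc=example,dc=com",
     "objectclass": ["user"], "samaccountname": ["carol"],
     "memberof": ["cn=staff,ou=groups,dc=example,dc=com"]},
]

# The two filter templates from the page (OpenLDAP posixGroup style and AD memberOf style).
POSIX_FILTER = "(&(objectClass=posixGroup) (cn=perforce) (memberUid=%user%))"
AD_FILTER = ("(&(objectClass=user) (sAMAccountName=%user%) "
             "(memberOf=cn=perforce,ou=groups,dc=example,dc=com))")

# RFC 4515 escaping for a value inserted into a filter, so it is matched literally.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, user: str) -> str:
    """Substitute %user% with the escaped user name."""
    return template.replace("%user%", escape_filter_value(user))


def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the literal characters they stand for."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str) -> Tuple:
    """Parse (&(a=b) (c=d)) into a tree: ("=", attr, value) or (op, [children])."""
    text = text.strip()

    def parse(i: int) -> Tuple[Tuple, int]:
        assert text[i] == "(", "filter component must start with '('"
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while True:
                while text[i] == " ":      # tolerate the spaces used in the page's examples
                    i += 1
                if text[i] == ")":
                    return (op, children), i + 1
                child, i = parse(i)
                children.append(child)
        end = text.index(")", i)
        attr, _, val = text[i:end].partition("=")
        return ("=", attr.strip(), _unescape(val)), end + 1

    tree, _ = parse(0)
    return tree


def matches(tree: Tuple, entry: Dict[str, Any]) -> bool:
    """Evaluate a parsed filter; attribute names and values compare case-insensitively."""
    op = tree[0]
    if op == "=":
        _, attr, val = tree
        return any(v.lower() == val.lower() for v in entry.get(attr.lower(), []))
    children = tree[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)     # "!"


def in_subtree(dn: str, base_dn: str) -> bool:
    """Subtree scope: the entry is the base or lies beneath it (spaces after commas ignored)."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base_dn)
    return d == b or d.endswith("," + b)


def authorized(user: str, base_dn: str, template: str, directory=DIRECTORY) -> bool:
    """True if the group search, rendered for `user`, returns at least one entry."""
    tree = parse_filter(render_filter(template, user))
    return any(in_subtree(e["dn"], base_dn) and matches(tree, e) for e in directory)


if __name__ == "__main__":
    for name in ("alice", "carol"):
        print(name, "posixGroup:", authorized(name, "ou=groups, dc=example, dc=com", POSIX_FILTER),
              "memberOf:", authorized(name, "ou=users, dc=example, dc=com", AD_FILTER))
```

Note that the base DN must point at where the matched object lives: the posixGroup filter is evaluated against the group entry under ou=groups, while the memberOf filter is evaluated against the user entry under ou=users, so swapping the two base DNs makes both checks fail even for a member.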