Prevent authentication if user does not reference a valid group profile


Shin Sterneck

Jun 12, 2016, 2:49:47 AM
to Event-Driven Servers
Hello!

When using MAVIS/AD as the user authentication backend, all AD groups are returned properly; however, when no matching group profile is found in the configuration, the authentication still seems to go through with just the user profile. Is there a way to prevent or reject the authentication if none of the MAVIS-returned groups has a corresponding group profile configured? In other words, is there a way to make group membership mandatory?

I was able to handle this using mavis out script actions to verify the $TACMEMBER variable against a static list of valid groups, but I am still wondering whether there is a better way.

Best Regards,
Shin

Marc Huber

Jun 12, 2016, 5:07:07 AM
to event-driv...@googlegroups.com
Hi Shin,

On 12.06.16 00:26, Shin Sterneck wrote:
> I was able to handle this using mavis out script actions to verify the
> $TACMEMBER variable against a static list of valid groups, but I am
> still wondering whether there is a better way.
that's actually the correct way to solve this, and most likely the only
one (authentication doesn't really care about groups, authorization does).

Cheers,

Marc

Shin Sterneck

Jun 12, 2016, 1:26:31 PM
to Event-Driven Servers
Hi Marc,

Understood, and thanks for your quick response!

Regards,
Shin

Jay

Jul 15, 2016, 12:57:36 PM
to Event-Driven Servers
Hi Shin,

Can you share your configuration? I am facing the same issue. I have defined the AD groups, but all users are still able to log in on the NAS even though they are not members of that group in AD.

Best Regards,
Jay

Shin Sterneck

Jul 27, 2016, 3:52:06 AM
to Event-Driven Servers
Hi Jay,

I use a regular expression to limit the valid groups. It looks like this:

# The (^|,) and (,|$) anchors wrap the whole alternation, so a group name can only match as a complete, quoted list item, never as a bare substring
script out = { if ( $TACMEMBER !~ /(^|,)"(Group1|Group2|Group3)"(,|$)/ ) set $RESULT = NAK }

I should mention that this list is generated automatically through my own admin interface, but you can do this manually as well.

Best Regards,
Shin

Jay

Aug 10, 2016, 5:29:16 AM
to Event-Driven Servers
Hi Shin,

Sorry for late reply. I was on vacation.

Thank you so much for sharing this code. I have checked it now and it works like a charm.

Can you also tell me how you auto-generate the list?

Best Regards,
Jay

Shin Sterneck

Aug 11, 2016, 4:59:14 AM
to Event-Driven Servers
Hi Jay,

Glad to hear that it worked for you.

The auto-generation is done separately as part of a web admin interface I developed. Let me know if you are interested in previewing it (I will also open-source it soon).

Best Regards,
Shin