Prevent Access to Google Mini via AD Group Membership


Matt Hanson

Jan 13, 2012, 3:59:30 PM
to Google-Search-...@googlegroups.com
We have had our Google Mini setup and running now for some time without too much issue. At the moment, all of our domain users are able to use and access the Google Mini, but a need has come up lately to restrict access to a specific Active Directory group (e.g. "NoGoogleMiniAccess"). I'd like to disallow members of this group by modifying the LDAP settings, although I'm stumped and can't seem to figure out what the filters should be set to.
 
Currently our LDAP filters are as follows:
 
User Search Filter: (&(objectClass=user)(objectClass=person)(sAMAccountName=%s))
Group Search Filter: (member=%s)
 
Any help would be greatly appreciated.

Dave Watts

Jan 13, 2012, 7:24:53 PM
to google-search-...@googlegroups.com

My first recommendation would be to install a free LDAP query tool
like JXplorer to help you test queries.

My guess for your user search filter would be this:

(&(objectClass=user)(objectClass=person)(sAMAccountName=%s)(!memberof=CN=NoGoogleMiniAccess,OU=WhateverOUContainsThatGroup,DC=YourDomain,DC=com))

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
http://training.figleaf.com/

Fig Leaf Software is a Veteran-Owned Small Business (VOSB) on
GSA Schedule, and provides the highest caliber vendor-authorized
instruction at our training centers, online, or onsite.

Matt Hanson

Feb 8, 2012, 6:38:21 PM
to Google Search Appliance/Google Mini - Google Search Appliance/Google Mini
Thanks for the reply Dave. The query that you presented is indeed what
I was trying, but no luck (all users then seem to fail
authentication when I try the LDAP Authentication Test). I feel like
I'm just spinning my tires here.


Matt Hanson

Feb 9, 2012, 11:38:51 AM
to Google Search Appliance/Google Mini - Google Search Appliance/Google Mini
This here seems to work! (Soooo very close to what Dave had written):

(&(objectClass=user)(objectClass=person)(sAMAccountName=%s)(!(memberOf=CN=NoGoogleMiniAccess,OU=WhateverOUContainsThatGroup,DC=YourDomain,DC=com)))


Dave Watts

Feb 9, 2012, 11:51:09 AM
to google-search-...@googlegroups.com
> This here seems to work! (Soooo very close to what Dave had written):
>
> (&(objectClass=user)(objectClass=person)(sAMAccountName=%s)(!(memberOf=CN=NoGoogleMiniAccess,OU=WhateverOUContainsThatGroup,DC=YourDomain,DC=com)))

Just one set of parentheses can make all the difference! I'm glad you
figured it out.
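
The difference between the two filters in this thread, as an added example that is not part of any poster's message: in the RFC 4515 filter grammar the `!` operator must be followed by a complete parenthesized filter, so `(!memberof=...)` is malformed while `(!(memberOf=...))` is valid. The function names are illustrative assumptions, and the check is structural only; it does not query a directory.

```python
# Added example: structural check of LDAP search filters against the RFC 4515
# grammar. Names are illustrative; nothing here talks to a directory server.

GROUP_DN = "CN=NoGoogleMiniAccess,OU=WhateverOUContainsThatGroup,DC=YourDomain,DC=com"
BASE = "(objectClass=user)(objectClass=person)(sAMAccountName=%s)"
FIRST_GUESS = f"(&{BASE}(!memberof={GROUP_DN}))"    # failed in the thread
WORKING = f"(&{BASE}(!(memberOf={GROUP_DN})))"      # worked in the thread


def parse_filter(s, i=0):
    """Parse one parenthesized filter at s[i]; return the index just past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":
        # AND / OR take one or more complete sub-filters.
        i += 1
        if i >= len(s) or s[i] != "(":
            raise ValueError(f"operator needs a sub-filter at offset {i}")
        while i < len(s) and s[i] == "(":
            i = parse_filter(s, i)
    elif i < len(s) and s[i] == "!":
        # NOT takes exactly one complete sub-filter, parentheses included.
        i = parse_filter(s, i + 1)
    else:
        # Simple item "attr=value"; literal parentheses in values must be
        # escaped as \28 and \29, so the next ')' always closes the item.
        end = s.find(")", i)
        item = s[i:end] if end != -1 else s[i:]
        if "=" not in item or item.startswith("=") or "(" in item:
            raise ValueError(f"malformed item {item!r} at offset {i}")
        i = i + len(item)
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def check(s):
    """Return None if s is one well-formed filter, else the parse error text."""
    try:
        end = parse_filter(s)
    except ValueError as exc:
        return str(exc)
    return None if end == len(s) else f"trailing text at offset {end}"


if __name__ == "__main__":
    for name, flt in (("first guess", FIRST_GUESS), ("working", WORKING)):
        print(f"{name}: {check(flt) or 'well-formed'}")
```

When relying on this filter for access control, note that the Active Directory `memberOf` attribute lists only direct group memberships, so users who belong to the group through a nested group or as their primary group are not excluded by it.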
