Passing a hostname in LDAPS connection

[guidance]

I have a user that has the userWorkstations workstations LDAP attribute set that only allows people to log in from specific computers. This causes an issue with PWM because it doesn't appear to send a hostname to the LDAPS server, and therefore the LDAP authentication request is denied. Is there some way I can define a hostname to pass along to the LDAPS server? Thanks!

[Jason Rivard]

Some googling on my part suggests you are referring to an Active Directory feature that uses an AD attribute "userWorkstations" to restrict authentication to certain hosts.  This is an AD specific feature and not part of the standard LDAP protocol.  It looks like it uses the source of the LDAP tcp connection to enforce LDAP bind attempts.  Since PWM is authenticating on the user's behalf, this won't work.  There is not a standard or - more importantly - secure way to pass this information to PWM during PWM's ldap authentication using user credentials using LDAP.

If I've interpreted this wrong or you can find some info on how this is implemented in LDAP I'd be curious to see it.

[Joel]

Yes, you are correct about it being an AD attribute. I was not precise in my wording when I said it was an LDAP attribute.

I also did some further googling on this and found that the userWorkstations attribute is deprecated in favor of the “Deny Log on locally” Group Policy setting (https://learn.microsoft.com/en-us/windows/win32/adschema/a-userworkstations) I have shifted gears and am trying to use the GP setting instead. That would allow me to limit what computers these users can log onto while also allowing PWM to work. Thanks for your help!