restricting Active Directory Users and Groups


Nick Stephens

Jul 14, 2014, 4:55:21 PM
to ratt...@googlegroups.com
Hi all,

I have gotten my ratticdb installation to authenticate against Active Directory properly, but I am having some difficulty in limiting the users who are allowed to authenticate.  I have created a security group in AD entitled "ratticdb" and added the users who should be allowed to auth against ratticdb; however, this is not working (in that it allows any user with verifiable credentials in).

my local.cfg is as follows (edited for privacy):

[ldap]
# LDAP server details
uri = ldaps://adserver.example.com
binddn = ld...@example.local
bindpw = password
userbase = CN=ratticdb,DC=example,DC=local  ## limit login to users within ratticdb security group
userfilter = (sAMAccountName=%(user)s)
groupbase = OU=rattic,DC=example,DC=local  ## only display groups from within the rattic OU
groupfilter = (objectClass=group)
grouptype = ActiveDirectoryGroupType
staff = CN=Domain Admins,CN=Users,DC=example,DC=local ## give domain admins staff privileges 
requirecert = True


In this scenario, my test user which is NOT a member of 'ratticdb' can login successfully to rattic.  Should I be able to limit logins in this fashion (as I typically can with other LDAP based auth), or am I approaching it incorrectly?


Secondarily, when a user logs in the Groups listing shows every group that the user is a member of.  Instead of taking that approach (which can include a LOT of random groups/email lists), I had hoped to create a new OU entitled "rattic", and then create a few security groups under there such as "rattic-dev", "rattic-sysadmin", etc.  Hopefully you can glean what I am trying to do based on my local.cfg above, but again, it is not working as I had thought it might.

Any insight would be helpful!

Thanks,
Nick

Daniel Hall

Jul 18, 2014, 11:03:36 PM
to Nick Stephens, ratt...@googlegroups.com
Hi Nick,
 
RatticDB will allow any user it can find to authenticate and access the passwords in the groups they are in. To hide users from RatticDB you need to change the users so that only the ones you want can be found under userbase, or configure the userfilter to only match the users you want.
 
The way I would approach this (and I should mention I'm not an AD expert) is to keep all your users under the same hierarchy they already are in, but to limit logins to a particular group. This userfilter, for example, limits the search to users who are a member of your group. Note that RatticDB requires this to all be on one line, but to make it easier to understand I split it here.
 
(&
    (objectCategory=user)
    (memberOf=cn=MyCustomGroup,ou=ouOfGroup,dc=subdomain,dc=domain,dc=com)
)
 
You are right about setting the base to limit the groups, so I'm not sure what is happening there (unless you forgot to restart Apache to apply the config). Maybe AD isn't presenting groups under the other groups in a proper LDAP tree but is instead treating them like subgroups (members containing members). However, if you are naming all the rattic-relevant groups in a standard way you could use that in the filter too. For example, to match the ones you listed I would do the following.
 
(&
    (objectClass=group)
    (cn=rattic-*)
)
 
To test these you can use the ldapsearch tool on Linux described in the link below:
 
Also here you'll find two very good guides to LDAP search filters, one by Microsoft and another by the CentOS project:
 
Hopefully that helps. I'm happy to answer any further questions you have.
 
--
Daniel Hall
 
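An added example, not RatticDB's code or Daniel's: a small Python evaluator for RFC 4515 search filters, run over a constructed AD-style directory, so a userfilter or groupfilter can be checked offline before it goes into local.cfg. It assumes the membership group is cn=ratticdb,ou=rattic,dc=example,dc=local, shows that the memberOf userfilter admits only members of that group and that (cn=rattic-*) keeps only groups following the naming convention, and escapes the %(user)s value so a login name such as * cannot widen the filter.

```python
"""Added example (not RatticDB's code): offline evaluator for the LDAP filters in this
thread, run over a constructed AD-style directory (objectCategory simplified to "user")."""
import re
RATTIC = "cn=ratticdb,ou=rattic,dc=example,dc=local"
STAFF = "cn=All Staff,cn=Users,dc=example,dc=local"
ENTRIES = {  # constructed: DN -> attributes
    "cn=alice,cn=Users,dc=example,dc=local": {"objectCategory": ["user"],
        "sAMAccountName": ["alice"], "memberOf": [RATTIC, STAFF]},
    "cn=bob,cn=Users,dc=example,dc=local": {"objectCategory": ["user"],
        "sAMAccountName": ["bob"], "memberOf": [STAFF]},
    RATTIC: {"objectClass": ["group"], "cn": ["ratticdb"]},
    "cn=rattic-dev,ou=rattic,dc=example,dc=local": {"objectClass": ["group"], "cn": ["rattic-dev"]},
}
USERFILTER = """(&
    (objectCategory=user)
    (sAMAccountName=%(user)s)
    (memberOf=cn=ratticdb,ou=rattic,dc=example,dc=local)
)"""
GROUPFILTER = "(&(objectClass=group)(cn=rattic-*))"

def escape(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' in the login name then match literally."""
    return re.sub(r"[\\*()\0]", lambda m: "\\%02x" % ord(m.group()), value)

def one_line(filt):  # collapse a multi-line filter into the single line RatticDB expects
    return "".join(line.strip() for line in filt.splitlines())

def _parse(s, i=0):
    """Parse the filter at s[i] (an '('); return (node, index after its ')')."""
    if s[i + 1] in "&|":                        # compound filter: (&(...)(...))
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                       # simple attr=value; '*' is a wildcard
    attr, pattern = s[i + 1:end].split("=", 1)
    return ("=", attr, pattern), end + 1

def _match(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(k, attrs) for k in node[1])
    parts = re.split(r"(\*|\\[0-9a-fA-F]{2})", node[2])     # expand '*', unescape \xx
    rx = "".join(".*" if p == "*" else re.escape(chr(int(p[1:], 16)) if p[:1] == "\\" else p)
                 for p in parts) + r"\Z"
    values = next((v for k, v in attrs.items() if k.lower() == node[1].lower()), [])
    return any(re.match(rx, v, re.IGNORECASE) for v in values)

def search(filt, user=""):
    """DNs matching filt after %(user)s is substituted with the escaped user."""
    node, _ = _parse(one_line(filt % {"user": escape(user)}))
    return sorted(dn for dn, a in ENTRIES.items() if _match(node, a))
```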

Nick Stephens

Jul 22, 2014, 8:27:46 PM
to ratt...@googlegroups.com, nickst...@gmail.com
Thanks Daniel, that was a big help.  I was able to get the group filtering to work as suggested with virtually no problems; now I have a nice, short list of applicable groups!  However, I am struggling a bit with the user-filtering aspect.

I am trying different variations on the user filter string, but so far I have not found one that works.  Interestingly, all the error messages that normally appear in the Apache vhost error log stop when I use a string it doesn't like.

I will report back once I have figured it out or run out of options.

Nick

Nick Stephens

Jul 24, 2014, 7:59:46 PM
to ratt...@googlegroups.com
Well, I've done a lot of googling myself and tried many different variations, with no luck on limiting user logins to a specified security group.  What's particularly odd is that when I apply the userfilter with a memberOf argument, the application refuses me in the browser but does not write an error to the Apache log.  However, if I do something bold like adjusting the userbase, then it will begin reporting problems again.

I have verified the syntax of the memberOf filtering repeatedly to ensure I am doing it as suggested, and even cross-referenced it with other guides online, to no avail.  I have even used ADSI on the server to verify my naming.  Unfortunately I just can't seem to get that working, and when I try, the logging stops.

Finally, if I just leave the userfilter as the normal sAMAccountName=%(user)s then it does allow me (and everyone else) to log in properly.

Daniel Hall

Jul 24, 2014, 8:57:26 PM
to Nick Stephens, ratt...@googlegroups.com
Hey Nick,
 
Try adding 'loglevel=INFO' or 'loglevel=DEBUG' in the LDAP section of the config file. That should give you tonnes of logs.
 
--
Daniel Hall
 

Ugandhar Nrs

Sep 24, 2016, 5:05:27 AM
to RatticDB
Hi,

We have configured the details below in the RatticDB config file, but LDAP is not working; please help with this.

# LDAP Settings
uri = ldap://ip:389
binddn = 
bindpw = 
userbase = ou=Users,dc=Domain,dc=com
userfilter = (&(sAMAccountName=%(user)s)(memberOf:1.2.840.113556.1.4.1941:=cn=Staff,ou=Groups,dc=domain,dc=com))
groupbase = ou=Users,dc=domain,dc=com
groupfilter = (objectClass=groupOfNames)
grouptype = ActiveDirectoryGroupType
staff = cn=Staff,ou=Users,dc=domain,dc=com
requirecert = False
loglevel=DEBUG

In AD it is configured as Domain.com -> users (OU) -> Staff (group).


Regards,
Ugandhar