LDAP Group filter


OE_RKU

Oct 11, 2013, 6:27:07 AM10/11/13
to simple...@googlegroups.com
Hey,

I set up filesender, which comes with simplesamlphp. For authentication I use LDAP (Active Directory), which also works fine as long as I only "filter" (search.base) for OUs.
However, I would like to put all users who are eligible to use filesender into a group in my AD and give only them access to filesender.

I found ldap:AttributeAddUsersGroups, which seems to help me solve my problem. As far as I understood, it puts all groups the user is a member of into a variable. This variable can be used by authorize:Authorize to filter for one exact group (actually the DN of the group). Did I get this right?

So I went to config/config.php (do I even have to put it in there, or in authsources.php?) and put in this code:

    'authproc.idp' => array(
        10 => array(
            'class' => 'ldap:AttributeAddUsersGroups',
            'authsource' => 'default-sp',
            'attribute.groups' => 'groups',
            'ldap.basedn' => 'ou=_groups,dc=AD,dc=cool,dc=my',
            'ldap.debug' => TRUE,
            'ldap.enable_tls' => TRUE,
            'ldap.product' => 'ActiveDirectory',
            'ldap.timeout' => 30,
            'attribute.dn' => 'distinguishedName',
            'attribute.groups' => 'groups', // Also noted above
            'attribute.member' => 'member',
            'attribute.memberof' => 'memberOf',
            'attribute.groupname' => 'name',
            'attribute.type' => 'objectClass',
            'attribute.username' => 'sAMAccountName',
            'type.group' => 'group',
            'type.user' => 'user',
        ),

        20 => array(
            'class' => 'authorize:Authorize',
            'regex' => FALSE,
            'memberof' => array(
                'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
                'CN=All Teachers,OU=Staff,DC=example,DC=edu',
            ),
        ),
    ),

(I changed the DN for posting here.)
I also tried it with authproc.sp.

When I log in now, it still works, but it also still works with a user who isn't in this group.

I enabled each of them individually, but no change:

    'enable.saml20-idp'    => true,
    'enable.shib13-idp'    => false,
    'enable.adfs-idp'      => false,
    'enable.wsfed-sp'      => false,
    'enable.authmemcookie' => false,

I am pretty new to this, as you can see, and probably don't get the point. I don't know where to put this configuration or where to enable it.
Could you please push me in the right direction?

Thank you
Ryan
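An added example, not from the original post and not simplesamlphp's own code: a compact PHP model of how authorize:Authorize decides allow/deny with 'regex' => FALSE. Every key in the filter array other than its own options names a user attribute, and the user is allowed only if one of that attribute's values equals one of the configured values. The function name authorizeAllows and the sample attribute sets below are constructed for illustration; they show why the key in the Authorize block has to be the exact name of the attribute the preceding ldap:AttributeAddUsersGroups filter writes ('groups' in the configuration above).

```php
<?php
// Added example: models the matching rule of authorize:Authorize.
// This is NOT the module's source; it mirrors the documented behaviour
// so the effect of the attribute name used as a key can be seen.

/**
 * Return TRUE if $attributes satisfy the Authorize-style $config.
 * $config mirrors the authproc filter array (without 'class').
 * $attributes is the attribute map produced by the preceding filters,
 * i.e. attribute name => list of string values.
 */
function authorizeAllows(array $config, array $attributes): bool
{
    $useRegex = !empty($config['regex']);

    foreach ($config as $attrName => $allowedValues) {
        // Filter options are not attribute names.
        if ($attrName === 'regex' || $attrName === 'class') {
            continue;
        }
        // Array keys are case-sensitive: 'memberof' does not find 'memberOf'.
        if (!isset($attributes[$attrName])) {
            continue; // attribute absent, so this rule can never match
        }
        foreach ((array) $allowedValues as $wanted) {
            foreach ($attributes[$attrName] as $actual) {
                $hit = $useRegex
                    ? preg_match($wanted, $actual) === 1
                    : $wanted === $actual; // exact DN comparison
                if ($hit) {
                    return true;
                }
            }
        }
    }
    return false; // no configured attribute/value pair matched: deny
}

// Constructed sample: what a user's attributes look like after
// ldap:AttributeAddUsersGroups has written group DNs into 'groups'.
$student = [
    'sAMAccountName' => ['rdoe'],
    'groups' => [
        'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
        'CN=Domain Users,CN=Users,DC=example,DC=edu',
    ],
];
$outsider = [
    'sAMAccountName' => ['jsmith'],
    'groups' => ['CN=Domain Users,CN=Users,DC=example,DC=edu'],
];

// Rule keyed on the attribute the previous filter actually produces.
$ruleOnGroups = [
    'regex' => false,
    'groups' => [
        'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
        'CN=All Teachers,OU=Staff,DC=example,DC=edu',
    ],
];

// Rule keyed on 'memberof' as in the post: neither user carries an
// attribute of exactly that name here, so it can never grant access.
$ruleOnMemberof = ['regex' => false, 'memberof' => $ruleOnGroups['groups']];

printf("student  / groups   : %s\n", authorizeAllows($ruleOnGroups, $student) ? 'allow' : 'deny');
printf("outsider / groups   : %s\n", authorizeAllows($ruleOnGroups, $outsider) ? 'allow' : 'deny');
printf("student  / memberof : %s\n", authorizeAllows($ruleOnMemberof, $student) ? 'allow' : 'deny');
```

Run it with `php authorize_model.php` (any file name works). The point to take from it is the third line: a key that does not match an attribute name present in the session never grants access, so the attribute produced by the groups filter and the key in the Authorize block have to agree exactly, including case.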




