Lock down user search pattern - LDAP query


#1

I am trying to lock down access by only allowing authentication for 2 AD groups. If the user account is NOT in either, then they will be denied access. The 2 groups basically allow either Admin or Read, but I don’t want just anyone being able to log in as a Reader either.

I found this for a custom search pattern that seemed to work for the user:

(&(objectClass=user)(sAMAccountName={0})(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))

But I can’t seem to get it to test out properly at the end.

Has anyone attempted to have it check for “group membership” to lock it down?

Thanks


(Robert Smith) #2

So if I understand your query, you only want users that are members of either Reader or Admin? If a user is a member of only Reader, do not allow login, but if they are a member of Admin only, that is allowed?

What is the result when you use that query? Is it pulling in no users or too many?


#3

Basically the initial query pulls the SamAccountName and allows login to the site if they are part of either group. EVERYONE else gets denied.

Then I have the LDAP group permissions added so that IF they are part of GraylogReaders they are automatically added to just Readers permissions. IF they are members of GraylogAdmins, they get automatically added to Admin permissions.

Right now I have it working with one group, the Admins. And by default everyone is a Reader anyways, so I just change it to Admin if I need to.

I was just trying to completely get rid of anything manual.

Just seems like my syntax is incorrect when adding a 2nd group to check against.
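As an added example (not code from the thread or from Graylog), here is a small Python evaluator for the search pattern posted in #1, run offline against a constructed directory so the two-group membership logic can be checked without a live AD; the DIRECTORY entries, the escape_value helper and the lookup function are all assumptions made for this illustration.

```python
import re

# Constructed sample directory (not from the thread): attribute name -> values, names lowercased.
DIRECTORY = [
    {"objectclass": ["top", "user"], "samaccountname": ["alice"],
     "memberof": ["CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain"]},
    {"objectclass": ["top", "user"], "samaccountname": ["bob"],
     "memberof": ["CN=Staff,OU=Groups,DC=yourdomain,DC=yourdomain",
                  "CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain"]},
    {"objectclass": ["top", "user"], "samaccountname": ["carol"],
     "memberof": ["CN=Staff,OU=Groups,DC=yourdomain,DC=yourdomain"]},
]

# The search pattern from the thread; Graylog substitutes the login name for {0}.
PATTERN = ("(&(objectClass=user)(sAMAccountName={0})"
           "(|(memberof=CN=Graylog-Reader,OU=Groups,DC=yourdomain,DC=yourdomain)"
           "(memberof=CN=Graylog-Admin,OU=Groups,DC=yourdomain,DC=yourdomain)))")

def escape_value(s):
    """RFC 4515 escaping (assumed helper) so a login name cannot change the filter structure."""
    return re.sub(r'[\\*()\x00]', lambda m: "\\%02x" % ord(m.group()), s)

def parse(s, i=0):
    """Recursive-descent parser for the subset used above: &, |, ! and attr=value items."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)                 # values are escaped, so ')' always ends the item
    attr, value = s[i:end].split("=", 1)  # split on the first '=' only: DN values contain '='
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry; these AD attributes match case-insensitively."""
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def lookup(login):
    """Entries matching the pattern for a login: exactly one when that user may log in, else none."""
    tree, _ = parse(PATTERN.replace("{0}", escape_value(login)))
    return [e for e in DIRECTORY if matches(tree, e)]
```

Note that memberof only reflects direct membership, so a user who is in Graylog-Reader or Graylog-Admin only through a nested group will not match this pattern.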