I am trying to integrate LDAP Active Directory with Keycloak. I have been able to synchronize LDAP users using Custom User LDAP Filter that filters by LDAP attributes - (theAttribute=theValue). Is there a way/syntax to filter by groups? For example, say I have Active Directory group "My Group" and I want to synchronize to Keycloak only users in that group. What would be the search Custom User LDAP Filter?
How about memberOf? For example:
(&(objectCategory=Person)(sAMAccountName=*)(theAttribute=theValue)(memberOf=cn=My Group,dc=example,dc=com))
Please refer to RFC2254 "The String Representation of LDAP Search Filters" more details:
Related
I'm using Flowable 6.7.2 OpenSource and I want to integrate it with AD using LDAP. I've changed several properties in flowable-default.propierties (flowable.idm.ldap.*) and I can login with the AD user to the flowable-ui module actually but he can't see any modules within it.
I have setup a group for Admin users in AD.
How can set admin role for a certain AD user or group
RE: https://jfrog.com/knowledge-base/when-do-the-groups-associated-with-an-ldap-user-get-updated-in-artifactory/
The Knowledge Base article above says:
"LDAP user authentication requests using Encrypted password or plain text password will update the LDAP group association changes from the LDAP server."
We've added a user to a group, but that user still can't see the artifacts governed by that group even after he has logged in. How can we cause Artifactory to update its group membership cache?
Please ask the user to logout and log back in after being added to the groups. Artifactory will try to reach to the LDAP server for validating the creds and then get the groups associated with the user which is returned from the LDAP server.
There is a chance that LDAP cache as mentioned in here https://www.jfrog.com/confluence/display/JFROG/LDAP#LDAP-Non-UIAuthenticationCache might take effect the groups to be associated if the user session is not hitting the LDAP server.
I currently try to configure Discourse to only allow users in a specific ldap group to log in. Discourse has a plugin called discourse-ldap auth ( https://github.com/jonmbake/discourse-ldap-auth ). This plugin uses the omniauth ldap module: https://github.com/omniauth/omniauth-ldap
My discourse plugin configuration (the configuration is actually used by the discourse plugin for the omniauth ldap module):
ldap enabled: true
ldap hostname: the hostname of my ldap server
ldap port: 389
ldap method: plain
ldap base: the base of my ldap server
ldap uid: userPrincipalName
ldap bind dn: Nothing
ldap password: Nothing
ldap filter: (&(userPrincipalName=%{username})(memberOf=cn=[the name of the required group],ou=....,[base]))
When using this configuration, nobody can log in to the forum. When I use the bind dn and password, everybody can log in.
I also tried this filter without success (copied from my ldap servers filter):
(&(&(&(userPrincipalName=%{username})(memberOf=[dn of the group]))))
What do I have to configure, to only allow users in that specific group to log in?
I didn't found any errors or indicators in the log. Please help!
Thanks fou your help and attention!
You do need the "ldap dn" and "ldap password". Those are the credentials used to authenticate to LDAP so you can lookup people's accounts. Usually, that is a service account only used by your application.
The filter should probably look something like this:
(&(sAMAccountName=%{username})(memberOf:1.2.840.113556.1.4.1941:=[dn of the group]))
Users will usually log in with the sAMAccountName, which is usually called just the "username". Whenever you see an account in the DOMAIN\username format, that username is the sAMAccountName.
The userPrincipalName is usually in the format of username#domain.com. It is sometimes the same as the email address, but it doesn't have to be.
The crazy number I put in that query tells Active Directory to search recursively through groups. So that would allow you to put groups into your authentication group, and members of that new group would be given access to your application too. Without that, only direct members of that group will have access.
I used liferay 5.2 and I can integrate ldap correctly with liferay and I activated ldap in login.
and I arrived to import only users from ldap wich exists in my groups using this configuration :
my problem now is when I try to login in liferay
it checks user if exist or not in all locations in ldap
I want in login state to check user if exist or not only in my specifics group which is exist in my configuration.
meaning in login state check user only in :
testGroup1 and testGroup2 and not in all locations in ldap
I am now trying to configure for the LDAP authentication in /admin/auth_config.php?auth=ldap.
I would like to know what the Bind settings does? Is it necessary to fill in the DN and Password under Bind settings for LDAP to work?
And I have encountered an error code auth_ldap_noconnect when trying to sync the users through LDAP from the cron script. What could be the causes for this error?
The Bind settings are necessary - without them Moodle can't connect to your LDAP server. They determine how Moodle will access the LDAP server.
CN = your Common Name
OU = your Organizational Unit
DC = your Domain Component
Those are all part of the LDAP data Interchange Format (LDIF) and they determine how the LDAP tree is filtered. See http://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format.
So in Moodle you probably need a Distinguished name like:
cn=YourServiceAccountName,ou=YourSchool,ou=Service Accounts,DC=yourdc,DC=co,DC=uk
And you'll probably also have to list the Contexts where your students are found:
ou=yourschool,DC=yourdc,DC=co,DC=uk;
User attribute might = samaccountname (for MS Active Directory)