#416 LDAP Authentication Documentation ($ldap_filter)

open
nobody
LDAP (5)
1
2014-09-19
2013-11-18
Anonymous
No

A couple of things about the LDAP authentication that I believe need to be documented somewhere. I understand that documentation of how to write LDAP filters is outside the scope of this project, but I believe the first issue to be a security concern. And the second issue is a result of trying to fix the first.

First, if you follow the current documentation to authenticate against an Active Directory, disabled/suspended users will be able to log into MRBS. You need to modify the $ldap_filter configuration variable to include "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" to correctly filter disabled users.

Second, typically an ldap filter will be opened and closed with parentheses. These parens apparently are already taken into account elsewhere in the MRBS code, as you should NOT include them in the $ldap_filter configuration variable and supplying them causes MRBS to fail to authenticate against the AD (and probably other LDAP installations as well).

So, combining these two points, an example of a proper $ldap_filter variable would be:
$ldap_filter = "&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberof=cn=whatever,ou=whatever,dc=example,dc=com)";
(no spaces or line breaks between the sets of parentheses)
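To check the two points above without a live directory, here is an added example (not MRBS code, not from the ticket author) that evaluates the ticket's $ldap_filter against constructed AD-style entries. It assumes MRBS simply wraps the configured value in one pair of parentheses, and the group DN and entries are constructed for illustration.

```python
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # AD bitwise-AND matching rule OID
ACCOUNTDISABLE = 2                         # userAccountControl flag bit
GROUP = "cn=whatever,ou=whatever,dc=example,dc=com"
LDAP_FILTER = ("&(!(userAccountControl:%s:=%d))(memberof=%s)"
               % (BIT_AND_RULE, ACCOUNTDISABLE, GROUP))
ENTRIES = {  # constructed AD-style entries; attribute names lowercased
    "alice": {"useraccountcontrol": ["512"], "memberof": [GROUP]},  # enabled member
    "bob":   {"useraccountcontrol": ["514"], "memberof": [GROUP]},  # 512|2: disabled
    "carol": {"useraccountcontrol": ["512"], "memberof": []},       # not in the group
}
def parse(s, i=0):
    """Parse one '(...)' component at s[i]; handles &, |, !, attr=value, attr:oid:=value."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")" or (op == "!" and len(kids) != 1):
            raise ValueError("unbalanced parentheses or malformed NOT")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0 or "=" not in s[i:j]:
        raise ValueError("malformed assertion")
    attr, value = s[i:j].split("=", 1)
    rule = attr.split(":")[1] if attr.endswith(":") else None  # extensible match
    attr = attr.split(":")[0]
    return ("=", attr.lower(), rule, value), j + 1
def matches(node, entry):
    op = node[0]
    if op == "&": return all(matches(k, entry) for k in node[1])
    if op == "|": return any(matches(k, entry) for k in node[1])
    if op == "!": return not matches(node[1][0], entry)
    _, attr, rule, value = node
    if rule == BIT_AND_RULE:  # true when every bit of value is set in the attribute
        return any(int(v) & int(value) == int(value) for v in entry.get(attr, []))
    return any(v.lower() == value.lower() for v in entry.get(attr, []))
def allowed(username, ldap_filter=LDAP_FILTER):
    # Assumed MRBS behaviour: the configured value gets one outer pair of parens.
    node, end = parse("(" + ldap_filter + ")")
    if end != len(ldap_filter) + 2:
        raise ValueError("trailing data: did the value already have outer parens?")
    return matches(node, ENTRIES[username])
def filter_is_valid(ldap_filter):
    try:
        allowed("alice", ldap_filter)
        return True
    except ValueError:
        return False
```

Calling allowed("bob", "memberof=" + GROUP) returns True, which is the disabled-user problem from the first point; with LDAP_FILTER it returns False, and filter_is_valid("(" + LDAP_FILTER + ")") returns False, reproducing the second point.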

Discussion

  • John Beranek

    John Beranek - 2013-11-18

    Surely you can't authenticate against AD if your account is disabled though...?

     
  • Anonymous

    Anonymous - 2014-05-07

    Can I get the AD installation docs...
