authad filter users by groups (memberOf or sth.)
rnck #1
Member since Jun 2015 · 1 post
Group memberships: Members
Hi,

I have a fresh DokuWiki farm installed with farmer plugin and everything works just fine. Now I want to use authad in an animal, which generally works, too. Here's my config

$conf['superuser']                               = '@sec-gr-wiki-farm-admin';

$conf['plugin']['authad']['account_suffix']      = '@domain.dir';
$conf['plugin']['authad']['debug']               = 1;
$conf['plugin']['authad']['recursive_groups']    = 1;
$conf['plugin']['authad']['real_primarygroup']   = 1;
$conf['plugin']['authad']['base_dn']             = 'OU=User,OU=Company,DC=domain,DC=dir';
$conf['plugin']['authad']['domain_controllers']  = 'domain.dir';
$conf['plugin']['authad']['admin_username']      = 'ad-admin';
$conf['plugin']['authad']['admin_password']      = 'ad-pass';
$conf['plugin']['authad']['additional']          = 'mail';
$conf['plugin']['authad']['use_ssl']             = 0;
$conf['plugin']['authad']['use_tls']             = 0;
$conf['plugin']['authad']['expirywarn']          = 0;
$conf['plugin']['authad']['update_name']         = 0;
$conf['plugin']['authad']['update_mail']         = 0;

Users should be managed through security groups within AD (for some reasons). So I want to limit the AD query to something like

$conf['plugin']['authad']['base_dn'] = '(&(memberof=CN=sec-gr-wiki-admin,OU=Security-Groups,OU=Groups,OU=Company,DC=domain,DC=dir)(OU=User,OU=Company,DC=domain,DC=dir))';

Right now, the animal admin user is able to see all AD user entries in the usermanager, which is a data privacy issue in my company.

I already searched the adLDAP documentation and other resources, but couldn't find a solution.

I think there should be a $config parameter like $conf['plugin']['authldap']['userfilter'] from the authldap plugin.

Has anybody had the same issue and can provide a solution?

A workaround could be to just disable the usermanager, since we don't need it with AD authentication, anyway?!
Darkentik #2
Member since Nov 2015 · 1 post
Group memberships: Members
Hey,
I'm using DokuWiki too and I'm searching around the same problem.
Are there any updates about filtering the LDAP query to search the AD on the domain controller only for a specific group?
I want to use one Group called "Intranet" for all Users who are allowed to access the Wiki.

best regards,
Darkentik
AlexGil #3
Member for 3 months · 1 post
Group memberships: Members
I had the same problem, I wanted to filter only by the enabled users and couldn't filter it any way.

I tried the authldap plugin but couldn't manage to retrieve the groups, so it was useless.

Finally I returned to authad and modified the code to insert the filter I needed.

I edited the file dokuwiki/lib/plugins/authad/adLDAP/classes/adLDAPUsers.php to insert my filter (!(userAccountControl:1.2.840.113556.1.4.803:=2))

In line 555:
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(cn=" . $search . "))";

I added:
$filter = "(&(objectClass=user)(samaccounttype=" . adLDAP::ADLDAP_NORMAL_ACCOUNT .")(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(cn=" . $search . "))";


It's a little bit tricky but it works and I can't waste more time with this...
This post was edited on 2019-07-17, 15:24 by AlexGil.
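The two filter changes discussed in this thread (post #1 wants to restrict the user search to members of one AD security group; post #3 adds a clause that drops disabled accounts) both amount to extra terms in the `(&...)` filter that adLDAPUsers.php assembles. The following Python is an added example written for this page, not code from DokuWiki or adLDAP: it rebuilds that base filter, adds the `memberOf` and `userAccountControl` clauses, escapes the search term per RFC 4515 (an unescaped `$search` interpolated into a filter is an LDAP injection vector), and applies the same predicates locally to a few constructed directory entries so the effect of each clause can be checked without a domain controller. The group DN, the sample accounts and their attribute values are made up; `805306368` is the `samAccountType` value adLDAP's `ADLDAP_NORMAL_ACCOUNT` constant stands for. The `nested` option goes beyond the thread: it uses AD's transitive-membership matching rule so that members of nested groups also match, which a plain `memberOf` comparison does not do.

```python
# Added example (not from the DokuWiki/adLDAP code base): builds the AD user
# filter that adLDAPUsers.php assembles, with the extra clauses from this
# thread, and checks the same predicates locally on constructed entries.

# samAccountType of a normal user account (adLDAP's ADLDAP_NORMAL_ACCOUNT).
ADLDAP_NORMAL_ACCOUNT = 805306368
# userAccountControl bit for a disabled account (ACCOUNTDISABLE).
UF_ACCOUNTDISABLE = 0x0002
# AD extensible matching rules: bitwise AND, and transitive (nested) membership.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def ldap_escape(value, keep_wildcard=False):
    """RFC 4515 escaping for a filter assertion value.

    A user-supplied ')' or '*' inside an unescaped search string changes the
    meaning of the whole filter. keep_wildcard=True leaves '*' alone so that
    prefix searches such as 'jo*' still work.
    """
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\5c")
        elif ch == "*" and not keep_wildcard:
            out.append("\\2a")
        elif ch == "(":
            out.append("\\28")
        elif ch == ")":
            out.append("\\29")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(search="*", group_dn=None, exclude_disabled=False, nested=False):
    """Return adLDAP's user-search filter plus the optional extra clauses.

    group_dn:         only members of this group (memberOf).
    nested:           use the IN_CHAIN rule so nested group membership counts.
    exclude_disabled: drop accounts whose ACCOUNTDISABLE bit is set.
    """
    clauses = [
        "(objectClass=user)",
        "(samaccounttype=%d)" % ADLDAP_NORMAL_ACCOUNT,
        "(objectCategory=person)",
    ]
    if exclude_disabled:
        clauses.append("(!(userAccountControl:%s:=%d))"
                       % (LDAP_MATCHING_RULE_BIT_AND, UF_ACCOUNTDISABLE))
    if group_dn:
        rule = ":%s:" % LDAP_MATCHING_RULE_IN_CHAIN if nested else ""
        clauses.append("(memberOf%s=%s)" % (rule, ldap_escape(group_dn)))
    clauses.append("(cn=%s)" % ldap_escape(search, keep_wildcard=True))
    return "(&" + "".join(clauses) + ")"


def is_enabled(user_account_control):
    """True unless ACCOUNTDISABLE is set; this is what the :803: clause tests."""
    return (int(user_account_control) & UF_ACCOUNTDISABLE) == 0


def select_users(entries, group_dn=None, exclude_disabled=False):
    """Apply the same predicates as build_user_filter to in-memory entries.

    Direct membership only, matching what a plain memberOf comparison does on
    the server. DNs are compared case-insensitively, as AD does.
    """
    selected = []
    for e in entries:
        if exclude_disabled and not is_enabled(e["userAccountControl"]):
            continue
        if group_dn:
            groups = [g.lower() for g in e.get("memberOf", [])]
            if group_dn.lower() not in groups:
                continue
        selected.append(e["sAMAccountName"])
    return selected


# Constructed sample entries (not real directory data).
WIKI_ADMINS = "CN=sec-gr-wiki-admin,OU=Security-Groups,OU=Groups,OU=Company,DC=domain,DC=dir"
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,   "memberOf": [WIKI_ADMINS]},
    {"sAMAccountName": "bob",   "userAccountControl": 514,   "memberOf": [WIKI_ADMINS]},  # disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048, "memberOf": []},              # not a member
]

if __name__ == "__main__":
    print(build_user_filter(group_dn=WIKI_ADMINS, exclude_disabled=True))
    print(select_users(SAMPLE_ENTRIES, group_dn=WIKI_ADMINS, exclude_disabled=True))
```

Two caveats for anyone patching the plugin this way: a filter only narrows what the bind account's query returns, it is not access control, so the `admin_username` account can still read every user object it has rights to; and a plain `memberOf=` clause does not see nested groups, so with `recursive_groups` in use either list the direct groups explicitly or use the `:1.2.840.113556.1.4.1941:` form shown above.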