LDAP Auth, 2 filters 1 server

Answered

Hello,

I'm integrating LDAP authentification with our Hub install.

It is configured like so :
server url: ldap://host:389/dc=company,dc=com
filter: (&(memberOf=cn=dev,ou=groups,ou=mybusiness,dc=company,dc=com)(sAMAccountName=%u))
Auto-join groups: dev

It's working as intended. However I want to allow people from the support cn to also be able to authenticate and auto join the support group.
But since they have the same DN, I can't add a new LDAP auth module with the same server url but a different filter.

Is there a solution I overlooked for this ?

Could LDAP auth module with the same url and different filters be added ? This may be hard since a user could match both filters.
Could we map LDAP memberOf attributes to Hub groups instead ?

Cheers.

3 comments
Comment actions Permalink
Official comment

Hi Grecko, so the idea is to write a filter that will unite two CN of your organisation by logical OR. It can be obtained by ExtensibleMatch only, but unfortunately Active Directory does not support it. You are right  - it is not possible to create two Auth modules with different URLs. It seems that these two CN users should be filtered by some other attribute that is common only to this two CNs, but it probably requires some changes in your directory, and we're not sure that this is acceptable for you.

Unfortunately this is all we can help you with at the moment.

Please ask if you have any further questions. Thank you.

Comment actions Permalink

Hi Liubov,

I don't think 1 filter is what we want.
I don't want all of the users to auto-join the same group.

What I think we need is to be able to map a filter to an autojoin group.

A configuration could look like this : 

server url: ldap://host:389/dc=company,dc=com
filter: some global filter
Filter to group mappings :
(&(memberOf=cn=dev,        ou=groups, ...)(sAMAccountName=%u)) -> Auto-join groups: dev
(&(memberOf=cn=support, ou=groups, ...)(sAMAccountName=%u)) -> Auto-join groups: support

0
Comment actions Permalink

Actually we’ve tried a filter that works for filtering two diferent CN, it is

(&(|(memberOf=cn=dev,ou=groups,ou=mybusiness,dc=company,dc=com)(memberOf=cn=support,ou=groups,ou=mybusiness,dc=company,dc=com))(sAMAccountName=%u))

but unfortunately this won’t solve the question of placing to different groups depending on CN. We have a feature request regarding LDAP synchronization, we encourage you to vote it in our tracker: https://youtrack.jetbrains.com/issue/JPS-228

0

Please sign in to leave a comment.