[LDAP] limit login based on addition condition

We have this LDAP "problem" in several customer setups:

  • LDAP is configured against a large user directory (e.g. a university)
  • Plone groups are mapped to groups in LDAP
    Nothing special, everything is fine...except: every user in LDAP can usually log in to such a portal, which is possibly not a security issue as long as you do not automatically assign a role like Member.
    A customer asks - for compliance reasons - to disallow logins from LDAP accounts that do not belong to a particular group. Any way to configure this in pas.plugins.ldap?

Why not limit the users/groups with a specific ldap query to only match those users/groups?

I don't think that you can not do this with a configuration in pas.plugins.ldap without hacking the code.

We have some complicated LDAP queries for Plone projects. Key is to get the correct query syntax. We tend to use a very common base dn and then use subtree. Here is an example query excluding a specific group:

(&
    (objectclass=inetOrgPerson)
    (|
        (&
            (ou:dn:=users)
            (memberOf=cn=Group1,ou=groups,dc=example,dc=org)
        )
        (&
            (ou:dn:=users)
            (memberOf=cn=Group2,ou=groups,dc=example,dc=org)
        )
    )
    (!
        (&
            (ou:dn:=users)
            (memberOf=cn=ExcludedGroup,ou=groups,dc=example,dc=org)
        )
    )
)

Ping me when you need help with a concrete query.

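As an added example (not code from this thread or from pas.plugins.ldap), the following builds the filter shown above from a list of allowed and excluded group names, escaping every value per RFC 4515 so that a group name containing filter metacharacters cannot alter the filter's structure. The `ou=users` layout and the `ou=groups,dc=example,dc=org` container are assumed from the query above.

```python
# Added example: generate the "allowed groups minus excluded groups" filter
# from the thread, with RFC 4515 escaping of each interpolated value.
# Assumption: people live under ou=users and groups under GROUPS_BASE.

GROUPS_BASE = "ou=groups,dc=example,dc=org"  # assumed group container


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).

    The characters * ( ) \\ and NUL are replaced by a backslash and two hex digits,
    so a crafted value cannot close or open filter components.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def member_of(group_cn: str) -> str:
    """Clause matching users (under ou=users) whose memberOf lists the group DN.

    Assumes group CNs contain no DN-special characters (comma, plus, etc.);
    those would additionally need RFC 4514 escaping.
    """
    return "(&(ou:dn:=users)(memberOf=cn=%s,%s))" % (
        escape_filter_value(group_cn), GROUPS_BASE)


def login_filter(allowed, excluded=()):
    """inetOrgPerson AND member of any allowed group AND NOT member of any excluded group."""
    if not allowed:
        raise ValueError("at least one allowed group is required")
    parts = ["(objectclass=inetOrgPerson)"]
    if len(allowed) == 1:
        parts.append(member_of(allowed[0]))
    else:
        parts.append("(|" + "".join(member_of(g) for g in allowed) + ")")
    for g in excluded:
        parts.append("(!" + member_of(g) + ")")
    return "(&" + "".join(parts) + ")"


if __name__ == "__main__":
    print(login_filter(["Group1", "Group2"], ["ExcludedGroup"]))
```

The single-line output is what goes into the pas.plugins.ldap users query field; paste it into Apache Directory Studio first to confirm it returns exactly the accounts you expect.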

Looks like pas.plugins.ldap should use a textarea for queries instead of a single line....


If the LDAP uses memberOf (like in AD, but often seen also in OpenLDAP) you can use this in your query.

OT, but to test queries I can recommend http://directory.apache.org/studio/. Platform independent and free.

That's what I use too 🙂 - it just works (and SSH tunnels to get to the LDAP from my local machine, which is possible in most cases if you can tunnel to the server running Plone).

Interesting...