Customizing the Search Filter for LDAP Authentication

Prerequisites

Customizing the Search Filter for LDAP Authentication

There are scenarios where it is usefull to extend the default search filter of Connectware. For example:

  • your users are not uniquely identifiable by their username, for example when there are users with the same RDN within the search base of your LDAP configuration.
  • You have to give a search base that is very huge as your accounts a spreaded within the DIT but by filtering the search may be more efficient

The filter that will be used by Connectware is (<userRdn>=<username>) wheras userRdn is defined as environment variable in your values.yml and username is the name the user enters during login.

Any extension will result in a filter of the current format:

(&(<userRdn>=<username>)(<your extension>)
Code-Sprache: YAML (yaml)

Info: You could test the filter by performing request with ldapsearch on your terminal (may require additional packages to be installed)

Example:

ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=User 1)(objectclass=iNetOrgPerson))"
Code-Sprache: YAML (yaml)

Example

In the following example, we have two entries with an RDN cn=a.smith.

dc=example,dc=org
 cn=customers
   cn=a.smith
 cn=employees
    cn=a.smith
Code-Sprache: YAML (yaml)

Both users are named a.smith, but they are different entries. In a case like this you will use cn=employees,dc=ecample,dc=org as search base and actually won’t have a problem. But lets use dc=example,dc=org in order to create a simple example case for the filter extention.

We want to modify the filter in order to search only for entries that have cn=employees in their DN.

The search command to test on the terminal will for the employee a.smith will look like this:

ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=a.smith)(cn:dn:=employee))"
Code-Sprache: YAML (yaml)

To modify Connectware, we only add the extension itself (cn:dn:=employee) to the configuration:

global:
  authentication:
    ldap:
      enabled: true
      existingBindSecret: my-ldap-user
      searchBase: CN=Users,DC=company,DC=tld
      searchFilter: cn:dn:=employees
      userRdn: cn
      url: ldap://my-dc.company.tld:389
Code-Sprache: YAML (yaml)

Important: Be aware the no surrounding brackets are used for the additional expression. Brackets within your expression could be used, e.g. &(objectClass=iNetOrgPerson)(cn:dn:=employees)

Was this article helpful?
YesNo
Need more help?

Can’t find the answer you’re looking for?
Don’t worry, we’re here to help.

Share this article
  • Previous

    Manual Kubernetes Secret for LDAP Authentication Bind User

  • Customizing the User RDN for LDAP Authentication

Ihr Browser unterstützt diese Webseite nicht.

Liebe Besucher:innen, Sie versuchen unsere Website über den Internet Explorer zu besuchen. Der Support für diesen Browser wurde durch den Hersteller eingestellt, weshalb er moderne Webseiten nicht mehr richtig darstellen kann.
Um die Inhalte dieser Website korrekt anzeigen zu können, benötigen Sie einen modernen Browser.

Unter folgenden Links finden Sie Browser, für die unsere Webseite optimiert wurde:

Google Chrome Browser herunterladen Mozilla Firefox Browser herunterladen

Sie können diese Website trotzdem anzeigen lassen, müssen aber mit erheblichen Einschränkungen rechnen.

Diese Website trotzdem anzeigen.