Hi,
We have the following configuration for our Active Directory backend:
```yaml
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
    type: ldap
    config:
      # enable ldaps
      enable_ssl: true
      # enable start tls, enable_ssl should be false
      enable_start_tls: false
      # send client certificate
      enable_ssl_client_auth: false
      # verify ldap hostname
      verify_hostnames: true
      hosts:
        - adserver1:636
        - adserver2:636
      bind_dn: "CN=useraccount,OU=Service,OU=Resource Accounts,OU=Users,OU=cmopanyname,DC=company,DC=com"
      password: "password"
      userbase: "OU=Sites,OU=company,DC=company,DC=company"
      # Filter to search for users (currently in the whole subtree beneath userbase)
      # {0} is substituted with the username
      usersearch: '(sAMAccountName={0})'
      # Use this attribute from the user as username (if not set then DN is used)
      username_attribute: sAMAccountName
```
This currently works but we need to restrict this to only certain users in specific security groups. We’ve tried setting the userbase to the security group in question like this:
```yaml
userbase: "CN=testgroup,OU=Sites,OU=company,DC=company,DC=company"
```
But then opendistro cannot find the users anymore and won't work. How can we restrict authentication to only certain users in a security group using the Active Directory backend? I've scoured the internet for answers regarding this but I have not been able to find anything.
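As an added example (not taken from the post above or from the Open Distro project's own documentation), the same backend with group-restricted authentication expressed in the `usersearch` filter rather than in `userbase`. It assumes the group DN `CN=testgroup,OU=Sites,OU=company,DC=company,DC=company` and that the directory exposes the standard Active Directory `memberOf` attribute on user entries.

```yaml
# Added example, not the poster's configuration. Group DN and the
# presence of the AD "memberOf" attribute are assumptions.
ldap:
  description: "Authenticate via LDAP or Active Directory"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: true
  authentication_backend:
    type: ldap
    config:
      enable_ssl: true
      enable_start_tls: false
      enable_ssl_client_auth: false
      verify_hostnames: true
      hosts:
        - adserver1:636
        - adserver2:636
      bind_dn: "CN=useraccount,OU=Service,OU=Resource Accounts,OU=Users,OU=cmopanyname,DC=company,DC=com"
      password: "password"
      # userbase must stay an OU (or the domain root): the search walks the
      # subtree beneath this entry, and user objects are never stored beneath
      # a group object. Pointing userbase at the group therefore matches no users.
      userbase: "OU=Sites,OU=company,DC=company,DC=company"
      # Restrict by group membership instead: {0} is the login name, and the
      # memberOf clause only matches users that are direct members of the group.
      usersearch: "(&(sAMAccountName={0})(memberOf=CN=testgroup,OU=Sites,OU=company,DC=company,DC=company))"
      # Variant that also accepts nested membership via the AD matching rule
      # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941):
      # usersearch: "(&(sAMAccountName={0})(memberOf:1.2.840.113556.1.4.1941:=CN=testgroup,OU=Sites,OU=company,DC=company,DC=company))"
      username_attribute: sAMAccountName
```

Before rolling this out, run the same filter with `ldapsearch` (bound as the service account, with a real login name substituted for `{0}`) against `userbase` and confirm it returns exactly one entry for a group member and none for a non-member.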