diff --git a/docs/content/en/reference/guides/ldap.md b/docs/content/en/reference/guides/ldap.md index 3873b41c6..97d9281f6 100644 --- a/docs/content/en/reference/guides/ldap.md +++ b/docs/content/en/reference/guides/ldap.md 
@@ -94,17 +94,18 @@ accounts. The active directory example has two attribute filters that accomplish be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that value is not 0 which means the password requires changing at the next login. -| Implementation | Users Filter | Groups Filter | -|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:------------------------------------------:| -| custom | N/A | N/A | -| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(sAMAccountType=268435456)) | +| Implementation | Users Filter | Groups Filter | +|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:| +| custom | N/A | N/A | +| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912))) | ##### Microsoft Active Directory sAMAccountType -| Account Type Value | Description | Equivalent Filter | -|:------------------:|:--------------------------:|:----------------------------------------------:| -| 268435456 | Normal Group Objects | N/A | -| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` | +| Account Type Value | Description | Equivalent Filter | +|:------------------:|:---------------------------------------:|:----------------------------------------------:| +| 268435456 | Global/Universal Security Group Objects | N/A | +| 
536870912 | Domain Local Security Group Objects | N/A | +| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` | *__References:__* - Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe). diff --git a/internal/configuration/schema/authentication.go b/internal/configuration/schema/authentication.go index 9d118c091..5eeba76b0 100644 --- a/internal/configuration/schema/authentication.go +++ b/internal/configuration/schema/authentication.go @@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory = UsernameAttribute: "sAMAccountName", MailAttribute: "mail", DisplayNameAttribute: "displayName", - GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))", + GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))", GroupNameAttribute: "cn", Timeout: time.Second * 5, TLS: &TLSConfig{
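Review bot: In the ldap.md hunk the prose above the table still explains only the users filter (the userAccountControl and pwdLastSet clauses) and says nothing about why the groups filter now carries `(|(sAMAccountType=268435456)(sAMAccountType=536870912))`; add a sentence there stating that the groups filter matches both global/universal and domain local security groups, and that non-security (distribution) groups are still deliberately excluded, since a reader comparing the two table rows will otherwise not know whether the omission is intended. The new `536870912 | Domain Local Security Group Objects` row is consistent with the renamed 268435456 row and the cited MS-SAMR reference, so the table itself reads correctly.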
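Review bot: The authentication.go hunk changes the default `GroupsFilter` for the activedirectory implementation, which is a behaviour change for existing deployments: users who are members of domain local security groups will start to receive those group names, and any access-control rule keyed on a group name may now match where it previously did not. Call this out in the changelog or migration notes alongside the docs change, and consider a unit test that asserts the new default `"(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))"` so the docs table and the schema default cannot drift apart again.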