From 28cd927f8890e6c13c67bfc393795f9348b76aa4 Mon Sep 17 00:00:00 2001
From: James Elliott
Date: Wed, 14 Dec 2022 14:57:32 +1100
Subject: [PATCH] fix(authentication): msad dlsg excluded from default filter (#4569)

The groups filter narrowing for Active Directory to purposefully exclude distribution groups (which are not designed to act as security groups) unintentionally removed DLSG's from the filter results. This effectively reverts that allowing both DLSG's and GUSG's to be returned by default.

Fixes #4551, Fixes #4528
---
 docs/content/en/reference/guides/ldap.md | 17 +++++++++--------
 internal/configuration/schema/authentication.go | 2 +-
 2 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/docs/content/en/reference/guides/ldap.md b/docs/content/en/reference/guides/ldap.md
index 3873b41c6..97d9281f6 100644
--- a/docs/content/en/reference/guides/ldap.md
+++ b/docs/content/en/reference/guides/ldap.md
@@ -94,17 +94,18 @@ accounts. The active directory example has two attribute filters that accomplish
 be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that value is not 0 which means the password requires changing at the next login.
-| Implementation | Users Filter | Groups Filter |
-|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:------------------------------------------:|
-| custom | N/A | N/A |
-| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(sAMAccountType=268435456)) |
+| Implementation | Users Filter | Groups Filter |
+|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
+| custom | N/A | N/A |
+| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912))) |
 ##### Microsoft Active Directory sAMAccountType
-| Account Type Value | Description | Equivalent Filter |
-|:------------------:|:--------------------------:|:----------------------------------------------:|
-| 268435456 | Normal Group Objects | N/A |
-| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
+| Account Type Value | Description | Equivalent Filter |
+|:------------------:|:---------------------------------------:|:----------------------------------------------:|
+| 268435456 | Global/Universal Security Group Objects | N/A |
+| 
536870912 | Domain Local Security Group Objects | N/A |
+| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
 *__References:__*
 - Account Type Values: [Microsoft Learn](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/e742be45-665d-4576-b872-0bc99d1e1fbe).
diff --git a/internal/configuration/schema/authentication.go b/internal/configuration/schema/authentication.go
index 9d118c091..5eeba76b0 100644
--- a/internal/configuration/schema/authentication.go
+++ b/internal/configuration/schema/authentication.go
@@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
 UsernameAttribute: "sAMAccountName",
 MailAttribute: "mail",
 DisplayNameAttribute: "displayName",
- GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))",
+ GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
 GroupNameAttribute: "cn",
 Timeout: time.Second * 5,
 TLS: &TLSConfig{
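Review bot: The new default `GroupsFilter` on the added line encodes a deliberate access-control decision — only security groups are returned (268435456 for global/universal, 536870912 for domain local) and distribution groups stay excluded — but the code itself records none of that, so the next person adjusting the sAMAccountType values has to rediscover it from this commit and the linked issues. A comment above the field would keep the rationale next to the value, e.g. `// Match security groups only: 268435456 (global/universal) and 536870912 (domain local). Distribution groups are deliberately excluded because they are not intended to act as security principals.` It is also worth stating in that comment that the filter relies on the group's `member` attribute, i.e. direct membership of `{dn}`, so readers do not assume nested membership is resolved by this default. The enclosing `var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory` struct literal begins and ends outside the hunk.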