RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(authentication): msad dlsg excluded from default filter (#4569) 

The groups filter narrowing for Active Directory to purposefully exclude distribution groups (which are not designed to act as security groups) unintentionally removed DLSG's from the filter results. This effectively reverts that allowing both DLSG's and GUSG's to be returned by default.

Fixes #4551, Fixes #4528
pull/4572/head
James Elliott 2022-12-14 14:57:32 +11:00 committed by GitHub
parent a0134271af
commit 28cd927f88
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs/content/en/reference/guides/ldap.md
View File

@ -95,15 +95,16 @@ be appreciated). The userAccountControl filter checks that the account is not di
value is not 0 which means the password requires changing at the next login. value is not 0 which means the password requires changing at the next login.
| Implementation | Users Filter | Groups Filter | | Implementation | Users Filter | Groups Filter |
|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:------------------------------------------:| |:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
| custom | N/A | N/A | | custom | N/A | N/A |
| activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(sAMAccountType=268435456)) | | activedirectory | (&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912))) |
##### Microsoft Active Directory sAMAccountType ##### Microsoft Active Directory sAMAccountType
| Account Type Value | Description | Equivalent Filter | | Account Type Value | Description | Equivalent Filter |
|:------------------:|:--------------------------:|:----------------------------------------------:| |:------------------:|:---------------------------------------:|:----------------------------------------------:|
| 268435456 | Normal Group Objects | N/A | | 268435456 | Global/Universal Security Group Objects | N/A |
| 536870912 | Domain Local Security Group Objects | N/A |
| 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` | | 805306368 | Normal User Accounts | `(&(objectCategory=person)(objectClass=user))` |
*__References:__* *__References:__*

2
internal/configuration/schema/authentication.go
View File

@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
UsernameAttribute: "sAMAccountName", UsernameAttribute: "sAMAccountName",
MailAttribute: "mail", MailAttribute: "mail",
DisplayNameAttribute: "displayName", DisplayNameAttribute: "displayName",
GroupsFilter: "(&(member={dn})(sAMAccountType=268435456))", GroupsFilter: "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
GroupNameAttribute: "cn", GroupNameAttribute: "cn",
Timeout: time.Second * 5, Timeout: time.Second * 5,
TLS: &TLSConfig{ TLS: &TLSConfig{