fix(authentication): msad dlsg excluded from default filter (#4569)

The groups filter narrowing for Active Directory to purposefully exclude distribution groups (which are not designed to act as security groups) unintentionally removed DLSG's from the filter results. This effectively reverts that allowing both DLSG's and GUSG's to be returned by default. Fixes #4551, Fixes #4528
2022-12-14 14:57:32 +11:00 · 2022-12-14 14:57:32 +11:00 · 28cd927f88
parent a0134271af
commit 28cd927f88
2 changed files with 10 additions and 9 deletions
--- a/docs/content/en/reference/guides/ldap.md
+++ b/docs/content/en/reference/guides/ldap.md
@ -95,15 +95,16 @@ be appreciated). The userAccountControl filter checks that the account is not di
 value is not 0 which means the password requires changing at the next login.

 | Implementation  |                                                                          Users Filter                                                                           |                                Groups Filter                                 |
-|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:------------------------------------------:|
+|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
 |     custom      |                                                                               N/A                                                                               |                                     N/A                                      |
-| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(sAMAccountType=268435456)) |
+| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912))) |

 ##### Microsoft Active Directory sAMAccountType

 | Account Type Value |               Description               |               Equivalent Filter                |
-|:------------------:|:--------------------------:|:----------------------------------------------:|
-|     268435456      |    Normal Group Objects    |                      N/A                       |
+|:------------------:|:---------------------------------------:|:----------------------------------------------:|
+|     268435456      | Global/Universal Security Group Objects |                      N/A                       |
+|     536870912      |   Domain Local Security Group Objects   |                      N/A                       |
 |     805306368      |          Normal User Accounts           | `(&(objectCategory=person)(objectClass=user))` |

 *__References:__*
--- a/internal/configuration/schema/authentication.go
+++ b/internal/configuration/schema/authentication.go
@ -191,7 +191,7 @@ var DefaultLDAPAuthenticationBackendConfigurationImplementationActiveDirectory =
 	UsernameAttribute:    "sAMAccountName",
 	MailAttribute:        "mail",
 	DisplayNameAttribute: "displayName",
-	GroupsFilter:         "(&(member={dn})(sAMAccountType=268435456))",
+	GroupsFilter:         "(&(member={dn})(|(sAMAccountType=268435456)(sAMAccountType=536870912)))",
 	GroupNameAttribute:   "cn",
 	Timeout:              time.Second * 5,
 	TLS: &TLSConfig{