LDAP App : Allow only members of group X to login

I’m using OpenLDAP / NC 12
Am I forced to use the memberof overlay to allow only members of a specific group to login ?


might help:

Thanks but that’s not what I’m asking.
It seems NC can’t check if the user is a member of a specific group before granting login ? I mean based on a groupofnames objectclass entry.
It would imply NC to perform TWO requests:

  • First one to look if the %uid is member of the group (groupofnames entry)
  • If yes then auth, retrieve needed data from related inetorgperson entry and grant login.

You might want to use something like
(&(|(objectclass=posixAccount))(|(memberof=cn=oc,ou=functional groups,dc=Yourserver,dc=de)))
in the User tab.
True, the memberOf overlay helps you.

Thanks @joergschulz, but as you noticed it’s not my use case and I believe (I hope) I’m not alone : I don’t use any overlay on my openldap installation. And I don’t want to be forced to :wink: You could say, “you’re free to implement it if you like”, of course ! I don’t have much time right now, but I believe that a checkbox “Only members of the selected groups are allowed to login” would do the trick, from the ldap wizard.
I’ll see if I manage to open a feature request for this.

Hi mhow2!
I’m in the same situation: I’m currently unable to use the memberOf overlay with my LDAP setup.
Did you manage to get your setup up and running?
Thanks and best regards

I don’t understand the issue… the memberOf overlay is simply a convenience where the account’s member groups are available as an account attribute. AD does provide this, but OpenLDAP doesn’t, at least not in the standard configuration.

You can always achieve the same by crafting the appropriate LDAP search string and using that in the User tab section of the LDAP configuration. Admittedly, this is more cumbersome, but it does work nonetheless.

The only thing this doesn’t give you would be that a user account would be created on your NC instance, but the created user would not be granted access, due to some group it isn’t member of, which doesn’t make much sense to me. I’d rather not have any accounts created which aren’t allowed to login in the first place and have that group be an explicit requirement for NC to synchronize an account.
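Added example, not code from the thread or from Nextcloud: it builds the filters the two approaches above need (the memberOf filter for the User tab that joergschulz suggested, and the two-request groupOfNames lookup mhow2 described), applying RFC 4514/4515 escaping to the login name before it is substituted into a DN or filter. The base DNs and the group name are constructed placeholders.

```python
# Added example: LDAP filters for restricting login to members of one group.
# Base DNs and group name below are constructed placeholders, not real values.
PEOPLE_BASE = "ou=people,dc=example,dc=org"
GROUP_DN = "cn=nextcloud-users,ou=groups,dc=example,dc=org"

# RFC 4515: characters that must be encoded inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# RFC 4514: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value for use as an RDN value inside a DN (RFC 4514)."""
    out = "".join("\\" + ch if ch in _DN_SPECIAL else ch for ch in value)
    if out.endswith(" "):           # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out.startswith(("#", " ")):  # leading '#' or space must be escaped
        out = "\\" + out
    return out


def memberof_login_filter(group_dn: str = GROUP_DN) -> str:
    """User-tab filter when the memberOf overlay (or AD) exposes memberOf."""
    return f"(&(objectClass=inetOrgPerson)(memberOf={escape_filter_value(group_dn)}))"


def two_step_filters(uid: str) -> tuple[tuple[str, str], tuple[str, str]]:
    """Filters for the two-request approach without the overlay.

    Returns ((base, filter), (base, filter)): first search the group entry
    for a member value equal to the user's DN; only if that matches, search
    the user's own inetOrgPerson entry to fetch the attributes needed for login.
    The login name is escaped so filter metacharacters in it are matched
    literally instead of altering the query.
    """
    user_dn = f"uid={escape_dn_value(uid)},{PEOPLE_BASE}"
    step1 = (GROUP_DN, f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn)}))")
    step2 = (PEOPLE_BASE, f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))")
    return step1, step2
```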