
Using nested groups for LDAP - UCP integration

Problem

UCP integrates with LDAP through the Authentication & Authorization section of the UCP GUI. In some environments, nested groups within Active Directory (a group whose members are other groups) are the preferred configuration because they are easier to manage, but a plain memberOf match only sees direct members of a group.

Example Setup of AD Tree

Group Member Attribute: "member" 

- DockerTestGroup 
--- ADTeamGroup 

- ADTeamGroup 
--- user1 
--- user2 
--- user3

Solution

To support the configuration above, use the following values in the Add LDAP User Search Configuration option under the Authentication & Authorization section of the UCP GUI Admin Settings.

Base DN = <base DN of active directory>
Username Attribute = sAMAccountName
Full Name Attribute = cn
Filter = (&(objectClass=user)(objectClass=person)(memberof:1.2.840.113556.1.4.1941:=CN=<>,CN=<>,DC=<>,DC=<>,DC=<>,DC=<>)(!(objectClass=computer)))
  • In the Filter value, replace each <> with the components of the DN of the top-level group (DockerTestGroup in the example above). The whole filter is wrapped in an opening and closing parenthesis; a filter with unbalanced parentheses is rejected by the server.

  • The 1.2.840.113556.1.4.1941 component is the OID of the Active Directory extensible match rule LDAP_MATCHING_RULE_IN_CHAIN. It makes the server evaluate memberof transitively, so users who belong to ADTeamGroup also match the filter for DockerTestGroup. The (!(objectClass=computer)) clause is needed because in AD a computer object is also a user and a person. Note that this rule is AD-specific (other LDAP servers such as OpenLDAP do not implement it) and that chained searches can be slow on large directories. You can learn more by researching "Active Directory Search Filter Syntax".

Lastly, enable Search subtree instead of just one level on the same configuration page, so that users stored in containers below the Base DN are found.

Users should now be able to authenticate successfully using nested groups!
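The following script is an added example, not code from the article or from Docker. It builds the filter above from a group DN (RFC 4515 escaping applied to the value), checks that the parentheses balance, and simulates what LDAP_MATCHING_RULE_IN_CHAIN does by walking "member" links transitively over a small constructed directory that mirrors the tree in the example. The DNs (OU=Groups, OU=People, the BUILD01 computer account, the "outsider" user), the ldap:// URL and bind DN are assumptions made for the example; it also emits an ldapsearch command line for checking the same filter against a real server outside UCP.

```python
"""Added example: build the UCP nested-group LDAP filter, check it is
well-formed, and simulate AD's transitive memberof evaluation offline."""

# OID of the AD extensible match rule (LDAP_MATCHING_RULE_IN_CHAIN) that makes
# memberof resolve nested group membership. AD-specific; OpenLDAP ignores it.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def nested_group_filter(group_dn):
    """The article's filter with the top-level group DN filled in.

    objectClass=computer is excluded explicitly because in AD a computer
    object is also a 'user' and a 'person'."""
    return (
        "(&(objectClass=user)(objectClass=person)"
        f"(memberof:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(group_dn)})"
        "(!(objectClass=computer)))"
    )


def filter_is_balanced(search_filter):
    """Cheap check that catches a dropped or extra parenthesis."""
    depth = 0
    for ch in search_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


# Constructed sample directory mirroring the article's tree; the DNs are
# assumptions. The group member attribute is "member", as in the article.
SAMPLE_DIRECTORY = {
    "CN=DockerTestGroup,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": ["CN=ADTeamGroup,OU=Groups,DC=example,DC=com"],
    },
    "CN=ADTeamGroup,OU=Groups,DC=example,DC=com": {
        "objectClass": ["top", "group"],
        "member": [
            "CN=user1,OU=People,DC=example,DC=com",
            "CN=user2,OU=People,DC=example,DC=com",
            "CN=user3,OU=People,DC=example,DC=com",
            "CN=BUILD01,CN=Computers,DC=example,DC=com",  # computer account
        ],
    },
    "CN=user1,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "user1",
    },
    "CN=user2,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "user2",
    },
    "CN=user3,OU=People,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "user3",
    },
    "CN=BUILD01,CN=Computers,DC=example,DC=com": {
        "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
        "sAMAccountName": "BUILD01$",
    },
    "CN=outsider,OU=People,DC=example,DC=com": {  # in no group at all
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "sAMAccountName": "outsider",
    },
}


def transitive_member_dns(directory, group_dn, seen=None):
    """Every DN reachable from group_dn through 'member' links, which is what
    the in-chain rule evaluates. 'seen' guards against circular nesting."""
    if seen is None:
        seen = set()
    result = set()
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn in seen:
            continue
        seen.add(dn)
        result.add(dn)
        result |= transitive_member_dns(directory, dn, seen)
    return result


def users_matching_filter(directory, group_dn):
    """Apply the remaining filter clauses (user AND person AND NOT computer)
    to the transitive members; returns sAMAccountNames sorted by DN."""
    matched = []
    for dn in sorted(transitive_member_dns(directory, group_dn)):
        classes = set(directory.get(dn, {}).get("objectClass", []))
        if {"user", "person"} <= classes and "computer" not in classes:
            matched.append(directory[dn]["sAMAccountName"])
    return matched


def ldapsearch_argv(ldap_url, bind_dn, base_dn, group_dn):
    """ldapsearch command to try the same filter outside UCP. '-s sub' is the
    CLI equivalent of 'Search subtree'; '-W' prompts for the bind password."""
    return ["ldapsearch", "-H", ldap_url, "-D", bind_dn, "-W", "-b", base_dn,
            "-s", "sub", nested_group_filter(group_dn), "sAMAccountName"]


if __name__ == "__main__":
    top = "CN=DockerTestGroup,OU=Groups,DC=example,DC=com"
    print(nested_group_filter(top))
    print(users_matching_filter(SAMPLE_DIRECTORY, top))
    print(" ".join(ldapsearch_argv("ldap://dc01.example.com", "CN=svc-ucp,OU=Service,DC=example,DC=com",
                                   "DC=example,DC=com", top)))
```

Running it shows that user1, user2 and user3 match the DockerTestGroup filter even though they are only direct members of ADTeamGroup, while the computer account and the user outside both groups do not. If the ldapsearch command returns the expected users but UCP does not, the difference is usually the Base DN or the search scope (subtree versus one level).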