 

Authenticate LDAP user if he's a part of a specific group

In my Node application, I have a use case in which I need to authenticate only the LDAP users belonging to a specific group. If the user does not belong to the mentioned group, authentication should fail.

I am using the library ldapauth-fork for LDAP authentication.

I tried various approaches for the filters, but none of them work as expected. Below are the attempts I tried:

let ldapConnector = new LdapAuth (
    {
        url              : config.ldap.url,
        bindDN           : config.ldap.bindDN,
        adminPassword    : config.ldap.adminPassword,
        searchBase       : config.ldap.searchBase,
        searchFilter     : "(&(sAMAccountName=testUser)(memberOf=testGroup))",
        cache            : true,
        includeRaw       : true,
        log              : logger
    }
);

For this configuration, I always get no such user: "testuser" even if the user is member of the testGroup group.

let ldapConnector = new LdapAuth (
    {
        url               : config.ldap.url,
        bindDN            : config.ldap.bindDN,
        adminPassword     : config.ldap.adminPassword,
        searchBase        : config.ldap.searchBase,
        searchFilter      : "(sAMAccountName=testuser)",
        groupSearchFilter : "(member=testGroup)",
        cache             : true,
        includeRaw        : true,
        log               : logger
    }
);

For this configuration, the authentication is always successful, even if the group name is a random string.

So, what should be the correct filter string to make the authentication work?

Prerak Sola asked Jan 16 '26 19:01


1 Answer

I see that you want an LDAP search filter that matches on "username = x and group = y". To do this, you need to provide the full distinguished name (DN) of the group as the value of the memberOf attribute.

This should work:

(&(sAMAccountName=testuser)(memberOf=cn=testGroup,cn=Users,DC=yourdomain,DC=yourdomainsuffix))

The above example assumes testGroup resides in the default location of CN=Users in your Active Directory domain. If it is in some other place, modify the LDAP path as appropriate. For example, this works in my isolated test domain, because I haven't moved GroupA group out of the Users container:

(&(sAMAccountName=Todd)(memberOf=cn=GroupA,cn=Users,DC=dev,DC=local))

EDIT (4/20/2018): In the second scenario, per mvreijn's comment, the groupSearchFilter only serves to request the list of groups that a valid user is a member of. It does not play a role during authentication.

T-Heron answered Jan 19 '26 08:01
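The following is an added example, not code from the question, the answer, or the ldapauth-fork project. It builds the "user AND memberOf=group DN" filter the answer describes while escaping filter values per RFC 4515 (so a login name such as `x)(objectClass=*` cannot rewrite the filter), optionally uses the Active Directory LDAP_MATCHING_RULE_IN_CHAIN OID (1.2.840.113556.1.4.1941) so that nested group membership also matches, and, because the answer's edit notes that groupSearchFilter does not gate authentication, checks the memberOf attribute of the returned user entry yourself. The group DN `cn=testGroup,cn=Users,DC=dev,DC=local` and the sample user entry are assumptions constructed for the example.

```javascript
// Added example (not from the question, the answer, or ldapauth-fork).
// The group DN and the sample entry below are assumptions.

// RFC 4515 escaping for a value placed inside an LDAP search filter.
// Only * ( ) \ and NUL are special in filter values; commas and '=' in a
// DN are fine. Without this, user-controlled input can inject filter terms.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (ch) => {
    const hex = ch.charCodeAt(0).toString(16).padStart(2, '0');
    return '\\' + hex;
  });
}

// Filter in the shape the answer recommends: sAMAccountName AND memberOf=<full group DN>.
// With nested=true the AD in-chain matching rule is used, so users who are
// members through an intermediate group are matched as well (plain memberOf
// only lists direct memberships).
function buildGroupFilter(username, groupDN, { nested = false } = {}) {
  const attr = nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';
  return `(&(sAMAccountName=${escapeFilterValue(username)})` +
         `(${attr}=${escapeFilterValue(groupDN)}))`;
}

// Normalize a DN for comparison: AD DNs are case-insensitive and whitespace
// around RDN separators is not significant. Escaped commas inside an RDN
// (e.g. "cn=Smith\, John") are not handled by this simplified split.
function normalizeDN(dn) {
  return String(dn).split(',').map((rdn) => rdn.trim().toLowerCase()).join(',');
}

// Post-authentication check on the entry ldapauth-fork hands back: memberOf
// is a string for a single group or an array for several. Note that the
// user's primary group (usually Domain Users) is never listed in memberOf.
function isMemberOf(userEntry, groupDN) {
  const raw = userEntry.memberOf;
  const groups = raw === undefined ? [] : Array.isArray(raw) ? raw : [raw];
  const wanted = normalizeDN(groupDN);
  return groups.some((g) => normalizeDN(g) === wanted);
}

// Assumed location of the group (default Users container, as in the answer).
const GROUP_DN = 'cn=testGroup,cn=Users,DC=dev,DC=local';

// Value for ldapauth-fork's searchFilter option: the library replaces the
// {{username}} placeholder with the login name at authentication time, so
// the username is not hard-coded into the filter.
const searchFilter = buildGroupFilter('{{username}}', GROUP_DN);

// Constructed sample entry, shaped like an AD user returned after a bind.
const sampleUser = {
  sAMAccountName: 'testuser',
  memberOf: [
    'CN=testGroup,CN=Users,DC=dev,DC=local',
    'CN=Remote Desktop Users,CN=Builtin,DC=dev,DC=local',
  ],
};

function demo() {
  console.log('searchFilter :', searchFilter);
  console.log('nested filter:', buildGroupFilter('testuser', GROUP_DN, { nested: true }));
  console.log('injection    :', buildGroupFilter('x)(objectClass=*', GROUP_DN));
  console.log('member?      :', isMemberOf(sampleUser, GROUP_DN));
  return isMemberOf(sampleUser, GROUP_DN);
}

demo();
```

Use the plain memberOf form when the group is assigned directly, and the in-chain form when membership may be inherited through nested groups; the in-chain rule is Active Directory specific and is slower on large directories. Whatever the filter, keep the isMemberOf check in the application, so that a misconfigured searchFilter cannot silently widen who is allowed to log in.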


