Customizing the Search Filter for LDAP Authentication

Prerequisites

Helm version 3 is installed on your system.
The Kubernetes command line tool kubectl is configured and has access to the target installation.
You know the name and namespace of your Connectware installation. See Obtaining the name, namespace, and version of your Connectware installation.
The values.yaml file is available.
LDAP authentication configured.

Customizing the Search Filter for LDAP Authentication

There are scenarios where it is useful to extend the default search filter of Connectware. For example:

your users are not uniquely identifiable by their username, for example when there are users with the same RDN within the search base of your LDAP configuration.
You have to give a search base that is very huge as your accounts a spread within the DIT but by filtering the search may be more efficient

The filter that will be used by Connectware is (=) whereas userRdn is defined as environment variable in your values.yml and username is the name the user enters during login.

Any extension will result in a filter of the current format:

(&(<userRdn>=<username>)(<your extension>)

Info: You could test the filter by performing request with ldapsearch on your terminal (may require additional packages to be installed)

Example

ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=User 1)(objectclass=iNetOrgPerson))"

Example

In the following example, we have two entries with an RDN cn=a.smith.

dc=example,dc=org
├ cn=customers
│  └ cn=a.smith
└ cn=employees
└ cn=a.smith

Both users are named a.smith, but they are different entries. In a case like this you will use cn=employees,dc=ecample,dc=org as search base and will not not a problem. But lets use dc=example,dc=org in order to create a simple example case for the filter extension.

We want to modify the filter in order to search only for entries that have cn=employees in their DN.

The search command to test on the terminal will for the employee a.smith will look like this:

ldapsearch -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=a.smith)(cn:dn:=employee))"

To modify Connectware, we only add the extension itself (cn:dn:=employee) to the configuration:

global:
  authentication:
    ldap:
      enabled: true
      existingBindSecret: my-ldap-user
      searchBase: CN=Users,DC=company,DC=tld
      searchFilter: cn:dn:=employees
      userRdn: cn
      url: ldap://my-dc.company.tld:389

Important: Be aware the no surrounding brackets are used for the additional expression. Brackets within your expression could be used, e.g. &(objectClass=iNetOrgPerson)(cn:dn:=employees).

Last updated 7 months ago

Was this helpful?