Customizing the Search Filter for LDAP Authentication

There are scenarios where it is useful to extend the default search filter of Connectware. For example:

  • Your users are not uniquely identifiable by their username, for example because several entries within the search base of your LDAP configuration share the same RDN.

  • Your accounts are spread across the DIT, so the search base you have to configure is very large; narrowing the filter makes the search more efficient.

The filter Connectware uses by default is (<userRdn>=<username>), where userRdn is the attribute name configured in your values.yml (for example cn) and username is the name the user enters during login.

Any extension results in a filter of the following form:

(&(<userRdn>=<username>)(<your extension>))

Info: You can test a filter by running a query with ldapsearch in your terminal (the client may require additional packages, e.g. ldap-utils on Debian-based systems). Use -x for a simple bind; prefer -W, which prompts for the bind password, over -w, which leaves the password in the process list and your shell history.

Example

ldapsearch -x -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=User 1)(objectClass=inetOrgPerson))"

Example

In the following example, there are two entries with the RDN cn=a.smith:

dc=example,dc=org
├ cn=customers
│  └ cn=a.smith
└ cn=employees
   └ cn=a.smith

Both users are named a.smith, but they are different entries. In a case like this you would normally use cn=employees,dc=example,dc=org as the search base and would not have a problem at all. For the sake of a simple example of the filter extension, however, let's use dc=example,dc=org as the search base.

We want to restrict the filter so that it only matches entries that have cn=employees in their DN. The extensible match (cn:dn:=employees) does exactly that: the :dn: flag tells the server to apply the match to the attribute values that make up the entry's DN as well as to the entry's own attributes.

The ldapsearch command to test this for the employee a.smith looks like this:

ldapsearch -x -L -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -w admin_pass "(&(cn=a.smith)(cn:dn:=employees))"

To configure Connectware, add only the extension itself, cn:dn:=employees, as searchFilter:

global:
    authentication:
        ldap:
            enabled: true
            existingBindSecret: my-ldap-user
            searchBase: dc=example,dc=org
            searchFilter: cn:dn:=employees
            userRdn: cn
            url: ldap://my-dc.company.tld:389

Important: Do not put surrounding parentheses around the additional expression; Connectware wraps it in parentheses itself. Parentheses within the expression are fine, e.g. &(objectClass=inetOrgPerson)(cn:dn:=employees), which yields (&(cn=<username>)(&(objectClass=inetOrgPerson)(cn:dn:=employees))). Make sure the parentheses inside your expression are balanced, otherwise the composed filter is invalid and the user search fails.
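The following Python snippet is an added example, not Connectware code and not a description of its internals. It composes the filter in the form shown above from userRdn, the login name and the searchFilter extension, rejects an extension with unbalanced parentheses, and hex-escapes the login name as RFC 4515 requires so that a name such as *)(cn=admin cannot change the structure of the filter. Whether and how Connectware escapes the login name is not covered on this page, so treat the escaping as a general requirement for anything that builds a filter from user input; the function names are the example's own.

```python
# Added example (not Connectware code): compose the LDAP search filter
# (&(<userRdn>=<username>)(<extension>)) and escape the user-supplied part.

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise they are interpreted as filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot alter the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(user_rdn: str, username: str, extension: str = "") -> str:
    """Build the filter the way the page describes.

    user_rdn  - attribute from the userRdn setting, e.g. "cn"
    username  - the name typed at login (escaped here before substitution)
    extension - the searchFilter value WITHOUT surrounding parentheses,
                e.g. "cn:dn:=employees"; empty means no extension.
    """
    # Crude balance check: an unbalanced extension makes the whole
    # filter invalid, so fail loudly instead of producing garbage.
    if extension.count("(") != extension.count(")"):
        raise ValueError(f"unbalanced parentheses in extension: {extension!r}")

    base = f"({user_rdn}={escape_filter_value(username)})"
    if not extension:
        return base
    # The extension is wrapped in its own parentheses and AND-ed with the
    # username term, exactly the shape (&(<userRdn>=<username>)(<ext>)).
    return f"(&{base}({extension}))"


if __name__ == "__main__":
    # Plain default filter, no extension.
    print(build_filter("cn", "a.smith"))
    # The page's example: restrict to entries with cn=employees in the DN.
    print(build_filter("cn", "a.smith", "cn:dn:=employees"))
    # Extension that itself contains parentheses (allowed, no outer pair).
    print(build_filter("cn", "a.smith", "&(objectClass=inetOrgPerson)(cn:dn:=employees)"))
    # Constructed hostile login name: escaping keeps it a literal value.
    print(build_filter("cn", "*)(cn=admin", "cn:dn:=employees"))
```

The last call shows why escaping matters: without it the login name would close the username term and inject a second assertion; with it the server simply looks for a user whose cn is literally "*)(cn=admin".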
