LDAP query to authenticate a user in a child/nested group

Posted: Tue Mar 14, 2017 7:26 pm
by ronlevit

I have a problem configuring my server to authenticate users that are members of a nested AD group. I have a 'group1' that includes 'group2', which contains the user account I'm trying to authenticate.
When configured as in the example below, users that are members of 'group1' are authenticated successfully, but members of the nested AD group 'group2' are not.

```
<Authorization>
        # Base DN
        BaseDN          "OU=Users,DC=example,DC=com"

        # User Search Filter
        SearchFilter    "(sAMAccountName=%u)"

        # Require Group Membership
        RequireGroup    true

        <Group>
                BaseDN          "OU=Security Groups,DC=example,DC=com"
                SearchFilter    "(cn=group1)"
                MemberAttribute Member
        </Group>
</Authorization>
```

Based on this ... s.85).aspx article, SearchFilter can be configured to perform a recursive query that 'walks the chain of ancestry in objects' until it finds the user. However, when I configure the SearchFilter like that, authentication fails completely and the server logs a "TLS Auth Error: Auth Username/Password verification failed for peer" event.

```
SearchFilter    (&(objectClass=*)(objectCategory=person)(memberof:1.2.840.113556.1.4.1941:=CN=group1,OU=Security Groups,DC=example,DC=com))
```

What am I doing wrong? Does anyone have an example of a working config that does what I need? Any help will be much appreciated.
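As an added illustration (not part of the original post, and not code from the auth-ldap plugin), the Python below models what the matching rule `1.2.840.113556.1.4.1941` asks the domain controller to evaluate, a transitive walk up `memberOf` that must terminate even when groups nest each other, and shows a user-lookup filter that keeps the per-user `sAMAccountName` clause next to the chain clause while escaping the username per RFC 4515. The sample directory, DNs and function names are constructed assumptions, not data from the thread.

```python
# Added example (not from the original post): models what the
# LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) asks the
# DC to evaluate (transitive memberOf) and builds an escaped user filter.
from collections import deque

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
GROUPS = "OU=Security Groups,DC=example,DC=com"
USERS = "OU=Users,DC=example,DC=com"

# Constructed sample directory (DN -> memberOf DNs), not real AD data:
# user1 is only a direct member of group2, which is nested in group1;
# group3 and group4 nest each other, a cycle the walk must survive.
DIRECTORY = {
    f"CN=user1,{USERS}": [f"CN=group2,{GROUPS}"],
    f"CN=user2,{USERS}": [f"CN=group1,{GROUPS}"],
    f"CN=user3,{USERS}": [f"CN=group3,{GROUPS}"],
    f"CN=group2,{GROUPS}": [f"CN=group1,{GROUPS}"],
    f"CN=group1,{GROUPS}": [],
    f"CN=group3,{GROUPS}": [f"CN=group4,{GROUPS}"],
    f"CN=group4,{GROUPS}": [f"CN=group3,{GROUPS}"],
}

def member_in_chain(directory, entry_dn, group_dn):
    """Breadth-first walk up memberOf; the visited set makes cycles terminate."""
    seen, queue = set(), deque(directory.get(entry_dn, []))
    while queue:
        dn = queue.popleft()
        if dn.lower() == group_dn.lower():  # DNs compare case-insensitively
            return True
        if dn.lower() not in seen:
            seen.add(dn.lower())
            queue.extend(directory.get(dn, []))
    return False

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search_filter(username, group_dn):
    """Per-user clause plus chain clause: the search should return only the
    authenticating user, restricted to transitive members of group_dn."""
    return "(&(objectCategory=person)(sAMAccountName=%s)(memberOf:%s:=%s))" % (
        escape_filter_value(username), LDAP_MATCHING_RULE_IN_CHAIN, group_dn)
```

In a real deployment the directory server performs the walk; the point of the model is that a filter built this way matches user1 through group2 while still returning a single entry for the user being authenticated.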