AD Filter for Group Membership


When integrating LDAP / Active Directory with Pleasant Password Server, it is helpful to add a filter that checks for membership in a Security Group.

Use the steps from the relevant section below to set up a filter on either one Security Group or multiple Security Groups.

Filtering by Security Group Membership

To filter on a Security Group, filter on the AD attribute memberOf, which matches only users who are direct members of the group. (To filter on multiple Security Groups, see the section below.)

Step 1: Add users to a Security Group
  • Create or use an existing group
  • Add users directly to this group

In the future, all password server users will be added to this group.

Step 2: Change your Directory Settings

In your Directory settings under Search Filters > Advanced User Filter (or on the Import Users page):

  • Click Directory -> Click Advanced Settings -> Search Filters, Additional User Filters

Enter a MemberOf filter here for your new Password Server users Security Group, for example:

  • memberOf       is        CN=PasswordServerUsers,ou=Users,dc=Domain,dc=com

 


Filtering by Multiple Security Groups

If you have multiple existing Security Groups, we can filter on an AD attribute that reports all users in a group hierarchy (all users of a group, and all users of the groups that are members of that group).

  • memberOf:1.2.840.113556.1.4.1941:

Example

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • His memberOf attribute includes only Marketing
  • His memberOf:1.2.840.113556.1.4.1941: attribute rule includes both Marketing and Staff

Step 1: Add users to a Security Group
  • Create or use an existing group
  • Add users directly to this group

In the future, all password server users will be added to this group.

Step 2: Make groups members of this Security Group
Step 3: Change your Directory Settings

In your Directory settings under Advanced User Filter (or on the Import Users page):

  • Click Directory -> Click Advanced Settings -> Search Filters, Additional User Filters

Enter a new filter row here for your new Password Server users Security Group:

For example:

  • memberOf:1.2.840.113556.1.4.1941:       is        CN=PasswordServerUsers,ou=Users,dc=Domain,dc=com
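
The difference between the two filters, worked through on the Bob / Marketing / Staff case above. This is an added example, not code from Pleasant Password Server: the directory data, the user Alice and all function names are constructed for illustration, and it assumes an "attribute is value" filter row corresponds to an LDAP equality filter.

```python
IN_CHAIN = "1.2.840.113556.1.4.1941"  # the OID this page uses for nested membership
BASE = "dc=Domain,dc=com"
BOB, ALICE = f"CN=Bob,ou=Users,{BASE}", f"CN=Alice,ou=Users,{BASE}"
MARKETING, STAFF = f"CN=Marketing,ou=Groups,{BASE}", f"CN=Staff,ou=Groups,{BASE}"

# Constructed sample directory: entry DN -> its direct memberOf values.
# Bob is in Marketing, Marketing is in Staff, Alice is directly in Staff.
DIRECTORY = {BOB: [MARKETING], ALICE: [STAFF], MARKETING: [STAFF], STAFF: []}
USERS = [ALICE, BOB]

def escape_filter_value(value):
    """Escape characters that are special inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_of_filter(group_dn, nested=False):
    """Filter text for direct membership, or for the whole group chain."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"

def matches(entry_dn, group_dn, nested=False, directory=DIRECTORY):
    """Evaluate the filter against the sample data the way each rule behaves."""
    direct = directory.get(entry_dn, [])
    if not nested:
        return group_dn in direct
    seen, todo = set(), list(direct)
    while todo:                      # walk upward through parent groups
        group = todo.pop()
        if group not in seen:        # guards against circular nesting
            seen.add(group)
            todo.extend(directory.get(group, []))
    return group_dn in seen

def admitted_users(group_dn, nested=False):
    """Users the password server would see with this filter in place."""
    return sorted(u for u in USERS if matches(u, group_dn, nested))

if __name__ == "__main__":
    for nested in (False, True):
        print(member_of_filter(STAFF, nested))
        print("  admits:", admitted_users(STAFF, nested))
```

With the nested rule, every user of every group placed under the Security Group passes the filter, so review which groups are nested there before switching from the plain memberOf filter.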

 

 


Version from 18:11, 20 Jun 2018

This revision modified by CalebMathison (Ban)


Version as of 22:41, 17 Jan 2019

This revision modified by CalebMathison (Ban)
