AD Filter for Group Membership

Version from 22:43, 17 Jan 2019

This revision modified by CalebMathison

When integrating LDAP / Active Directory with Pleasant Password Server, it is helpful to add a filter that checks for membership in a Security Group.

Use the steps from the relevant section below to set up a filter on either one Security Group or multiple Security Groups.

Filtering by Security Group Membership

To filter on a Security Group, we can filter on an AD attribute called memberOf, which lists the groups an entry is a direct member of, so the filter matches all users who are direct members of a group. (To filter on multiple Security Groups, see the section below.)

Step 1: Add users to a Security Group
  • Create or use an existing group
  • Add users directly to this group

In the future, all password server users will be added to this group.

Step 2: Change your Directory Settings

In your Directory settings under Search Filters > Advanced User Filter (or on the Import Users page):

Enter a MemberOf filter here for your new Password Server users Security Group, for example:

  • memberOf       is        CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com

 

AD-Search-Filter-clause-pic.png

Filtering by Multiple Security Groups

If you have multiple existing Security Groups, we can filter on an AD attribute that reports all users in a group hierarchy (all users of a group, and all users of the groups that are members of that group).

  • memberOf:1.2.840.113556.1.4.1941:

Example

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • His memberOf attribute includes only Marketing
  • His memberOf:1.2.840.113556.1.4.1941: attribute rule includes both Marketing and Staff

     AdFilterNestedMemberOfStaffGroup.PNG

Step 1: Add users to a Security Group
  • Create or use an existing group
  • Add users directly to this group

In the future, all password server users will be added to this group.

Step 2: Make groups members of this Security Group
Step 3: Change your Directory Settings

On your Directory settings under Advanced User Filter (or on Import Users page):

  • Click Directory -> Click Advanced Settings -> Search Filters, Additional User Filters

Enter a new filter row here for your new Password Server users Security Group:

AD-Search-Filter-clause-pic.png

For example:

  • memberOf:1.2.840.113556.1.4.1941:       is        CN=PasswordServerUsers,ou=Users,dc=Domain,dc=com

 

 

Version as of 02:49, 19 Jan 2019

This revision modified by CalebMathison

We recommend setting up Directory Connection based on Security Group membership.

Use the steps from the relevant sections below to filter on one or more Security Groups.

Filtering by Security Group Membership

To successfully manage the directory users and roles you wish to use in Password Server, it is helpful to assign all of them to a Security Group. We can check either direct membership in one group or membership in multiple groups.

We can filter on directory users and roles from these locations:

  • Directory Settings: Advanced User / Role Filters
  • Import Pages: Search Filters

Step 1: Add users & roles to a Security Group

All password server users and roles would need to be added to this group.

  • Create or use an existing security group
  • Add all password server users and roles as members of this group

Step 2: Enter Search Filters
  • In the Directory settings or on the Import pages (for Users and for Roles), navigate to the Search Filters section. We will enter values in these empty input boxes:

    AD-Search-Filter-clause-pic.png

    • Multiple Groups membership (group and its subgroups):
      • memberOf:1.2.840.113556.1.4.1941:    is    CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com

        AdFilterNestedMemberOfStaffGroup.PNG
    • Direct Group membership:
      • memberOf       is        CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com

  • Repeat the process for setting up Roles.

Example

If you have multiple existing Security Groups, we can filter on the group hierarchy:

  • all users/roles of a group, and
  • all users/roles of the member subgroups

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • memberOf includes only Marketing
    • filters on just one group (direct membership only)
  • memberOf:1.2.840.113556.1.4.1941: includes both Marketing and Staff
    • filters on the group itself and all subgroup members
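
The difference between the two filter rows, as an added example (not part of Pleasant Password Server or its documentation): it builds the raw LDAP filters the rows correspond to, assuming "is" means equality, and evaluates them over constructed directory data modelled on the Bob / Marketing / Staff case. The OID is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule; the `dn`, `matches` and `admitted` helpers and all sample entries are hypothetical.

```python
# Added example: constructed data, no directory connection is made.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value: str) -> str:
    """Escape characters that are special in an LDAP filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def member_of_filter(group_dn: str, nested: bool = False) -> str:
    """Raw filter for a 'memberOf is <DN>' row (assumes 'is' means equality)."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"

def dn(cn: str) -> str:
    """Hypothetical helper: place every sample entry in the page's example OU."""
    return f"CN={cn},OU=Users,DC=Domain,DC=com"

USERS = ["Alice", "Bob", "Carol"]
# Constructed sample: entry DN -> its direct memberOf values.
MEMBER_OF = {
    dn("Alice"): [dn("Staff")],
    dn("Bob"): [dn("Marketing")],
    dn("Carol"): [dn("Contractors")],
    dn("Marketing"): [dn("Staff")],        # Marketing is nested in Staff
    dn("Contractors"): [],
    dn("Staff"): [],
}

def matches(entry_dn: str, group_dn: str, nested: bool = False) -> bool:
    """Would the filter for group_dn select entry_dn? DNs compare case-insensitively."""
    index = {k.lower(): [g.lower() for g in v] for k, v in MEMBER_OF.items()}
    target, direct = group_dn.lower(), index.get(entry_dn.lower(), [])
    if not nested:
        return target in direct
    seen, stack = set(), list(direct)
    while stack:                            # walk up the group hierarchy
        group = stack.pop()
        if group == target:
            return True
        if group not in seen:               # guards against circular nesting
            seen.add(group)
            stack.extend(index.get(group, []))
    return False

def admitted(group_cn: str, nested: bool = False) -> list:
    """Users the filter on the given group would bring into Password Server."""
    return [u for u in USERS if matches(dn(u), dn(group_cn), nested)]

if __name__ == "__main__":
    print(member_of_filter(dn("Staff"), nested=True))
    print(admitted("Staff"), admitted("Staff", nested=True))
```

With the nested rule, anyone later added to any subgroup is selected as well, so the set of accounts the filter admits depends on the membership of every group below the filtered one.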

     
