[Feature Request] LDAP Authentication

Madsonic Mashup Mod is a fork of the Subsonic 4.7 Server Build 3090 with some Subsonic Data schema modifications!


Postby tycoonbob » Sun Nov 25, 2012 8:15 pm

I just want to preface that I absolutely love this mod. I have been using SS since 4.6b1, and MadSonic since 4.6 was stable.

I would love to see LDAP authentication, which may be something only I want. I know you are working on FB integration which is cool, but being able to manage groups and users in AD would be awesome for me! I'm thinking LDAP authentication existed in version 4.6, but I can't remember. Think this is something you could do?

Thanks!
tycoonbob
 
Posts: 33
Joined: Mon Feb 06, 2012 2:49 pm

Re: [Feature Request] LDAP Authentication

Postby hairlesshobo » Sun Nov 25, 2012 9:47 pm

Madsonic still has LDAP authentication. It's under Settings > Advanced > LDAP authentication down at the bottom. Is this not what you're looking for?
hairlesshobo
 
Posts: 54
Joined: Tue Feb 15, 2011 4:34 pm

Re: [Feature Request] LDAP Authentication

Postby tycoonbob » Sun Nov 25, 2012 10:16 pm

Wow, can't believe I missed that.

So I have a question then. I can set this up where the LDAP URL points to my users, and everything works fine. I can either manually create users in SubSonic then enable LDAP Authentication, or I can allow SubSonic to create any user in that AD OU when they log in. I would like to set it up so that I point the LDAP URL at an AD Security Group, and only members of that group can log in.

I currently have the LDAP URL pointing at my group:
ldap://DC01.Domain.com:389/cn=SubSonic_Users,ou=Security Groups,ou=Accounts,dc=Domain,dc=com


and the LDAP search filter is set to the default:
(sAMAccountName={0})

(I also have an LDAP Manager DN specified with a password)

To be able to search for members of the specified group, do I need to use a different search filter? I can play around with it and hopefully figure it out, but I am hoping someone will know the quick answer.
tycoonbob
 
Posts: 33
Joined: Mon Feb 06, 2012 2:49 pm

Re: [Feature Request] LDAP Authentication

Postby hairlesshobo » Sun Nov 25, 2012 11:34 pm

I am not familiar with AD in particular, but when I had my subsonic server synced with OpenLDAP back in the day, I had my filter setup to only allow people who had been given explicit access to subsonic and it worked wonders. Shouldn't be too hard to figure out how to filter by group in AD. I'd Google it.

Good luck!

-Steve
hairlesshobo
 
Posts: 54
Joined: Tue Feb 15, 2011 4:34 pm

Re: [Feature Request] LDAP Authentication

Postby hairlesshobo » Mon Nov 26, 2012 12:54 am

You might try pointing your URL to the cn containing your users, and add this to your filter:

(&(memberOf=cn=crowd-users,cn=Users,dc=domain, dc=com))

Obviously change it to your domain and group name
hairlesshobo
 
Posts: 54
Joined: Tue Feb 15, 2011 4:34 pm

Re: [Feature Request] LDAP Authentication

Postby tycoonbob » Wed Nov 28, 2012 2:07 pm

hairlesshobo wrote: You might try pointing your URL to the cn containing your users, and add this to your filter:

(&(memberOf=cn=crowd-users,cn=Users,dc=domain, dc=com))

Obviously change it to your domain and group name


That is an excellent idea. I will give it a try and report back.

I previously had it set up to do a class= user search on a security group, but it seemed hit or miss whether it worked.
tycoonbob
 
Posts: 33
Joined: Mon Feb 06, 2012 2:49 pm

Re: [Feature Request] LDAP Authentication

Postby tycoonbob » Wed Nov 28, 2012 2:33 pm

So I got it working, after 15 minutes and some work in ADSI edit.

LDAP URL:
ldap://DC01.Domain.com:389/DC=Domain,DC=com

LDAP Search Filter:
(&(sAMAccountName={0})(&(objectCategory=user)(memberof=CN=SubSonic_Users,OU=Security_Groups,OU=Accounts,DC=Domain,DC=com)))

LDAP Manager DN:
CN=SubSonic Service Account,OU=Service Accounts,OU=Accounts,DC=Domain,DC=com

Password:
(Set to the password of the LDAP Manager account--only permissions on that account is Domain User)

This is all in a Server 2012 Active Directory environment (2012 Forest AND Domain levels). Basically what is happening is the filter is searching for any user object that is a member of the SubSonic_Users Security Group, from anywhere in the domain...and allows them to authenticate!

Hope this helps someone.
tycoonbob
 
Posts: 33
Joined: Mon Feb 06, 2012 2:49 pm
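
The working filter from the post above, exercised offline as an added example (not part of the original thread and not Subsonic or Madsonic code). The directory entries are constructed, the evaluator handles only the filter subset used here, and it assumes the application escapes the login name per RFC 4515 before substituting it for {0}.

```python
import re

# Search filter from the post above; {0} is replaced with the login name.
TEMPLATE = ("(&(sAMAccountName={0})(&(objectCategory=user)(memberof="
            "CN=SubSonic_Users,OU=Security_Groups,OU=Accounts,DC=Domain,DC=com)))")
GROUPS = "OU=Security_Groups,OU=Accounts,DC=Domain,DC=com"
# Constructed entries (simplified attribute values), not real directory data.
DIRECTORY = [
    {"samaccountname": ["alice"], "objectcategory": ["user"],
     "memberof": ["CN=SubSonic_Users," + GROUPS]},
    {"samaccountname": ["bob"], "objectcategory": ["user"],
     "memberof": ["CN=Other_Group," + GROUPS]},
    # carol's group is itself a member of SubSonic_Users (nested membership)
    {"samaccountname": ["carol"], "objectcategory": ["user"],
     "memberof": ["CN=Music_Fans," + GROUPS]},
]

def escape_value(value):
    """RFC 4515 escaping, so a login name is always matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse(f, i=0):
    """Parse the subset used here: (&...) and (attr=value), '*' as wildcard."""
    if f[i + 1] == "&":
        children, i = [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            children.append(node)
        return ("and", children), i + 1
    end = f.index(")", i)
    attr, raw = f[i + 1:end].split("=", 1)
    regex = ".*".join(re.escape(unescape(p)) for p in raw.split("*"))
    return ("eq", attr.lower(), re.compile(regex, re.I | re.S)), end + 1

def matches(node, entry):
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    return any(node[2].fullmatch(v) for v in entry.get(node[1], []))

def allowed_logins(login, directory=DIRECTORY):
    """Return the account names the filled-in filter selects for this login."""
    tree, _ = parse(TEMPLATE.replace("{0}", escape_value(login)))
    return [e["samaccountname"][0] for e in directory if matches(tree, e)]

if __name__ == "__main__":
    print({n: allowed_logins(n) for n in ("alice", "bob", "carol", "*")})
```

carol is rejected because memberOf lists direct memberships only; in Active Directory, nested membership can be matched with the LDAP_MATCHING_RULE_IN_CHAIN rule, written as (memberOf:1.2.840.113556.1.4.1941:=<group DN>).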

Re: [Feature Request] LDAP Authentication

Postby hairlesshobo » Wed Nov 28, 2012 3:41 pm

Glad to hear you got it working! And thanks for posting the outcome for others, most people tend to skip that once they have fixed something.

Have fun!

-Steve
hairlesshobo
 
Posts: 54
Joined: Tue Feb 15, 2011 4:34 pm

