How to filter (syntax) the LDAP groups?

JeRoen shared this question 7 months ago
Answered

Hello,

We are evaluating YF and try to link to our LDAP server. In the LDAP configuration there is a "LDAP Group Filtering Criteria" option. I tried defining a LDAP path there like "ou=groups,dc=company,dc=com" but when I am listing the LDAP groups I still see (many) groups outside this LDAP path.

I can not set my BASE DN to this value as my users are in a seperate ou=people folder. That is why I have to set my BASE DN to dc=company,dc=com but that gets a lot of folders in LDAP.

Can somebody explain to me how the syntax should be? Thanks in advance.

Jeroen

Comments (10)

photo
1

Hi Jeroen,

Thanks for reaching out with the issue you're facing. I'd like to start by addressing the functionality of the 'LDAP Group Filtering Criteria' field. This does not tell Yellowfin which users or groups can use Yellowfin, but rather tells Yellowfin which LDAP Groups to display when searching groups within the application.

The actual parameter you need to analyze for Yellowfin membership is the 'LDAP Group' Parameter. I suggest verifying this has not been set to a generalized group.

Can you confirm the value there?

The following is a working example found in the 'LDAP Group' parameter:

cn=user,ou=User Groups,ou=uidGroups,ou=groups,o=Example University,c=en
Hopefully this helps! Please let me know if you have any further questions.

Regards,

Mike

photo
1

Hello Mike,

Thank you for your response. I do understand the different use-cases for the "LDAP group" and LDAP Group Filtering Criteria". In our case the "LDAP Group" is pointing to a group containing all the users we want to give access to YF. The value of that field is "cn=YFusers,ou=Reporting Groups,dc=xxxxx,dc=com".

I would like to use the "LDAP Groups Filtering Criteria" because in our "LDAP BASE DN" we have like 7 folders containing groups for different applications. The above mentioned "ou=Reporting Groups" is only one of them, but that is the one containing all the groups we want to use in YF. When I am using the search value in YF for LDAP groups I would like yellowfin to only search in the "Reporting Groups" folder and not the 6 other folders. We do not want to use the groups in the other folders.

The reason why I can't set my "LDAP BASE DN" to the "Reporting Groups" value is that my "People" groups is one of the 7 folders in the LDAP BASE DN. So if I point my LDAP BASE DN to "Reporting Groups" the users can't be validated.

I tried setting the "LDAP Groups Filtering Criteria " to "ou=Reporting Groups,dc=xxx,dc=com" but then no groups are found at all. And in the tutorial discussing configuring LDAP this option is ommited.

So I hope you understand now why I need the filtering of groups and would like to understand how this field need to be configured.

Kind regards,

Jeroen

photo
1

Hi Jeroen,

Thanks for your reply and additional information. I'm not remarkably fluent with Active Directory, however, I can say based on what you've specified you've input into the LDAP Groups Filtering Criteria box that this would not be correct as it does not seem to follow AD Search Filter Syntax.

Please reference the following Knowledge Base article for more details: https://community.yellowfinbi.com/knowledge-base/article/how-do-i-filter-the-list-of-groups-returned-from-ldap-groups-within-yellowfin

In this article, there's an example of something you could put in the LDAP Groups Filtering Criteria box: '(!(name=*Group*))' ), which means any group with the name Group will NOT be displayed in the list. There's also a link to a Microsoft article on Search Filter Syntax in Active Directory, which gives more syntax examples. The query will have to contain logical operators, which your example does not.

This article may also prove helpful: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

Please look through these and Microsoft's articles for some query examples and let me know if you have any further questions.

Regards,

Mike

photo
1

Hi Jeroen,

I just wanted to check in and see how things are going with this.

Regards,

Mike

photo
1

Hello,


Just an update. We had a (web) meeting with Brett and he found out that the LDAP is not storing the usernames in YF correctly if no FirstName attribute is configured. As we only store emailadress we did not configured that option. After adding the FirstName attribute in the LDAP configuration I could login as other users.

The issue with the group filtering is not solved yet. Defining a filter for a certain path in LDAP with all (dynamic) folders below is apparently not so simple.

It would be nice if different BASE_DN could be configured for the People folder and the groups folder as I think our configuration is not very 'exotic'.

I will let it know here when I get a way to get the filter right.


Kind regards,

Jeroen

photo
1

Hi JeRoen,

Thanks for your reply. I created a working LDAP configuration example and subsequent group filter based off the parameters found in our LDAP Authentication Configuration article.

I'm not exactly sure how my setup contrasts with yours, but I'll detail mine.

If I head into Active Directory, this is my setup:

/mDpoFDQAAAABJRU5ErkJggg==

As expected, using the parameters listed in the article above and leaving "LDAP Group Filtering Criteria" blank, when I search for members, I see every group:

/ATqCwAFn3nMFAAAAAElFTkSuQmCC

When I enter the following filter query into the "LDAP Group Filtering Criteria" however, I get just three groups as my options:

(&(objectClass=*)(|(|(|(cn=YFgroup))(cn=YFAdminGroup))(cn=DeleteGroup)))
/eXZvlJeT1XrPUl9+EWbesLyyMoQAEKUIACXS3AQNvV4jwfBShAAQr0KAEG2h5V3SwsBShAAQp0tQADbVeL83wUoAAFKNCjBBhoe1R1s7AUoAAFKNDVAv8f4j5SaJt0gVAAAAAASUVORK5CYII=

Is this the aspect you're unable to get working thus far, or is that the case that you're unable to see groups from your other BASE_DN?

Regards,

Mike

photo
1

Hello Mike,

Thank you for your effort. This is indeed the issue I am facing. I do not want to see all groups but only groups from a certain folder ("Yellowfin folder" in your example). But in my "YellowFin folder" there are multiple sub-folders with in total about 350 groups. I would like to see only those 350 groups in the "Yellowfin folder". Adding them all to the search option is not an option I would prefer (might also have a limit to the text it can contain I imagine).

I contacted our LDAP expert (external) about how to do this and he gave me some options. I will keep trying to get this right but communication with him is a bit slow because of busy calendars.

I will keep working on it on my side and will let you know when I have a solution.

Kind regards,

Jeroen

photo
1

Hi JeRoen,

Thanks for your response. I understand your query now. Based on all available information I can find indicates that you can not use the target OU as part of the filter. This is a limitation of Active Directory itself, so in order to accomplish what you're after, this will require some sort of workaround. Here's one example from Microsoft of several credentialed and highly upvoted users discussing this: ldap_query all users in one OU.

Considering that this is a limitation of AD itself, I think this will take some sort of creative workaround I think. One possibility would be adding an OU-specific dummy user to each group and filtering based on that. In my example, I could do something like Yellowfin_Folder_OU_user, and add that to each group in my OU, then filter by that instead. So now, if I had another OU, say 'Non-Yellowfin Folder', I could now exclude 'Non-Yellowfin Folder' groups, since the user I filtered by (Yellowfin_Folder_OU_user) is now only a part groups in the 'Yellowfin Folder' OU. Hopefully this makes sense.

Either way, this will have to require some sort of solution along these lines as this functionality seems to just not be possible in Active Directory itself. Please let me know what you come up with here.

Regards,

Mike

photo
1

Hello Mike,

Thank you for your message. It got me thinking and as I do have administrator access to the LDAP server I tried adding a description attribute to the groups I do want to see in YellowFin. I filled the description attribute with the value YF and simple added the filter (description=YF) to the YellowFin LDAP configuration and all works as I expected.

I am not sure way I did not think about this sooner. Maybe because I was trying to hard to make it work using the current configuration in LDAP without changing anything.

For this I will need to add this attribute to all groups I do want to see in YellowFin (350+) but as this is a one-time action it is not a problem to do that. We only need to remember to add the description attribute to new usergroups when they are added in LDAP in the specific folder or below.

Thanks again for all your effort.

Kind regards,

Jeroen

photo
1

Hi Jeroen,

Excellent. Glad you've found a workable solution here! As such, I'll go ahead and mark this as Answered, but if you wind up having any further questions or concerns regarding this, or anything else, please don't hesitate to reach back out and I'll be happy to assist further.

Regards,

Mike