New Contributor
Posts: 2
Registered: ‎04-02-2014

LDAP Lookup for Sponsor Restriction.

Hi,

I have a CPPM setup where I am trying to accomplish the following for Sponsor Restriction.

1- User will manually type in the sponsor email address in the Text field. I am using Sponsor Email Field for the same.

2- That email ID should be looked up in the AD database to verify whether it is part of a specific group or not.

3- If yes, it should allow the email ID to be a sponsor; otherwise it should deny that email as a valid sponsor.

Here is my current configuration:

Sponsor Email:

I have configured the Sponsor_Email field with an email validation using the below query:

array (
  'allow' => array (
    0 => 'shire.com',
  ),
  'deny' => array (
    0 => '*',
  ),
)

Server LDAP Filter:

I have configured a custom LDAP Filter under the Server Configuration as below:

(&
  (objectClass=user)
  (objectCategory=person)
  (|
    # Match users in this group
    (memberOf=CN=GL-CPPM_SPONSORS,OU=Security-Groups,OU=Domain-Groups,DC=corp,DC=shire,DC=com)
  )
  (|
    # Match users by any of these criteria
    (sAMAccountName=*@SEARCH@*)
    (displayName=*@SEARCH@*)
    (cn=*@SEARCH@*)
    (mail=*@SEARCH@*)
  )
)

DO_LDAP_Lookup:

I have enabled the Do LDAP Lookup as a hidden field to perform the lookup and give the results.

With this configuration, it is doing the lookup for all valid emails but not restricting to the sponsors that are part of the specified group. Any help will be greatly appreciated.

Regards

Nalin

Regular Contributor II
Posts: 226
Registered: ‎03-03-2011

Re: LDAP Lookup for Sponsor Restriction.

You could do this slightly differently by using the sponsor_lookup field with a select2 interface.

This still allows the group restriction and does an interactive lookup on the fields specified in the Operator Login server configuration.

If you wanted to force the user to type the majority of the email address before the lookup occurred you could force x amount of characters being entered before the lookup is done.

David
ACDX #98 | ACMP | ACCP
Aruba Employee
Posts: 101
Registered: ‎03-15-2011

Re: LDAP Lookup for Sponsor Restriction.

It may be a little confusing, but the custom Filter Expression is only used for the on-the-fly display results of a field (sponsor_lookup) with the 'Enable searching and advanced UI' flag set. Our default search is a wildcard search on a few common fields, but other LDAP/AD systems may use different fields, or the size may be so large that a starts-with search is needed over a contains. Either way, on save a second check is made on the field itself and the entire dataset is returned from that call and used for the attribute matching section. That call uses the normal Server URL lookup. That URL supports a filter within the RFC2255 syntax. It is all best described at https://afp.arubanetworks.com/afp/index.php/How-to:_Sponsored_Self-Registration#LDAP_Sponsor_Lookups. A couple of good links on the LDAP URL syntax are given too.

New Contributor
Posts: 2
Registered: ‎04-02-2014

Re: LDAP Lookup for Sponsor Restriction.

Hi All,

Thanks a lot for your suggestions and inputs. I got this issue resolved with the following solution.

All configuration remains the same, except that in Guest Manager => Server Config the Server URL is changed to:

"ldap://<AD Server Name>/DC=corp,DC=shire,DC=com???memberOf=CN=GL-CPPM_SPONSORS,OU=Security-Groups,OU=Domain-Groups,DC=corp,DC=shire,DC=com"

And it worked perfectly as expected.
