Sitemap

AD Filter for Group Membership

For large AD/LDAP directories, we recommend setting up your Directory Connection based on Security Group membership. Password Server users and roles will be filtered and synchronized automatically based existing AD/LDAP group membership.

To successfully manage Directory users and roles, it is helpful to assign users to a Security Group, ensuring that all Password Server users must be members (directly or indirectly) of this Security Group before they are permitted to log in.

These filters can be defined in the Directory connection settings, or for a one-time import of Users or Roles.

Filters can be found in these locations:

  • Directory Settings: Advanced User / Role Filters
  • Import Pages: Search Filters

Related Topic:

Filtering by Security Group Membership

Step 1: Add Users to a Security Group

Add all the AD/LDAP user accounts who will have access to Password Server to this Security Group.

  1. Create a Security Group
    • or use an existing one, for example, "PasswordServerUsers"
  2. Copy the "Distinguished Name" of the group
    • This value is visible in the Attribute tab.To see this tab, you may need to enable: View menu > Advanced.
    • You will copy this value into your Directory settings (in step 2)
  3. Add Password Server user accounts directly or indirectly. (See an explanation in the "Example" section, bottom of page):
    • User accounts can be added one-by-one underneath, or,
    • As many User Groups - subgroups nested under this Security Group
  4. (Optionally) Add Groups to this Security Group
    • If you are importing Groups into Password Server, you can filter them with this method too.
    • Any groups added to this Security Group could be imported into Password Server.

Step 2: Add an Advanced User Filter

  • Open the Directory connection settings (or an Import pages for Users or Roles)
    • Navigate to the Advanced Settings link > Search Filters > Additional User Filters section.
    • Enter the filter values here, into these empty input boxes:
    • Ad search filter clause
  • Examples
    • memberOf       is        CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com
      • This will filter all member users

    • memberOf:1.2.840.113556.1.4.1941:    is   CN=PasswordServerUsers,OU=Users,DC=Domain,DC=com
      AD filter nested member of staff group
      • This would filter all the member users in the group, as well as all users in the subgroups

  • For further explanation see the "Example" section, at the bottom of the page.

Step 3: (Optional) Add an Advanced Group Filter

You will want to use and Advanced Group Filter if:

  • If you plan to import groups into password server,
  • Your groups are found in different locations in the Directory

Otherwise, you can filter groups by using the Group Relative DN.

To setup an Advanced Group Filter, repeat the same process as for users. Ensure all groups you want to import into Password Server are in this Security Group:

  • Advanced Settings > Search Filters > Additional Group Filters

Example

If you have multiple existing Security Groups, we can filter on the group hierarchy:

  • all users/roles of a group, and
  • all users/roles of the member subgroups

For example, if a user Bob is a member of Marketing, and Marketing is a member of the group Staff:

  • memberOf includes only Marketing
    • will filter on this group (direct membership only)

  • memberOf:1.2.840.113556.1.4.1941: includes both Marketing and Staff
    • will filter on all group itself and all subgroup members (indirect membership)

     

References: