Restrict AD Logins and User Lookup

Restricting AD user and group lookup using an LDAP filter.

The objective is to restrict PAM logins to a specific security group, so that an object's Grant Access (permissions) dialog shows only the authorized users in the lookup.


The LDAP query is located in the file $PAM_HOME/web/conf/catalina.properties, in the property ldap.authn.searchFilter. It is an AD/LDAP query that limits which accounts can log in (with basic authentication) and which accounts appear in user lookups.

This property uses {0} as a placeholder for an account.

If you use the Federated Sign-In module, then the property to restrict login is cas.authn.ldap[1].userFilter with the account placeholder {user}.


The default value for ldap.authn.searchFilter is sAMAccountName={0}.

To switch to UPN authentication you can use UserPrincipalName={0}. Below is an example of a more complex filter that limits the user base to an AD group:

(&(UserPrincipalName={0})(memberOf=CN=Group,OU=Users,DC=company,DC=com))


Another popular way is to keep the search filter as is and instead narrow the search base, that is, the branch of the AD forest that is searched, using the parameters below.

This method is a quick way to limit the user base to some OU.

Both methods could be used together.

ldap.rootDn
ldap.baseDn
ldap.roleBase
cas.authn.ldap[1].baseDn
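The following is an added illustration, not code from the PAM product or its documentation, of how the two restrictions above combine: the {0} placeholder is substituted with the login name (escaped per RFC 4515, because an unescaped name could rewrite the filter), the resulting group filter is evaluated against a few constructed directory entries, and the search base (the baseDn parameters) is applied as a DN suffix check. The group DN, base DN and the sample entries are hypothetical; a real directory server does the matching, and this toy evaluator only handles equality assertions joined by &.

```python
"""Added example (not part of the PAM documentation): build the
ldap.authn.searchFilter string safely and check which constructed AD
entries it admits once the search base is also narrowed."""
import re
from dataclasses import dataclass, field

# Hypothetical values, not taken from any product configuration.
GROUP_DN = "CN=PAM-Users,OU=Groups,DC=company,DC=com"
FILTER_TEMPLATE = f"(&(UserPrincipalName={{0}})(memberOf={GROUP_DN}))"
BASE_DN = "OU=Staff,DC=company,DC=com"


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    The login name lands in the {0} placeholder, so a name such as
    *)(objectClass=* would otherwise change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 escaping (\\xx hex sequences) for comparison."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_search_filter(template: str, account: str) -> str:
    """Substitute the {0} placeholder the way ldap.authn.searchFilter expects."""
    return template.replace("{0}", escape_filter_value(account))


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used here: equality assertions joined by '&'.

    Returns ("and", [children]) or ("eq", attribute, value)."""
    if not text.startswith("("):  # the default sAMAccountName={0} has no parentheses
        text = f"({text})"

    def parse(i: int):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        if text[i + 1] == "&":
            children, i = [], i + 2
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
            if text[i] != ")":
                raise ValueError(f"expected ')' at offset {i}")
            return ("and", children), i + 1
        end = text.index(")", i)  # escaped values never contain a raw ')'
        attr, value = text[i + 1:end].split("=", 1)
        return ("eq", attr.lower(), unescape_filter_value(value)), end + 1

    node, consumed = parse(0)
    if consumed != len(text):
        raise ValueError("trailing characters after filter")
    return node


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute names


def evaluate(node, entry: Entry) -> bool:
    """Evaluate a parsed filter; AD compares these attributes case-insensitively."""
    if node[0] == "and":
        return all(evaluate(child, entry) for child in node[1])
    _, attr, value = node
    return any(value.lower() == v.lower() for v in entry.attrs.get(attr, []))


def under_base_dn(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies in the subtree below it."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


# Constructed directory: one authorized user, one outside the group,
# one in the group but outside the search base.
DIRECTORY = [
    Entry("CN=Alice,OU=Staff,DC=company,DC=com",
          {"userprincipalname": ["alice@company.com"], "memberof": [GROUP_DN]}),
    Entry("CN=Bob,OU=Staff,DC=company,DC=com",
          {"userprincipalname": ["bob@company.com"],
           "memberof": ["CN=Other,OU=Groups,DC=company,DC=com"]}),
    Entry("CN=Carol,OU=Contractors,DC=company,DC=com",
          {"userprincipalname": ["carol@company.com"], "memberof": [GROUP_DN]}),
]


def lookup(account: str, template: str = FILTER_TEMPLATE,
           base_dn: str = BASE_DN, directory=DIRECTORY) -> list:
    """Return the DNs a search with this filter and base would find for account."""
    node = parse_filter(build_search_filter(template, account))
    return [e.dn for e in directory if under_base_dn(e.dn, base_dn) and evaluate(node, e)]


if __name__ == "__main__":
    for name in ("alice@company.com", "bob@company.com", "carol@company.com", "*"):
        print(name, "->", lookup(name))
```

Only Alice is found: Bob is not a member of the group, Carol is a member but sits outside the base DN, and a wildcard login name is escaped to \2a and matched literally. One caveat when relying on memberOf in AD: it matches direct membership only; nested membership requires the AD matching-rule-in-chain form, (memberOf:1.2.840.113556.1.4.1941:=CN=Group,...), which this toy evaluator does not implement.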