I have LDAP working and I am able to log in with any users that I put in the user section. Any user that is listed under a group cannot log in. Should a user be able to log in as long as they are in a group?
For authentication, the user information (uid + password) is needed. It does not matter which members the groups have.
So do the users have to be listed in the user section? We were trying to control access by using groups.
Yes, every user who wants to log in must be in the user section. You could use the LDAP search filter and add an LDAP property to every user who should be able to log in.
So what is the purpose of the Groups section under “Users/Groups” then? If that does not control the users, why do I need to add a group for my LDAP?
- If you craft a user search filter, you can allow only members of some group (or OU) to log in.
- The purpose of the Groups section under “Users/Groups” is to show you the members of each group.
- The purpose of groups is to group similar users in a named context, so you can easily navigate in the roster. When LDAP integration is used, you can benefit from single user management and replicate the logical structure of your organization within the roster. Let's imagine that you have 2 groups, 'Sales' and 'IT', in your LDAP structure. You can tie them to the roster, so anyone logged in will see 2 groups populated with members. Now imagine that you have 100 groups and 5000 users.
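The group-restricted user search filter suggested in the replies, as an added example that is not part of the original thread: it builds the filter with RFC 4515 escaping and models which constructed entries it would select. It assumes user entries expose membership in a `memberOf` attribute (Active Directory, or OpenLDAP with the memberof overlay); the helper names, DNs and entries are hypothetical.

```python
# Added example. Assumes user entries carry group membership in `memberOf`.
# All DNs and directory entries below are constructed for illustration.

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special characters)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def login_filter(uid_attr, group_dns):
    """Filter matching person entries that belong to at least one allowed group."""
    if not group_dns:
        # Without a group clause the filter would match every user.
        raise ValueError('at least one group DN is required')
    clauses = ''.join('(memberOf=%s)' % escape_filter_value(dn) for dn in group_dns)
    if len(group_dns) > 1:
        clauses = '(|%s)' % clauses
    return '(&(objectClass=person)(%s=*)%s)' % (uid_attr, clauses)

def selected(entry, uid_attr, group_dns):
    """Local model of the filter on a dict entry (DNs compared case-insensitively)."""
    allowed = {dn.lower() for dn in group_dns}
    classes = {c.lower() for c in entry.get('objectClass', [])}
    member_of = {dn.lower() for dn in entry.get('memberOf', [])}
    return 'person' in classes and bool(entry.get(uid_attr)) and bool(allowed & member_of)

CHAT_GROUP = 'cn=Chat (Sales),ou=Groups,dc=example,dc=com'  # constructed
DIRECTORY = [  # constructed sample entries
    {'uid': ['alice'], 'objectClass': ['person'], 'memberOf': [CHAT_GROUP]},
    {'uid': ['bob'], 'objectClass': ['person'],
     'memberOf': ['cn=IT,ou=Groups,dc=example,dc=com']},
    {'uid': ['carol'], 'objectClass': ['person'], 'memberOf': []},
]

def allowed_uids(group_dns):
    """UIDs of the sample entries the filter would let log in."""
    return [e['uid'][0] for e in DIRECTORY if selected(e, 'uid', group_dns)]

if __name__ == '__main__':
    print(login_filter('uid', [CHAT_GROUP]))
    print(allowed_uids([CHAT_GROUP]))
```

The parentheses in the group's CN are escaped as `\28` and `\29`; left unescaped they would change the filter's structure.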