
Something useful that you can use either in testing or when upgrading customers that use Kerberos:

Our LDAP settings have an option to use an LDAP filter so that you don't import every user from a customer's Active Directory. Some customers don't want all of their users imported, which is understandable.

Before you run a sync in Keycloak, you can therefore add an LDAP filter like the one below:

(&(objectCategory=Person)(sAMAccountName=*)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=KryonAWS,DC=com))

This filter imports every AD user account that is a member of our Domain Admins group. The ":1.2.840.113556.1.4.1941:" part is the LDAP_MATCHING_RULE_IN_CHAIN rule, so users that belong to Domain Admins through a nested group are matched as well, not only direct members. If you would like to import only localadmin, change it to:

(&(objectCategory=Person)(sAMAccountName=localadmin)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=KryonAWS,DC=com))

Wildcards also work here. If, for example, the customer's account names share a common prefix (@Dora Mihaleva, like the ones in our upgrade did), you can use a wildcard condition:

(&(objectCategory=Person)(sAMAccountName=rpa.user.*)(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=KryonAWS,DC=com))

Note that "CN=Domain Admins,CN=Users,DC=KryonAWS,DC=com" is the distinguished name of the group on a specific domain controller; the group's container (CN=Users here) and the DC= components must be changed to match the customer's domain. This DN is for our DC, and you can use it for testing.

You can also use the "Use Active Directory Groups to Authenticate" option in the installer to achieve this, or at least to generate a template filter string that can be modified later.
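As an added example (not part of the original post, and not Keycloak's or Atlassian's code), here is a small Python script that builds the three filters above and checks them offline against a constructed sample directory, so you can see what the in-chain rule does before pointing Keycloak at a customer's DC. It also escapes the account-name value per RFC 4515, which matters if you ever paste a customer-supplied name into the filter, since "(", ")", "*" and "\" would otherwise change the filter's structure. The group DN and the OID are the ones from the post; the "RPA Admins" group, the DIRECTORY entries and the user names are made up for the demonstration.

```python
"""Build the AD user-sync filters from this post and check them offline.

Added example, not code from the original post, Keycloak or Atlassian.
The group DN and the matching-rule OID are the ones in the post; the
DIRECTORY below is constructed sample data, not a real domain.
"""
import re

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN: nested membership
GROUP_DN = "CN=Domain Admins,CN=Users,DC=KryonAWS,DC=com"

# RFC 4515 escapes for characters that would otherwise change the filter's structure.
_ESC = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value, keep_wildcard=False):
    """Escape a value for use inside a filter; '*' survives only as an intended wildcard."""
    return "".join(c if (c == "*" and keep_wildcard) else _ESC.get(c, c) for c in value)


def build_sync_filter(sam_pattern, group_dn=GROUP_DN, allow_wildcard=True):
    """Return the AND filter shown in the post, with the sAMAccountName value escaped."""
    return ("(&(objectCategory=Person)"
            f"(sAMAccountName={escape_value(sam_pattern, allow_wildcard)})"
            f"(memberOf:{IN_CHAIN}:={escape_value(group_dn)}))")


def _unescape(segment):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), segment)


def _value_matches(pattern, actual):
    """Match an assertion value against an attribute value; '*' is a wildcard, '\\2a' is literal."""
    if pattern == "*":                      # presence test: attribute must have a value
        return bool(actual)
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.IGNORECASE) is not None


def _groups_of(dn, directory, transitive):
    """Direct memberOf values, or the whole nesting chain when the in-chain rule is used."""
    seen, todo = set(), list(directory[dn].get("memberOf", []))
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        if transitive and group in directory:
            todo.extend(directory[group].get("memberOf", []))
    return seen


_ASSERTION = re.compile(r"\((\w+)(?::([\d.]+):)?=([^)]*)\)")


def evaluate(filter_str, dn, directory):
    """Evaluate an '(&(a=b)(c=d)...)' filter, the shape used in the post, against one entry."""
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("only a top-level AND of simple assertions is supported")
    entry = directory[dn]
    for attr, rule, value in _ASSERTION.findall(filter_str[2:-1]):
        if attr.lower() == "memberof":
            groups = _groups_of(dn, directory, transitive=(rule == IN_CHAIN))
            if not any(_value_matches(value, g) for g in groups):
                return False
        elif rule:
            raise ValueError(f"unsupported matching rule {rule} on {attr}")
        elif not _value_matches(value, str(entry.get(attr, ""))):
            return False
    return True


# Constructed sample directory: Domain Admins contains the user localadmin directly and the
# group "RPA Admins", whose members are the rpa.user.* accounts. jdoe is in no group.
# (Real AD stores objectCategory as a DN; the short form is enough for this check.)
RPA_GROUP_DN = "CN=RPA Admins,OU=Groups,DC=KryonAWS,DC=com"
DIRECTORY = {
    GROUP_DN: {"objectCategory": "Group"},
    RPA_GROUP_DN: {"objectCategory": "Group", "memberOf": [GROUP_DN]},
    "CN=localadmin,CN=Users,DC=KryonAWS,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "localadmin", "memberOf": [GROUP_DN]},
    "CN=rpa.user.01,OU=RPA,DC=KryonAWS,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "rpa.user.01", "memberOf": [RPA_GROUP_DN]},
    "CN=jdoe,CN=Users,DC=KryonAWS,DC=com": {
        "objectCategory": "Person", "sAMAccountName": "jdoe", "memberOf": []},
}


def matching_users(filter_str, directory=DIRECTORY):
    """DNs of the entries the filter would let Keycloak import, sorted for stable output."""
    return sorted(dn for dn in directory if evaluate(filter_str, dn, directory))


if __name__ == "__main__":
    for pattern in ("*", "localadmin", "rpa.user.*"):
        print(build_sync_filter(pattern))
        print("   ->", matching_users(build_sync_filter(pattern)))
    # Dropping the in-chain rule turns this into a direct-membership test, so rpa.user.01 is lost.
    print("direct only ->", matching_users(build_sync_filter("rpa.user.*").replace(f":{IN_CHAIN}:", "")))
```

The rpa.user.* case is the one to watch: those accounts reach Domain Admins only through the nested "RPA Admins" group, so they are imported with the in-chain rule and silently dropped if it is removed. The evaluator only understands the top-level AND of simple assertions used in this post; it is a sanity check for the filter's shape, not a replacement for trying the filter against the customer's DC.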

More info on the topic:

https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
