On 09/23/2014 08:22 PM, Bruce Cran wrote:
> Should it be possible to use a more complex filter in the Custom LDAP
> User Search Filter field? For example I'd like to restrict access to a
> single AD/LDAP group, so I tried something like:
> (&(accountusername=%s)(memberOf=CN=agroup,CN=Users,DC=corp,DC=domain,DC=com))
> However, I couldn't get it to work: reviewboard.log reported that it
> couldn't contact the LDAP server, which is odd because just changing
> the filter field fixed it.

I'm not sure why you got the contact error, but I should warn you that
the filter you're trying to use there won't really work (or at least,
not the way you think it will). Active Directory's "memberOf" attribute
only handles direct memberships, not indirect ones. So a user who is a
member of group A which is a member of group B will not have
memberOf(group B) in their attributes, even though the nested group
membership should have it.

For stuff like that, you need to start playing around with the
tokenGroups attribute, but I'm not even going to pretend to be willing
to try to explain that one. Check Microsoft documentation.

Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
Happy user? Let us know at http://www.reviewboard.org/users/
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to