You can now restrict what LDAP users can login based on LDAP membership groups (#4415)

2025-11-07 12:52:54 -05:00 · 2022-08-21 14:05:51 -07:00
parent 8d1eab20e5
commit daa4c60b77
4 changed files with 42 additions and 9 deletions
--- a/meshcentral-config-schema.json
+++ b/meshcentral-config-schema.json
@@ -549,6 +549,8 @@
          "ldapUserPhoneNumber": { "type": "string", "default": "telephoneNumber", "description": "The LDAP value to use for the user's phone number." },
          "ldapUserImage": { "type": "string", "default": "thumbnailPhoto", "description": "The LDAP value to use for the user's image." },
          "ldapSaveUserToFile": { "type": "string", "default": null, "description": "When set to a filename, for example c:\\temp\\ldapusers.txt, MeshCentral will save the LDAP user object to this file each time a user logs in. This is used for debugging LDAP issues." },
+          "ldapUserGroups": { "type": "string", "default": "memberOf", "description": "The LDAP value to use for the user's group memberships." },
+          "ldapUserRequiredGroupMembership": { "type": [ "string", "array" ], "default": null, "description": "A list of LDAP groups. Users must be part of at least one of these groups to allow login. If null, all users are allowed to login." },
          "ldapOptions": { "type": "object", "description": "LDAP options passed to ldapauth-fork" },
          "agentInviteCodes": { "type": "boolean", "default": false, "description": "Enabled a feature where you can set one or more invitation codes in a device group. You can then give a invitation link to users who can use it to download the agent." },
          "agentNoProxy": { "type": "boolean", "default": false, "description": "When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system" },