Get user groups about go-ad-auth HOT 6 CLOSED

Can you post the code you're using? There shouldn't be any issues in getting groups from AD. Have you tried something like?:

entry, err := conn.GetAttributes("userPrincipalName", upn, []string{"memberOf"})

How are you passing the group? By CN or DN?

Are you sure the Group is somewhere under the BaseDN you're setting in your config?

from go-ad-auth.

Hi,

Here are the relevant code snippets. I have an OU called Test-Groups. The Test-Users group is under the Test-Groups OU and test.user is in the Test-Users group. I'm expecting to get the Test-Users group back from the AuthenticateExtended call.

	ok, err := LDAPAuthUser("xx.xx.xx.xx",
		389,
		"OU=Test-Groups,DC=test,DC=loc",
		"test.user",
		"password",
		"Test-Users")

	if err != nil {
		t.Error("ERROR: " + err.Error())
	}

func LDAPAuthUser(server string, port int, baseDN string, username string, password string, group string) (bool, error) {

  config := &auth.Config{
    Server:   server,
    Port:     port,
    BaseDN:   baseDN,
    //Security: auth.SecurityStartTLS,
  }

 //status, err := auth.Authenticate(config, username, password)
  status, entry, groups, err := auth.AuthenticateExtended(config,
   username,
   password,
   []string{"memberOf"},
   []string{group})

  if err != nil {
    //handle err
    println("Auth error")
    return false, err
  }

Thanks,
-G

from go-ad-auth.

Here's a minimal example. Replace the consts with your parameters and see what you get.

package main

import (
	"fmt"

	auth "gopkg.in/korylprince/go-ad-auth.v2"
)

const server = "win-ad1.example.com"
const port = 389
const baseDN = "OU=Test-Groups,DC=example,DC=com"
const username = "auth.test"
const password = "MyPass123!"
const group = "Test-Users"

func main() {
	config := &auth.Config{
		Server:   server,
		Port:     port,
		BaseDN:   baseDN,
		Security: auth.SecurityStartTLS,
	}

	status, entry, groups, err := auth.AuthenticateExtended(
		config,
		username,
		password,
		[]string{"memberOf"},
		[]string{group},
	)
	fmt.Println(status, entry, groups, err)
}

// Outputs: true &{CN=Test,OU=Test-Groups,DC=example,DC=com [0xc00009ee00]} [Test-Users] <nil>

Note that both the user and the group are in OU=Test-Groups,DC=example,DC=com. Can you verify that's the case in your setup? Have you tried doing a baseDN of just DC=test,DC=loc to see if that works?

from go-ad-auth.

Hi,

I think I tried pretty much every permutation I could think of, but I did try what you recommended again. I also tried not specifying any group and without specifying the "memberOf" attr. Still no luck.

I was incorrect in my description of the user and groups above though.

test.user is in the OU Test-Users and the Test-Users group is under the OU Test-Groups.

Thanks,
-G

from go-ad-auth.

Hi,

I think my case, having the users and groups in different OUs, is probably outside of the use case for the AuthenticateExtended function. I have managed to get authentication and group membership verification working with the go ldap package. I really appreciate you taking the time to look at this. However, if you wanted to make AuthenticateExtended work in this scenario, I would be happy to continue to work on it with you.

Thanks,
-G

from go-ad-auth.

Both the user and the group need to be underneath (either directly or nested in other OUs) the BaseDN OU.

A simple example would be:

example.com:
  - Accounts:
    - Users:
      - Test-User
    - Groups:
      - Test-Group

A BaseDN of OU=Accounts,DC=example,DC=com would be necessary so that the library can see both the user and group in its searches. That's all there is to it. If you want AuthenticateExtended to work properly, all users and groups you intend to use need to be help within the BaseDN.

from go-ad-auth.