AD permissions
-
Hey there!
I've got some serious problems with AD groups.
I have linked my AD and all connections seem to work.
So when I add the teacher group to the authorized user groups, everyone gains access; even the students can remote control the clients, even though they aren't in the group. Got the same problem with 4.1.2 and 4.0.8.
Have I missed something?
-
Hello,
Are you using the LDAP/AD integration feature? If so, can you run the "List all groups of a user" integration test for both a teacher and a student account? Does it enumerate the correct groups? Which user group backend are you using in the access control configuration page?
-
It's hard to check group membership when the alert box is, well, tiny.
Posted the settings I use.
When I run the test on restricting access it gives me "allowed" on all users, not only teachers, and if I delete the group so I have no authorized groups I get "not allowed" on all users. So it's doing something, just not the thing I need. =(
-
Found a fix maybe!
Select Master in the configurator, then the Behaviour tab and check "Perform access control at program start"; then they can't use the master client without permissions.
That might help?
-
Still isn't working; the log files make it look like it gives a successful login before it even checks the groups... Seems like I have to find a replacement then =(
-
Something seems to be wrong related to querying all groups of a user. According to your screenshot the user is a member of 385 groups, which is rather unlikely. I assume all AD groups get listed here (which is a bug in all versions including 4.1.3, which return all groups instead of none in case of configuration problems; this will be fixed in 4.1.4), which explains the behaviour regarding the non-working access control. This basically means some of your settings are not correct yet:
- Environment settings / User login attribute
- Environment settings / Group member attribute
- Advanced settings / Group member identification
If your AD stores group members with their DNs (groups have entries with
member: CN=foo,OU=Users,DC=example,DC=org
), make sure to use member for Group member attribute and set Group member identification to Distinguished name. The first integration test should then return a much smaller number of groups. Afterwards you have to deploy the updated configuration to all computers. The option Perform access control at program start is not directly related to this issue and is documented at https://docs.veyon.io/projects/admin-manual/en/latest/reference.html#behaviour
-
This is the error I get when putting member in the group environment setting.
Maybe I should wait for the 4.1.4 update?
-
Tested 4.1.4, still the same problem: when I click the test access button and type "asdf" (so not a valid user) I still get "user has access to control master"...