Werner

Reputation: 6215

ColdFusion 9 LDAP

In our intranet application, if a user is not authenticated, I use the CFNTAuthenticate tag.

But, normally the user is already authenticated and I'm able to retrieve his username with mid(cgi.REMOTE_USER, 8, 13). How can I retrieve his group memberships (or at least whether he is a member of a specific group) without having him type his password (as he is already authenticated, single sign-on)?

I hope I was able to provide all required information for a simple answer from your side (in the hope there is a simple answer).

Upvotes: 2

Views: 412

Answers (2)

Tomalak

Reputation: 338326

Checking a direct group membership is simple. Use this as the LDAP query (<cfldap>):

(&(samAccountName=#userAccount#)(memberOf=#distinguishedNameOfGroup#))

If it turns up empty, the user is not a member of that group.

Important: The values of userAccount and distinguishedNameOfGroup must be escaped before you can use them in a filter. See the Special Characters chart on the MSDN page that explains the search filter syntax.

Checking a nested group membership (i.e., user is in a subgroup of the group you want to check) is comparatively complicated.

Upvotes: 0
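The escaping step this answer insists on, shown as an added example (not code from the answer, and written in Python rather than CFML so the logic is easy to follow): each filter special character (`\`, `*`, `(`, `)`, NUL) is replaced with a backslash and its two-digit hex code per RFC 4515, and only then are the two values placed into the answer's filter. The sample account and group DN values are constructed.

```python
# Added example: RFC 4515 escaping of values placed into an LDAP search filter,
# applied to the direct-membership filter from the answer above.

def escape_filter_value(value: str) -> str:
    """Escape a string for safe use as a value inside an LDAP search filter.

    Special characters become a backslash plus the two-digit hex code of the
    byte, so a value supplied by a user cannot close the current clause or
    add new ones (e.g. '*)(objectClass=*' can no longer match every entry).
    """
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 127:
            # Non-ASCII text is escaped as the hex of each UTF-8 byte.
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def member_of_filter(user_account: str, group_dn: str) -> str:
    """Build the answer's direct-membership filter with both values escaped.

    Note that commas and '=' inside the group DN are not filter specials and
    pass through unchanged, but a backslash used for DN escaping (e.g. a CN
    of 'Smith\\, John') must still be filter-escaped to '\\5c'.
    """
    return '(&(samAccountName=%s)(memberOf=%s))' % (
        escape_filter_value(user_account),
        escape_filter_value(group_dn),
    )


if __name__ == '__main__':
    # Constructed sample values, not taken from any real directory.
    group = 'CN=Intranet Users,OU=Groups,DC=example,DC=com'
    print(member_of_filter('jsmith', group))
    # A crafted account name is neutralised rather than rewriting the filter.
    print(member_of_filter('*)(objectClass=*', group))
```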

Carl Von Stetten

Reputation: 1149

You can use any Active Directory account to retrieve group memberships for other users. I have a ColdFusion-specific domain account for looking up group information. That account doesn't need any special permissions in Active Directory.

Upvotes: 1
