Custom Claim Rule for Group DN

  • Question

  • The LDAP Attributes template allows for the selection of qualified/unqualified Groups but I don't see a way to provide the distinguishedName of the group instead of just the name.  Can someone more familiar with writing custom claim rules show me how this can be done?

    For example, the default claim is just MYGroupName, but I want to actually return CN=MyGroupName,OU=Groups,DC=Domain,DC=local

    Thanks!

    Sunday, February 5, 2017 5:34 AM

Answers

  • Here you go:

    c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"]
     => issue(store = "Active Directory", types = ("http://group/DN"), query = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}", param = c1.Value, param = c2.Value);

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, February 6, 2017 3:06 AM
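The following Python is an added illustration, not code from the thread or from ADFS itself. It models how that rule is evaluated: each incoming groupsid claim (c2) is paired with the windowsaccountname claim (c1), the {0} and {1} placeholders in the query string are filled from the params in order, the LDAP filter is run against the "Active Directory" attribute store, and one http://group/DN claim is issued per distinguishedName returned. The directory contents, the account name DOMAIN\alice, the SIDs and the DNs are constructed sample data, and the SID-format check before the value is spliced into the filter is this example's own sanity check, not documented ADFS behaviour.

```python
import re

# Claim types referenced by the rule in the accepted answer.
WINDOWS_ACCOUNT_NAME = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
GROUP_SID = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"
GROUP_DN = "http://group/DN"  # output claim type chosen in the answer

# The query string exactly as written in the rule: "LDAP filter;attribute;identity".
QUERY = "(&(objectClass=group)(objectSID={1}));distinguishedName;{0}"

# Constructed stand-in for the "Active Directory" attribute store, keyed by SID.
# The second group sits in a sub-OU to show that a moved group still resolves,
# because the lookup key is the SID, not the group name or its DN.
DIRECTORY = {
    "S-1-5-21-1111-2222-3333-1105": "CN=MyGroupName,OU=Groups,DC=Domain,DC=local",
    "S-1-5-21-1111-2222-3333-1106": "CN=Finance,OU=Archived,OU=Groups,DC=Domain,DC=local",
}

# Sanity check on the substituted value (this example's own check, not ADFS behaviour):
# only a well-formed SID may be spliced into the LDAP filter.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
OBJECTSID_RE = re.compile(r"\(objectSID=([^)]*)\)")


def ad_store_query(query: str, params: list) -> list:
    """Toy model of the AD attribute store.

    ADFS replaces {0}, {1}, ... with the rule's param values in order, runs the
    LDAP filter and returns the requested attribute. The third segment is the
    account on whose behalf the lookup is made; it is resolved here but otherwise unused.
    """
    ldap_filter, attribute, identity = query.split(";")
    ldap_filter = ldap_filter.format(*params)
    identity = identity.format(*params)
    if attribute != "distinguishedName":
        raise ValueError("this toy store only serves distinguishedName")
    sid = OBJECTSID_RE.search(ldap_filter).group(1)
    if not SID_RE.match(sid):
        raise ValueError(f"refusing to query with a non-SID value: {sid!r}")
    # A real store returns zero rows when no group has that SID; model that as [].
    return [DIRECTORY[sid]] if sid in DIRECTORY else []


def issue_group_dn_claims(claims: list) -> list:
    """Evaluate the rule over an incoming claim set.

    claims: list of (type, value, issuer) tuples.
    The rule matches every c1 (windowsaccountname from AD AUTHORITY) with every
    c2 (groupsid), so it fires once per group SID and issues one http://group/DN
    claim per row the store returns.
    """
    c1 = [v for t, v, iss in claims if t == WINDOWS_ACCOUNT_NAME and iss == "AD AUTHORITY"]
    c2 = [v for t, v, _ in claims if t == GROUP_SID]
    issued = []
    for account in c1:
        for sid in c2:
            for dn in ad_store_query(QUERY, [account, sid]):
                issued.append((GROUP_DN, dn))
    return issued


def sample_claims() -> list:
    """Constructed input: what the AD claim provider's default rules would already
    have placed in the pipeline (account name plus one groupsid claim per group)."""
    return [
        (WINDOWS_ACCOUNT_NAME, "DOMAIN\\alice", "AD AUTHORITY"),
        (GROUP_SID, "S-1-5-21-1111-2222-3333-1105", "AD AUTHORITY"),
        (GROUP_SID, "S-1-5-21-1111-2222-3333-1106", "AD AUTHORITY"),
        (GROUP_SID, "S-1-5-32-545", "AD AUTHORITY"),  # BUILTIN\Users: not a domain group, so no DN
    ]


if __name__ == "__main__":
    for claim_type, value in issue_group_dn_claims(sample_claims()):
        print(claim_type, "=", value)
```

Running it issues two http://group/DN claims, one per domain group SID; the BUILTIN\Users SID yields no row and therefore no claim, which is also what happens in ADFS when a SID in the pipeline has no matching group object in the queried domain.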

All replies

  • It is usually not a good approach, since the DN changes when the group is moved or renamed. The qualified and unqualified names change too, but only if the group is renamed, not if it is moved to another container. The SID is the ideal, because SIDs do not change and you cannot easily create a group with the same one.

    You can simply do a query of the distinguishedName based on its SID, which you would have got thanks to the default rules set in the Active Directory claim provider. You can give it a try. I don't have access to my labs today; when I do, I'll post an example.

    Sunday, February 5, 2017 5:10 PM
  • Awesome, thank you!

    Just to clarify, I need to add the group SIDs before this rule, correct?

    Monday, February 6, 2017 3:21 AM
  • It is already in the pipeline as long as your users are authenticated against the AD claim provider.


    Monday, February 6, 2017 3:47 AM
  • Let us know if that works!


    Monday, February 6, 2017 5:11 PM