Hi,
We're migrating our authentication from LDAP to AD. So far, everything is working well. Users can log in and their LabKey permissions are working perfectly.
In AD, we have created a labkeyusers group, and I am wondering if it is possible to restrict access to LabKey based solely on this group?
As it is now, all of our AD users have access to log in to LabKey and are able to create accounts. They have no permissions, of course, but I think it would be better to limit their access altogether.
Can the AD group perhaps be added to the ldapSearch_searchTemplate in the labkey.xml file?
Many thanks,
bront

Jon (LabKey DevOps) responded:
2015-05-31 21:01
Hi Bront,
So beyond just authenticating, you want your Active Directory group to do authorization within LabKey as well?
I'm not certain that the ldapSearch_searchTemplate will work, but it does seem possible to use a group for the objectClass like:
<Environment name="ldapSearch_searchTemplate" value="(&amp;(objectClass=group))" type="java.lang.String" override="false"/>
But I will need to confirm this on our end.
Regards,
Jon

bront responded:
2015-06-01 08:38
Jon,
I am not sure that we need the AD to do the authorization in LabKey.
I think what we'd like is to create a general user group in AD (i.e., labkeyusers), and then set up LabKey such that only those users could log in. From there we would handle permissions within LabKey as usual.
As it stands now, *all* of our AD users can log in to LabKey and create accounts, which, even though most won't have any permissions on projects, is not optimal.
Thanks for your help.
cheers,
bront

adam responded:
2015-06-01 09:55
Hi Bront,
As you've found, when a user successfully authenticates using an external authentication provider (which includes LDAP and any of the Single Sign On providers), the server creates a new user account if one doesn't already exist for that user. A successful authentication doesn't grant any special permissions; that user receives only the permissions assigned to the Site Users group. Our general recommendation is to limit the permissions you assign Site Users.
At the moment, there's no way to turn off the "auto-create user account" behavior. It wouldn't be difficult to add such an option, but it would be helpful to discuss the use case and concerns; I don't think anyone else has asked for this.
Adam

bront responded:
2015-06-01 10:26
Adam,
Thanks for clarifying. I don't suppose it will be much of an issue for us. I don't think a large number of our general users will just stumble into LabKey and create accounts.
I just wanted to explore the possibilities of setting up LabKey in such a way as to restrict user access by AD groups.
Many thanks,
bront

bront responded:
2015-06-04 11:36