Active Directory not filtering with User List Filter?

I am working with Ignition 7.9.

Setting up an Active Directory/Internal Hybrid user source.

Right now it seems like anyone from the Active Directory is able to log in, but really we just want certain members of the AD to be able to log in.

The User Listing Base is the default blank.

The User List Filter was modified to include certain OU units.

The User Search Filter is the default (&(objectClass=user)(sAMAccountName={0})).

People from other groups not listed in the User List Filter OU are able to log in, though. Is this expected behavior, or is the user source configuration incorrect?

Pretty sure that is expected behavior. The user list functionality is optional.

Ok, so there is no way to say "only users in this OU" can log in; it's all or nothing and I will have to rely on the roles I set to determine permissions, correct?

Yes. For authentication, we're just asking AD "are these credentials correct?"
Then it's up to the user source to decide authorization beyond that.

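The distinction the reply above draws, modelled as an added Python example (not Ignition code and not from anyone in this thread): a toy in-memory directory and a generic search-then-bind user source. Listing runs the list filter; authentication substitutes the escaped username into the search filter, searches, and binds as the single hit, so the list filter never enters into who can log in. The directory entries, passwords, group DN and the GROUP_SEARCH filter are constructed for the example. It also shows why the username has to be RFC 4515-escaped before it replaces {0}: an unescaped `*` turns the lookup into a wildcard.

```python
"""Toy LDAP user source: the list filter drives enumeration, authentication is search-then-bind.
Added example with a constructed in-memory directory; not Ignition code."""
import hmac
import re

# Constructed sample entries keyed by DN. 'userPassword' stands in for the bind
# credential that a real directory would check for us.
DIRECTORY = {
    "CN=alice,OU=Operators,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["alice"],
        "memberOf": ["CN=IgnitionUsers,OU=Groups,DC=example,DC=com"], "userPassword": ["alice-pw"]},
    "CN=bob,OU=Contractors,DC=example,DC=com": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["bob"],
        "memberOf": [], "userPassword": ["bob-pw"]},
    "CN=HMI01,OU=Workstations,DC=example,DC=com": {
        "objectClass": ["top", "computer"], "sAMAccountName": ["HMI01$"], "userPassword": ["machine-pw"]},
}
BASE = "DC=example,DC=com"
DEFAULT_SEARCH = "(&(objectClass=user)(sAMAccountName={0}))"
# Hypothetical tightened search filter: only members of one group resolve to a DN at all.
GROUP_SEARCH = "(&(objectClass=user)(sAMAccountName={0})(memberOf=CN=IgnitionUsers,OU=Groups,DC=example,DC=com))"

def escape_filter_value(value):
    """RFC 4515 escaping, so a username substituted into {0} cannot inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _value_regex(value):
    """Unescaped '*' is a wildcard; everything else (after \\XX unescaping) is literal."""
    unescape = lambda p: re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), p)
    return re.compile(".*".join(re.escape(unescape(p)) for p in value.split("*")), re.IGNORECASE)

def parse_filter(text):
    """Parse an RFC 4515 subset (&, |, !, attr=value) into a tuple AST."""
    pos = 0
    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1
    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(node())
            expect(")")
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, _value_regex(value))
    ast = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return ast

def matches(entry, ast):
    op = ast[0]
    if op == "&":
        return all(matches(entry, k) for k in ast[1])
    if op == "|":
        return any(matches(entry, k) for k in ast[1])
    if op == "!":
        return not matches(entry, ast[1][0])
    _, attr, rx = ast
    values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(rx.fullmatch(v) for v in values)

def search(base, ast):
    """Subtree search under `base` (empty base = whole directory)."""
    b = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (not b or dn.lower() == b or dn.lower().endswith("," + b)) and matches(e, ast)]

def list_users(base, list_filter):
    """Enumeration: the only thing the list filter influences in this model."""
    return [DIRECTORY[dn]["sAMAccountName"][0] for dn in search(base, parse_filter(list_filter))]

def authenticate(base, search_filter, username, password):
    """Search-then-bind: resolve {0} to exactly one DN, then verify the credential as that DN."""
    hits = search(base, parse_filter(search_filter.replace("{0}", escape_filter_value(username))))
    if len(hits) != 1:  # zero: unknown user; several: ambiguous, refuse rather than guess
        return None
    stored = DIRECTORY[hits[0]].get("userPassword", [""])[0]
    return hits[0] if hmac.compare_digest(stored.encode(), password.encode()) else None

if __name__ == "__main__":
    print(list_users("OU=Operators,DC=example,DC=com", "(objectClass=user)"))  # only alice is listed...
    print(authenticate(BASE, DEFAULT_SEARCH, "bob", "bob-pw"))  # ...yet bob still authenticates
```

Restricting the listing base to OU=Operators hides bob from the user list, yet authenticate() with the default search filter still resolves and binds him. In this generic model only the base and filter used in the authentication search gate who can log in (GROUP_SEARCH refuses bob, a base of OU=Operators refuses him too); whether a given product exposes that in its authentication step is product-specific and is not what this thread established for Ignition 7.9.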

Then it's up to the user source to decide authorization beyond that.

Wait, so after the User Source confirms that the person exists in AD with the correct user/password, is there the ability to reject the authorization for not being in the right OU? Or no?

You can require some role in the project, so that anyone without it can't even log in?

Oh ok, that was my plan in case it could not be done inside the gateway user source configuration. So that is how I have to do it - that's fine with me. I just wanted to check, as I am by no means an Active Directory guy and I don't know much about LDAP queries.