Environment Security Question

Let's say I have three environments (dev, staging, prod) that I will be deploying my project on, and I want certain users to have access to the dev/staging versions.

I am defining who has that access by an AD group, and I need to limit project access to an authenticated user who is a member of that group. No problem.

However, I am managing the project with git and don't want to have to manually change the project security requirement when it goes from staging to production, so I think that I need to define the security at the gateway level and not the project level.

My question is: is the best way to do this by limiting the AD search filter on the dev/staging gateways to only look for users within that group, and then require the dev/staging projects to require authentication in general? That way they can only authenticate if they are in that group?

Thanks,
Keith G.

I actually can't even seem to do this with an LDAP search filter set as the User Search Filter.

I set the following, which works if I use it for the User List Filter, but it still successfully authenticates users outside of the EXAMPLE-GROUP group:

(&(objectCategory=user)(sAMAccountName={0})(memberOf=CN=EXAMPLE-GROUP,OU=Groups,OU=Domestic,DC=network,DC=local))

Not sure if you ended up solving this, but I have seen a couple of similar questions come up recently, with this forum post referenced, and so I’ll put my two cents here for posterity even though it is probably (unfortunately) not much use to the OP at this point (at least for their original project).

Ideally, you should have one AD server per environment so that:

ignition-dev → ad-dev
ignition-staging → ad-staging
ignition-prod → ad-prod

Each environment should have a DNS entry mapping the AD server hostname to the AD server for that environment. The AD server hostname should be the same in each environment, so that the AD user source connection hostname setting may remain unchanged no matter which environment your Gateway is deployed to.

If this is not possible for some reason, you could narrow down the full DN of which sub-tree the user logs into using the username prefix and username suffix settings, though if this DN needs to change in each environment, you will inevitably need to change these settings each time you deploy to a different environment.

The filter settings in the user source profile narrow down the list of users returned whenever Ignition needs to fetch the list of users or search for a specific user in the AD server, but they do not narrow down who is allowed to authenticate (that is done using the username prefix / suffix that is applied to the user's provided username before sending an LDAP bind request to the AD server).

Hope that helps (wish I saw this earlier).

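To make the distinction in the last reply concrete, here is an added example (not from the thread and not Ignition's own code): a small in-memory model of the two LDAP operations an AD user source performs, a filtered search and a bind. The filter is the one posted above; the directory entries, passwords, the bind-name resolution rule and all function names are constructed assumptions. The point it shows is that the search filter decides which entries come back from a search, while the bind only checks the prefix/suffix-expanded name and password, so a user outside EXAMPLE-GROUP still binds successfully.

```python
import re

# Constructed directory: sAMAccountName -> entry attributes (assumption, not real AD data).
DIRECTORY = {
    "alice": {
        "dn": "CN=Alice,OU=Users,OU=Domestic,DC=network,DC=local",
        "objectCategory": "user",
        "sAMAccountName": "alice",
        "memberOf": ["CN=EXAMPLE-GROUP,OU=Groups,OU=Domestic,DC=network,DC=local"],
        "password": "alice-pass",
    },
    "bob": {
        "dn": "CN=Bob,OU=Users,OU=Domestic,DC=network,DC=local",
        "objectCategory": "user",
        "sAMAccountName": "bob",
        "memberOf": ["CN=OTHER-GROUP,OU=Groups,OU=Domestic,DC=network,DC=local"],
        "password": "bob-pass",
    },
}

# The User Search Filter from the thread; {0} is replaced with the login name.
USER_SEARCH_FILTER = (
    "(&(objectCategory=user)(sAMAccountName={0})"
    "(memberOf=CN=EXAMPLE-GROUP,OU=Groups,OU=Domestic,DC=network,DC=local))"
)


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: &, |, ! and attr=value items.
    Values containing ')' are not supported (none appear in this example)."""
    def parse(i):
        assert text[i] == "(", "expected '(' at %d" % i
        i += 1
        op = text[i]
        if op in "&|!":
            i += 1
            children = []
            while text[i] == "(":
                node, i = parse(i)
                children.append(node)
            assert text[i] == ")"
            return (op, children), i + 1
        end = text.index(")", i)
        attr, value = text[i:end].split("=", 1)
        return ("=", attr, value), end + 1

    node, i = parse(0)
    assert i == len(text), "trailing data in filter"
    return node


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    actual = entry.get(attr, [])
    if not isinstance(actual, list):
        actual = [actual]
    return any(a.lower() == value.lower() for a in actual)


def ldap_search(username):
    """The search the user source runs to list or look up users: the filter applies here."""
    node = parse_filter(USER_SEARCH_FILTER.replace("{0}", username))
    return [e["dn"] for e in DIRECTORY.values() if matches(node, e)]


def ldap_bind(username, password, prefix="", suffix="@network.local"):
    """The bind the user source runs to authenticate: only the prefix/suffix-expanded
    name and the password matter; the search filter is never consulted."""
    bind_name = prefix + username + suffix
    # Model AD resolving either "sam@network.local" or "NETWORK\sam" (assumption).
    sam = re.sub(r"^NETWORK\\|@network\.local$", "", bind_name)
    entry = DIRECTORY.get(sam)
    return entry is not None and entry["password"] == password


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pass"), ("bob", "bob-pass")):
        print(user, "search:", ldap_search(user), "bind:", ldap_bind(user, pw))
```

Running it shows the behaviour the original poster observed: the search returns Alice and not Bob, yet both binds succeed. Restricting who may authenticate has to happen somewhere the bind itself is constrained (a per-environment directory, or a prefix/suffix that points at a different sub-tree), not in the search filter.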