LDAP/Active Directory Group membership check, to regulate access to Teampass

Roru69 7 years ago updated by Steve Shipway 6 years ago 4

A function in Teampass to check LDAP/Active Directory Group membership before granting access to Teampass.

In larger organizations you (probably) don't want the whole Active Directory/LDAP User container to have access to Teampass. This could be managed by creating an Active Directory group whose members have access to Teampass and letting Teampass check this group membership.

Functional features

(need to have):

  • When logging in for the first time with an Active Directory account, the account should be a member of the AD group specified in the settings section. If not, no account should be created in Teampass. An email should be sent to the administrator and a line written in the Log. (User "X" which isn't a member of group [teampass] tried to access Teampass.)
  • When logging in normally (after the account has been created), the user should always be checked to see whether he/she is a member of the group specified in the settings section. If not, the account should be locked. An email should be sent to the administrator saying that user x is no longer a group member and the Teampass account is locked. Probably some logging should also be made... for auditing purposes.

(Nice to have)

Further implementation of LDAP/Active Directory in Teampass. Assigning LDAP/AD groups to Roles, this way when a Role is created in Teampass you can assign an AD group to it. Management can be done by adding or removing users from the specific LDAP/AD group.

We discussed the (need to have) feature by email, but I never posted an official feature request.

Regards, Roru69

Implemented!! Thanks Nils

The LDAP filter used to find the user object appears to be

     $filter = "(&(".$SETTINGS['ldap_user_attribute']."=$username)(objectClass=".$SETTINGS['ldap_object_class']."))";

However, it would be good to be able to provide your own filter, so that you could (for example) restrict to just certain groups, or by other attributes.
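
The following is an added example, not Teampass code and not written by anyone in this thread. It shows one way a lookup filter like the one quoted above could also require membership of an access group, with the login name escaped before it is placed in the filter. The `ldap_allowed_group_dn` setting, the function name and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not Teampass code. Needs PHP's ldap extension for ldap_escape().

/**
 * Build a user-lookup filter that also requires membership of an access group.
 * 'ldap_user_attribute' and 'ldap_object_class' are the settings used in the
 * filter quoted above; 'ldap_allowed_group_dn' is a hypothetical setting.
 */
function build_user_filter(array $settings, string $username, bool $nested = true): string
{
    // Escape filter metacharacters (* ( ) \ NUL) so that they are matched
    // literally and cannot change the structure of the filter.
    $user    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $groupDn = ldap_escape($settings['ldap_allowed_group_dn'], '', LDAP_ESCAPE_FILTER);

    // Active Directory only: the LDAP_MATCHING_RULE_IN_CHAIN OID makes the
    // memberOf test follow nested groups. Other directories need plain memberOf.
    $memberOf = $nested ? 'memberOf:1.2.840.113556.1.4.1941:' : 'memberOf';

    return sprintf(
        '(&(%s=%s)(objectClass=%s)(%s=%s))',
        $settings['ldap_user_attribute'],
        $user,
        $settings['ldap_object_class'],
        $memberOf,
        $groupDn
    );
}

// Constructed sample values.
$settings = [
    'ldap_user_attribute'   => 'sAMAccountName',
    'ldap_object_class'     => 'user',
    'ldap_allowed_group_dn' => 'CN=teampass,OU=Groups,DC=example,DC=com',
];

// Nested-group check for a normal login name.
echo build_user_filter($settings, 'jdoe'), PHP_EOL;

// Direct membership only; the parentheses and asterisk in this constructed
// name are emitted as backslash-hex escapes inside the filter.
echo build_user_filter($settings, 'j(doe)*', false), PHP_EOL;
```

If the search returns no entry, the account either does not exist or is not in the group, which is the point at which the first-login and later-login rules from the original request would apply.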


Is the feature for assigning LDAP/AD groups to Roles implemented? This feature would be very interesting to us. Or should I vote for this feature in another feature request? Thank you for your response.

Lukas, take a look at this request, which sounds more like what you are asking for: https://teampass.userecho.com/communities/1/topics/17-manage-users-and-groups