...
- The Account has a memberOf attribute. Then you can retrieve the list of groups with the User Search. Proceed with Using memberOf with User Search.
- The Account does not have a memberOf attribute. The group contains the Accounts that are members of the group. Proceed with Using Group Search.
...
With the found groups, a map defined in the LDAP Settings maps the groups to roles.
Substitution of the account value
In both searches the account can be substituted.
How substitutions will be done
In the groupSearchFilter and the userSearchFilter you can specify %s, e.g.
...
The %s will be substituted with the account from the login. If you log in with domain\account or account@domain, the value for the user is account.
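The substitution described above, as an added example that is not part of the original page or of the JS7 product: it reduces the login to the bare account, replaces every %s in the user and group search filters, and (my addition, not something the page states the product does) escapes the account value as required by RFC 4515 so that a login containing filter metacharacters cannot change the structure of the search filter. The settings values are the examples given on this page.

```python
# Added example (not JS7 code): shows how a login name is reduced to the
# account and substituted for %s in the user and group search filters.
# The RFC 4515 escaping is an addition for illustration; the page only
# states that %s is replaced with the account.

# Constructed settings, using the example values given on the page.
SETTINGS = {
    "ldapRealm.searchBase": "ou=People,dc=sos",
    "ldapRealm.userSearchFilter": "(uid=%s)",
    "ldapRealm.groupSearchBase": "ou=Groups,dc=sos",
    "ldapRealm.groupSearchFilter": "(uniqueMember=uid=%s,ou=People,dc=sos)",
}

# Characters that must be escaped in an LDAP filter assertion value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so that it cannot alter the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def account_from_login(login: str) -> str:
    """Reduce 'domain\\account', 'account@domain' or 'account' to the account."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def substitute(filter_template: str, account: str) -> str:
    """Replace every %s in a filter template with the escaped account value."""
    return filter_template.replace("%s", escape_filter_value(account))


def build_searches(login: str, settings: dict = SETTINGS) -> dict:
    """Return (base, filter) pairs for the user search and the group search."""
    account = account_from_login(login)
    return {
        "account": account,
        "userSearch": (
            settings["ldapRealm.searchBase"],
            substitute(settings["ldapRealm.userSearchFilter"], account),
        ),
        "groupSearch": (
            settings["ldapRealm.groupSearchBase"],
            substitute(settings["ldapRealm.groupSearchFilter"], account),
        ),
    }


if __name__ == "__main__":
    for login in ("sos\\jdoe", "jdoe@sos-berlin.com", "*)(uid=*"):
        print(login, "->", build_searches(login))
```

The last sample login shows why the escaping matters: without it, the characters would be copied into the filter verbatim, and the filter sent to the directory would no longer be the one the administrator configured.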
...
Name | Value | Description
---|---|---
LDAP Search Base | | The search base for the LDAP search
LDAP User Search Filter | Example: (uid=%s) |
Groupsearch
Microsoft Active Directory® that supports the memberOf attribute
General
An LDAP Browser can be used to get the correct values for the searchBase and the userSearchFilter. Perform a directory search with the values. You should find only one entry.
The searchBase is the value of the base DN (or ParentDN in the screenshot above).
Hint: if the attribute name in your environment is not the default memberOf then you can specify the name of the attribute with the groupNameAttribute key as described in the next section.
...
If the Account entries have the memberOf attribute then you can skip this section and proceed with Using memberOf with User Search. Settings:
- ldapRealm.groupSearchBase
- ldapRealm.groupNameAttribute
- ldapRealm.groupSearchFilter
When the memberOf attribute is not available for the Account then you can use the Group Search.
Groupsearch
To configure the group search, the following settings have to be specified:
- LDAP Group Search Base
- LDAP Group Search Filter
- LDAP Group Name Attribute
Define the groupSearchBase and the groupSearchFilter. For example:
groupSearchBase = ou=Groups,dc=sos
groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
Getting the value for the groupSearchBase
Identify the location where the groups are stored. This is your groupSearchBase.
Getting the value for the groupSearchFilter
Click one group entry (in the screenshot, cn=apl) and see how the members are stored there.
The groupSearchFilter is configured as attr=val, where attr is the name of the attribute and val is its content. In this example, attr is uniqueMember and val is uid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:
groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
Verifying the groupSearchFilter with the ldapsearch command
...
...
This search should return the group entries the Account is a member of. Identify the attribute that contains the group name that is to be used in the user roles mapping. This can be seen in the next listing.
...
...
Verifying the groupSearchBase and groupSearchFilter with an LDAP Browser
...
Now set the groupNameAttribute to the name of the attribute that contains the group name.
ldapRealm.groupNameAttribute = cn
Hint: The complete content of this attribute must be used in the groupRolesMap attribute. Typical content of the attribute could be ou=Groups,dc=sos,cn=groupname.
...
To achieve this, specify a searchBase, a userSearchFilter and a userNameAttribute.
ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)
Verify by use of ldapsearch
This search should return the Account with the given Account name. Identify the attribute that should be used for substitution in the Group Search base if it is not the Account name from the login.
Verification by use of LDAP Browser
Perform a directory search with your LDAP client to check the User Search configuration. You should find only one Account entry with the given Account name.
Then identify the name of the attribute that contains the value for substitution. For example:
userNameAttribute = cn
Group Roles Mapping
The mapping is defined in the expert tab of the LDAP Identity Service Manage Settings view.
Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. The default for the groupNameAttribute is memberOf. This means that if you are retrieving group memberships by use of the memberOf attribute of an account, then you have to specify the complete value of the memberOf attribute, i.e. the distinguished names of the group hits.
Example for Group Mapping with Microsoft Active Directory by memberOf Attribute
A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships specifies group hits by their distinguished name like this:
CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> all
CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> administrator
CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user
Example for Group Mapping by cn Attribute
A mapping that is based on group search identifies group hits by the value of their common name like this:
sos ==> it_operator
apl ==> administrator,application_manage
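The group-to-role resolution described in this section, as an added example that is not part of the original page or of the JS7 product: it parses the page's "group ==> role[,role]" notation and resolves the group values returned by a search (full memberOf distinguished names, or cn values when the groupNameAttribute is cn) to roles. The matching is my assumption for illustration: a group value only matches when it equals the complete mapped value, as the page requires, and a group that has no mapping yields no role and is reported back so the administrator can spot an incomplete map. The mapping text is constructed from the page's examples.

```python
# Added example (not JS7 code): parse a groupRolesMap in the page's
# "group ==> role[,role]" notation and resolve found groups to roles.
# Exact, complete-value matching is an assumption made for illustration.

# Constructed mapping text, built from the examples on the page.
GROUP_ROLES_MAP_TEXT = """
CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> all
CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user
sos ==> it_operator
apl ==> administrator,application_manage
"""


def parse_group_roles_map(text: str) -> dict:
    """Return {group value: [roles]} from the 'group ==> role,role' lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "==>" not in line:
            continue  # blank line or no mapping arrow: ignore
        group, roles = (part.strip() for part in line.split("==>", 1))
        mapping[group] = [r.strip() for r in roles.split(",") if r.strip()]
    return mapping


def roles_for_groups(found_groups: list, mapping: dict) -> tuple:
    """Resolve group values (memberOf DNs or cn values) to a role list.

    Only a complete, exact match of the attribute value counts. Groups without
    a mapping grant nothing and are returned separately for review.
    """
    roles = []
    unmapped = []
    for group in found_groups:
        if group in mapping:
            for role in mapping[group]:
                if role not in roles:
                    roles.append(role)
        else:
            unmapped.append(group)
    return roles, unmapped


if __name__ == "__main__":
    group_map = parse_group_roles_map(GROUP_ROLES_MAP_TEXT)
    # Constructed search result for one account (cn values of its groups).
    found = ["apl", "sos", "cn=Unknown,ou=Groups,dc=sos"]
    print(roles_for_groups(found, group_map))
```

Running the sample shows the point the page makes about complete values: a group search that returns only "Group1" does not match the distinguished-name entry, so no role is granted for it.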
Examples and special configurations
...