...

• The Account has a memberOf attribute. Then you can retrieve the list of groups with the User Search. Then proceed Proceed with Using memberOf with User Search.
• The Account does not have a memberOf attribute. The group contains the Accounts that are members of the group, Then proceed with Using Group Search.

...

With the founded groups a map is defined in the LDAP Settings, that maps the groups to roles.

Substitution of the account value

In both searches the account can be substituted

How substitutions will be done

In the groupSearchFilter and the userSearchFilter you can specify %s e.g. 

...

The %s will be substituted with the account from the login. If you login with domain\account oder or account@domain the value for the user is account.

...

Groupsearch

Microsoft Active Directory^® that supports memberOff attribute

General

Group Roles Mapping

The mapping is defined in the expert tab of the LDAP Identity Service Manage Settings view.

Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. Default for the groupNameAttribute is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute of an account then you have to specify the complete value of the memberOf attribute value, i.e. the distinguished names of group hits.

Example for Group Mapping with Microsoft Active Directory by memberOf Attribute

A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships includes to specify group hts by their distinguished name like this:

• CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==>  all
• CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=CompanyDC=sos-berlin,DC=com ==>  adminitrator
• CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user

Example for Group Mapping by cn Attribute

A mapping that is based on group search would identify group hits by the value of their common name like this:

...

An LDAP Browser can be used to get the correct values for the searchBase and the userSearchFilter. Perform a directory search with the values. You should find only one entry. 

Image Removed

The searchBase is the value of the base DN (or ParentDN in the screenshot above).

Hint: if the attribute name in your environment is not the default memberOf then you can specify the name of the attribute with the groupNameAttribute key as described in the next section.

...

If the Account entries have the memberOf attribute then you can skip this section and proceed with Using memberOf with User Search. Settings: 

• ldapRealm.groupSearchBase 
• ldapRealm.groupNameAttribute
• ldapRealm.groupSearchFilter

When the memberOf attribute is not available for the Account then you can use the Group Search.

Define the groupSearchBase and the groupSearchFilter. For example:

...

An LDAP Browser can be used to get the correct values for the searchBase and the userSearchFilter. Perform a directory search with the values. You should find only one entry. 

Image Added

The searchBase is the value of the base DN (or ParentDN in the screenshot above).

Hint: if the attribute name in your environment is not the default memberOf then you can specify the name of the attribute with the groupNameAttribute key as described in the next section.

Groupsearch

If the Account entries have the memberOf attribute then you can skip this section and proceed with Using memberOf with User Search.

To specify the group search the following settings have to be specified

• LDAP Group Search Base
• LDAP Group Search Filter
• LDAP Group Name Attribute

Define the groupSearchBase and the groupSearchFilter. For example:

• groupSearchBase = ou=Groups,dc=sos
• groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

Getting the value for the groupSearchBase

Identify the location where the groups are stored. This is your groupSearchBase.

Image Added

Image Added

Getting the value for the groupSearchFilter

Click one group Entry (in the screenshot, cn=apl) and see how the members are stored there.

Image Added

The groupSearchFilter is configured with attr=val where attr is name of the attribute and val is the content. In this example, the attr is uniqueMember and the val uid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:

• groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)

...

...

# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur

...

Getting the value for the groupSearchBase

Identify the location where the groups are stored. This is your groupSearchBase.

Image Removed

Image Removed

Getting the value for the groupSearchFilter

Click one group Entry (in the screenshot, cn=apl) and see how the members are stored there.

Image Removed

The groupSearchFilter is configured with attr=val where attr is name of the attribute and val is the content. In this example, the attr is uniqueMember and the val uid=%s,ou=People,dc=sos, where the userid is replaced with %s. This results in:

...

,ou=People,dc=sos

...

Verifing the groupSearchFilter with the ldapSearch command

...

uniqueMember: uid=fTester,ou=People,dc=sos

...

This search should return the group entries the Account is a member of. Identify the attribute containing the group name that is to be used in the user roles mapping. This can be seen in the next listing

...

...

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos

...

objectClass: top
objectClass: groupofuniquenames
cn: 

...

apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# 

...

search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2

Now set the groupNameAttribute to the name of the attribute that contains the group name.

• ldapRealm.groupNameAttribute = cn

Hint: The complete content of this attribute must be used in the groupRolesMap attribute. Typical content of the attribute could be ou=Groups,dc=sos,cn=groupname .

...

To achieve this, specify a searchBase, a userSearchFilter and a userNameAttribute.

ldapRealm.searchBase = ou=People,dc=sos
ldapRealm.userSearchFilter = (uid=%s)

ldapsearch -h localhost -p 389 -b "ou=People,dc=sos" -s sub "uid=fTester" -x

# This should return the following result

# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

...

Then identify the name of the attribute that contains the value for substitution. For example:

• userNameAttribute = cn

Group Roles Mapping

The mapping is defined in the expert tab of the LDAP Identity Service Manage Settings view.

Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. Default for the groupNameAttribute is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute of an account then you have to specify the complete value of the memberOf attribute value, i.e. the distinguished names of group hits.

Example for Group Mapping with Microsoft Active Directory by memberOf Attribute

A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships includes to specify group hts by their distinguished name like this:

• CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==>  all
• CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=CompanyDC=sos-berlin,DC=com ==>  adminitrator
• CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user

Example for Group Mapping by cn Attribute

A mapping that is based on group search would identify group hits by the value of their common name like this:

• sos ==> it_operator
• apl ==> administrator,application_manage

Image Removed

Then identify the name of the attribute that contains the value for substitution. For example:

...