...
Verify by use of LDAP Browser: Possible values for the LDAP User DN Template can be derived from an account's properties as displayed by an LDAP Browser. In a first step, search with the value from the LDAP User DN Template in the Search DN input field. The query should return exactly one entry. The properties of the resulting entry provide the setting for the account.

Verify by use of ldapSearch: Users can check the value of the LDAP User DN Template setting by use of the ldapSearch utility:
Example for use of a public LDAP Directory Service: The following example uses a publicly available LDAP Server. In our experience this server provides a good example to make an initial LDAP configuration work.
Note: The option
Verify by use of JOC Cockpit: Try to log in with an LDAP Account/Password combination. Use an Account that you have verified to be correct by executing the ldapSearch command described above. If authentication works but no Role(s) are configured for the Account, then you will see the following screen, which complains about missing authorization after successful authentication:
...
An LDAP Browser can be used to identify the suitable values for the searchBase and the userSearchFilter. Users can perform a directory search with the value and should find a single resulting entry.
The searchBase is the value of the base DN (or ParentDN in the screenshot above).
...
groupSearchBase = ou=Groups,dc=sos
groupSearchFilter = (uniqueMember=uid=%s,ou=People,dc=sos)
...
Looking up the value for the groupSearchBase: Identify the location where the groups are stored in the LDAP Server. This is the groupSearchBase:
...
Click one group entry (in the screenshot, cn=apl) and see how the members are stored there; the included members should become visible.
The groupSearchFilter is configured as (attr=val), where attr is the name of the attribute and val is the value. In this example, the attribute is uniqueMember and the value is uid=%s,ou=People,dc=sos, where %s is replaced with the account name from the login. This results in:
...
Verifying the groupSearchFilter with the ldapSearch command: This search should return the group entries the Account is a member of. Identify the attribute containing the group name that is to be used in the user roles mapping. This can be seen in the next listing.
Verifying the groupSearchBase and groupSearchFilter with an LDAP Browser
Now set the groupNameAttribute to the name of the attribute that holds the group name:
groupNameAttribute = cn
Hint: The complete value of this attribute has to be used with the groupRolesMap attribute. Typical values are the plain group name, e.g. groupname, if the groupNameAttribute is cn, or a Distinguished Name such as cn=groupname,ou=Groups,dc=sos if the group search delivers DNs, e.g. from the memberOf attribute.
If the roles are assigned by JOC Cockpit using the Identity Service Type LDAP-JOC, you can skip this chapter.
If the member values of the groups contain the Account name from the login, then you can skip this chapter.
Sometimes the member values do not contain the Account name from the login but, for example, the cn of the Account. In this case users have to search for the account first and then specify the name of the attribute that should be used instead of the account name from the login.
To achieve this, a searchBase, a userSearchFilter and a userNameAttribute can be specified:
searchBase = ou=People,dc=sos
userSearchFilter = (uid=%s)
...
Verify by use of ldapSearch: This search should return the Account with the given Account name. Identify the attribute that should be used for substitution of %s in the groupSearchFilter if it is not the Account name from the login.
Verification by use of LDAP Browser: Users can perform a directory search with their LDAP Browser to check the User Search configuration. The result should present only one Account entry with the given Account name.
Then identify the name of the attribute that contains the value for substitution. For example:
...
Group Roles Mapping
The mapping is configured with the "Expert Mode" of the LDAP Identity Service Manage Settings view.
Note that the value of the group depends on the result of the group search. It is the value of the attribute that has been specified with the groupNameAttribute. This attribute defaults to memberOf. In case that group memberships are looked up by use of the memberOf attribute of an account, the complete value of the memberOf attribute has to be specified, i.e. the Distinguished Names of group hits.
Example for Group Mapping with Microsoft Active Directory® and memberOf Attribute
A typical mapping when using Microsoft Active Directory® and the memberOf attribute for group memberships specifies each group hit by its Distinguished Name like this:
CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> all
CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> administrator
CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com ==> business_user
Example for Group Mapping with cn Attribute
A mapping that is based on Group Search identifies group hits by the value of their Common Name like this:
sos ==> it_operator
apl ==> administrator,application_manage
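The following is an added example and not code from JOC Cockpit: an in-memory model of the lookups described in the group search, user search/substitution and Group Roles Mapping sections above. It assumes a constructed dc=sos directory, a settings dict keyed like the page's settings (searchBase, userSearchFilter, userNameAttribute, groupSearchBase, groupSearchFilter, groupNameAttribute, groupRolesMap), and supports only (attr=value) equality filters; the names search and resolve_roles are this example's own. It shows why the groupRolesMap must use the complete Distinguished Name when groupNameAttribute is memberOf, why userNameAttribute is needed when members are stored by cn, and how a successful authentication can still end with no roles.

```python
"""Added example, not JOC Cockpit code: an in-memory model of the LDAP Identity
Service lookups. Settings are a dict keyed like the page's settings; the
directory below is constructed; only (attr=value) equality filters are supported."""
import re

# Constructed directory, DN -> attributes (values as lists). cn=apl stores its
# members by the account's cn rather than its login name.
DIRECTORY = {
    "uid=gauss,ou=People,dc=sos": {"uid": ["gauss"], "cn": ["Carl Friedrich Gauss"],
                                   "memberOf": ["cn=mathematicians,ou=Groups,dc=sos"]},
    "uid=newton,ou=People,dc=sos": {"uid": ["newton"], "cn": ["Isaac Newton"],
                                    "memberOf": ["cn=scientists,ou=Groups,dc=sos",
                                                 "cn=apl,ou=Groups,dc=sos"]},
    "cn=mathematicians,ou=Groups,dc=sos": {"cn": ["mathematicians"],
                                           "uniqueMember": ["uid=gauss,ou=People,dc=sos"]},
    "cn=scientists,ou=Groups,dc=sos": {"cn": ["scientists"],
                                       "uniqueMember": ["uid=newton,ou=People,dc=sos"]},
    "cn=apl,ou=Groups,dc=sos": {"cn": ["apl"], "member": ["Isaac Newton"]},
}

_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.+)\)$")


def search(base, filter_expr):
    """Return the DNs below `base` whose entry matches an (attr=value) filter.
    Attribute names, DNs and values compare case-insensitively in this model."""
    m = _EQ_FILTER.match(filter_expr)
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr}")
    attr, value = m.group("attr").lower(), m.group("value").lower()
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        for name, values in attrs.items():
            if name.lower() == attr and any(v.lower() == value for v in values):
                hits.append(dn)
                break
    return hits


def resolve_roles(login, settings):
    """Resolve the set of roles for `login` in the order the settings imply."""
    # 1. user search, only if a substitution attribute is configured: the value
    #    of userNameAttribute replaces %s in the groupSearchFilter instead of
    #    the login name. Exactly one hit is expected.
    subst = login
    if settings.get("userNameAttribute"):
        users = search(settings["searchBase"], settings["userSearchFilter"].replace("%s", login))
        if len(users) != 1:
            raise LookupError(f"user search for {login!r} returned {len(users)} entries, expected 1")
        subst = DIRECTORY[users[0]][settings["userNameAttribute"]][0]

    # 2. group search: each hit is a group entry (groupNameAttribute=cn) or the
    #    account entry itself (groupNameAttribute=memberOf).
    hits = search(settings["groupSearchBase"], settings["groupSearchFilter"].replace("%s", subst))

    # 3. group names exactly as the groupNameAttribute delivers them: a short
    #    name for cn, a complete Distinguished Name for memberOf.
    name_attr = settings.get("groupNameAttribute", "memberOf")
    group_names = [g for dn in hits for g in DIRECTORY[dn].get(name_attr, [])]

    # 4. groupRolesMap is keyed by that exact value; unmapped groups contribute
    #    nothing, so a successful login can end up without any role.
    roles = set()
    for group in group_names:
        mapped = settings["groupRolesMap"].get(group)
        if mapped:
            roles.update(r.strip() for r in mapped.split(","))
    return roles


# groupNameAttribute=cn: group entries are searched and their cn is mapped.
SETTINGS_CN = {
    "groupSearchBase": "ou=Groups,dc=sos",
    "groupSearchFilter": "(uniqueMember=uid=%s,ou=People,dc=sos)",
    "groupNameAttribute": "cn",
    "groupRolesMap": {"mathematicians": "all", "scientists": "it_operator"},
}

# groupNameAttribute=memberOf: the account entry is searched and the DNs in its
# memberOf attribute are mapped, so the map must be keyed by complete DNs.
SETTINGS_MEMBEROF = {
    "groupSearchBase": "ou=People,dc=sos",
    "groupSearchFilter": "(uid=%s)",
    "groupNameAttribute": "memberOf",
    "groupRolesMap": {"cn=mathematicians,ou=Groups,dc=sos": "all",
                      "cn=scientists,ou=Groups,dc=sos": "it_operator"},
}

# Members stored by cn: search the account first and substitute its cn.
SETTINGS_SUBST = {
    "searchBase": "ou=People,dc=sos",
    "userSearchFilter": "(uid=%s)",
    "userNameAttribute": "cn",
    "groupSearchBase": "ou=Groups,dc=sos",
    "groupSearchFilter": "(member=%s)",
    "groupNameAttribute": "cn",
    "groupRolesMap": {"apl": "administrator,it_operator"},
}

if __name__ == "__main__":
    for login in ("gauss", "newton"):
        print(login, sorted(resolve_roles(login, SETTINGS_CN)),
              sorted(resolve_roles(login, SETTINGS_MEMBEROF)),
              sorted(resolve_roles(login, SETTINGS_SUBST)))
```

Swapping the groupRolesMap of SETTINGS_MEMBEROF for short names such as mathematicians yields no roles at all, which is exactly the failure the hint about complete attribute values warns about; the same empty result appears for gauss under SETTINGS_SUBST, because no group stores his cn as a member.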
...
Account Name | Password | LDAP Group | Shiro Role |
---|---|---|---|
gauss | password | mathematicians | all |
newton | password | scientists | it_operator |
...