...

Assigning roles from LDAP Groups

The group roles mapping

When roles are assigned from the LDAP groups the user is a member of, those groups are mapped to the roles defined in the shiro.ini configuration file. This is done with the groupRolesMap

...

Hint: If the attribute name in your environment is not the default "memberOf", you can specify the name of the attribute with the groupNameAttribute key.

Using group search

When the memberOf attribute is not available for the user, you can use the group search.

...

To get the correct values for these keys, an LDAP client like the "Softerra LDAP Browser" is helpful.

Getting the value for the groupSearchBase

...

This search should return the group entries the user is a member of. Please identify the attribute that contains the group name that should be used in the user roles mapping.

Code Block
# extended LDIF
#
# LDAPv3
# base <ou=Groups,dc=sos> with scope subtree
# filter: uniqueMember=uid=ur,ou=People,dc=sos
# requesting: ALL
#
 
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
description: Employees of SOS GmbH
objectClass: top
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: top
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos
 
# search result
search: 2
result: 0 Success
 
# numResponses: 3
# numEntries: 2
 
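As an added example (not code from this page or from the Shiro LDAP realm), the following Python script walks ldapsearch output of the kind shown above, picks the group entries whose uniqueMember attribute contains the user's DN, reads the group name from a configurable attribute (cn, like groupNameAttribute) and maps it through a hypothetical groupRolesMap; the LDIF sample and the role names are constructed, and a group without a mapping grants no role.

```python
# Constructed sample, trimmed from the ldapsearch output above.
GROUP_LDIF = """\
# sos, Groups, sos
dn: cn=sos,ou=Groups,dc=sos
objectClass: groupofuniquenames
cn: sos
uniqueMember: uid=ur,ou=People,dc=sos
uniqueMember: uid=fTester,ou=People,dc=sos

# apl, Groups, sos
dn: cn=apl,ou=Groups,dc=sos
objectClass: groupofuniquenames
cn: apl
uniqueMember: uid=ur,ou=People,dc=sos

# search result
search: 2
result: 0 Success
"""

# Hypothetical group-to-role map in the spirit of shiro.ini's groupRolesMap.
GROUP_ROLES_MAP = {"sos": ["all"], "apl": ["it_operator"]}


def parse_ldif_entries(ldif):
    """Split LDIF text into entries (dict: lowercase attribute -> [values]).
    Comment lines are skipped; a block without a dn (the search result) is dropped."""
    entries, current = [], {}
    for line in ldif.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if "dn" in current:
        entries.append(current)
    return entries


def roles_for_user(ldif, user_dn, group_name_attribute="cn", member_attribute="uniqueMember"):
    """Return the sorted roles of user_dn: a group counts when its member attribute
    lists the DN (case-insensitive); the group name is mapped via GROUP_ROLES_MAP."""
    roles = set()
    for entry in parse_ldif_entries(ldif):
        members = {m.lower() for m in entry.get(member_attribute.lower(), [])}
        if user_dn.lower() not in members:
            continue
        for group in entry.get(group_name_attribute.lower(), []):
            roles.update(GROUP_ROLES_MAP.get(group, []))
    return sorted(roles)
```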
Verification with LDAP Browser

...

This search should return the user with the given username. Please identify the attribute that should be used for the substitution in the group search base if it is not the username from the login.

Code Block
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=sos> with scope subtree
# filter: uid=fTester
# requesting: ALL
#

# fTester, People, sos
dn: uid=fTester,ou=People,dc=sos
mail: info@sos-berlin.com
uid: fTester
givenName: Fritz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Tester
cn: Fritz Tester

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
 
Verification with LDAP Browser

...