...
Assigning roles from LDAP Groups
Anchor | ||||
---|---|---|---|---|
|
The group roles mapping
When assigning the roles from the LDAP Groups the user is a member of the groups the groups will be mapped to the roles that are defined in the shiro.ini configuration file. This will be done with the groupRolesMap
...
Hint: When in your environment the attribute name is not the default "memberOf" you can specify the name of the attribute with groupNameAttribute
key.
Anchor | ||||
---|---|---|---|---|
|
Using group search
When the memberOf
attribute is not available for the user, you can use the group search.
...
To get the correct values for these key a LDAP client like the "Softerra LDAP Browser" is helpful.
Anchor | ||||
---|---|---|---|---|
|
Getting the value for the groupSearchBase
...
This search should return the group entries the user is a member. Please identify the attribute that contains the group name that should be used in the user roles mapping.
Code Block | ||
---|---|---|
| ||
# extended LDIF # # LDAPv3 # base <ou=Groups,dc=sos> with scope subtree # filter: uniqueMember=uid=ur,ou=People,dc=sos # requesting: ALL # # sos, Groups, sos dn: cn=sos,ou=Groups,dc=sos description: Employees of SOS GmbH objectClass: top objectClass: groupofuniquenames cn: sos uniqueMember: uid=ur,ou=People,dc=sos uniqueMember: uid=fTester,ou=People,dc=sos # apl, Groups, sos dn: cn=apl,ou=Groups,dc=sos objectClass: top objectClass: groupofuniquenames cn: apl uniqueMember: uid=ur,ou=People,dc=sos uniqueMember: uid=fTester,ou=People,dc=sos # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 |
Verification with LDAP Browser
...
This search should return the user with the given username. Please identify the attribute that should be used for the substitution in the group search base if it is not the username from the login.
Code Block | ||
---|---|---|
| ||
# extended LDIF # # LDAPv3 # base <ou=People,dc=sos> with scope subtree # filter: uid=fTester # requesting: ALL # # fTester, People, sos dn: uid=fTester,ou=People,dc=sos mail: info@sos-berlin.com uid: fTester givenName: Fritz objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson sn: Tester cn: Fritz Tester # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 |
Verification with LDAP Browser
...