...

How substitutions will be done

In the groupSearchFilter and the userSearchFilter you can specify e.g.

(uid=%s)

The %s will be substituted with the account from the login. If you log in with domain\account or account@domain, the value for the user is account.

You can specify e.g.

(uid=^s)

The placeholder ^s will be substituted with the original value from the login, e.g. account@domain.
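
The two placeholders side by side, as an added example that is not part of the original page or the product's own code. The function names are hypothetical, the handling of a login that contains both \ and @ is an assumption, and the RFC 4515 escaping of the substituted value is an addition that the page does not describe.

```python
# Added illustration; function names are hypothetical, not the product's API.
import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed into an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def account_part(login: str) -> str:
    """Reduce domain\\account or account@domain to the bare account."""
    # Assumption: the domain\account form is checked before account@domain.
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def expand_filter(template: str, login: str) -> str:
    """Replace %s with the account and ^s with the original login value."""
    values = {"%s": account_part(login), "^s": login}
    # Single pass, so placeholder-like text inside a login is never re-expanded.
    return re.sub(
        r"%s|\^s",
        lambda m: escape_filter_value(values[m.group(0)]),
        template,
    )


# Constructed sample logins; the last one contains filter metacharacters.
SAMPLES = ["jdoe", "EXAMPLE\\jdoe", "jdoe@example.com", "jdoe)(uid=*"]

if __name__ == "__main__":
    for login in SAMPLES:
        print(f"{login!r}")
        print("  (uid=%s) ->", expand_filter("(uid=%s)", login))
        print("  (uid=^s) ->", expand_filter("(uid=^s)", login))
```

With (uid=%s) both EXAMPLE\jdoe and jdoe@example.com search for the same entry, while (uid=^s) searches for the full login string, so the filter has to name an attribute that actually stores that form.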

 

The Group/Roles mapping

...

Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. Default for the groupNameAttribute is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute values of a user account, then you have to specify the complete memberOf attribute value, i.e. the distinguished names of the groups.

Example for group mapping with Microsoft Active Directory by memberOf attribute

A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships specifies the groups by their distinguished names, like this:

# Mapping of an LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : business_user

Example for group mapping by cn attribute

ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manage

...