...
How substitutions will be done
In the groupSearchFilter and the userSearchFilter you can specify e.g.
(uid=%s)
The %s will be substituted with the account from the login. If you log in with domain\account or account@domain the value for the user is account.
You can specify e.g.
(uid=^s)
The placeholder ^s will be substituted with the original value from the login, e.g. account@domain.
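The two placeholders side by side, as an added example that is not JOC Cockpit's own code. The function names are hypothetical, checking the backslash form before the @ form is an assumption, and the RFC 4515 escaping of the substituted value is a step added here that the page does not describe.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string so it is read as a literal value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def account_part(login: str) -> str:
    """Return the bare account for domain\\account or account@domain logins."""
    # Assumption: the backslash form takes precedence over the @ form.
    if "\\" in login:
        return login.split("\\", 1)[1]
    if "@" in login:
        return login.split("@", 1)[0]
    return login


def expand_filter(template: str, login: str) -> str:
    """Fill %s (account only) and ^s (original login value) in a filter template."""
    values = {"%s": account_part(login), "^s": login}
    # One re.sub pass: a login that itself contains "%s" or "^s" is never re-expanded.
    return re.sub(
        r"%s|\^s",
        lambda m: escape_filter_value(values[m.group(0)]),
        template,
    )


if __name__ == "__main__":
    # Constructed sample logins, not taken from a real directory.
    for login in (r"domain\account", "account@domain", "jo*"):
        for template in ("(uid=%s)", "(uid=^s)"):
            print(f"{login!r:20} {template:10} -> {expand_filter(template, login)}")
```

With ^s the backslash of a domain\account login reaches the filter, so it has to appear there as \5c to be matched as a literal character.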
The Group/Roles mapping
...
Note that the value of the group depends on the result of the group search. It is the value of the attribute that you have specified with the groupNameAttribute. Default for the groupNameAttribute is memberOf. This indicates that if you are retrieving group memberships by use of the memberOf attribute values of a user account then you have to specify the whole value of the memberOf attribute, i.e. the distinguished names of group hits.
Example for group mapping with Microsoft Active Directory by memberOf attribute
A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships is to specify group hits by their distinguished name like this:
# Mapping of an LDAP group to roles. You can assign more than one role with separator sign |
ldapRealm.groupRolesMap = \
"CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : business_user
Example for group mapping by cn attribute
ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manage
...