...

The groupRolesMap looks like this.

# Mapping of a LDAP group to roles. You can assign more than one role with separator character |

ldapRealm.groupRolesMap = \
group1 : list_of_roles, \
group2 : list_of_roles

...

Note that the value of the group depends on the result of the group search: it is the value of the attribute that you have specified with the groupNameAttribute, which defaults to memberOf. This means that if you retrieve group memberships from the memberOf attribute values of an account, you have to specify the complete value of the memberOf attribute, i.e. the distinguished name of each group hit.

Example for

...

Group Mapping with Microsoft Active Directory by memberOf

...

Attribute

A typical mapping when using Microsoft Active Directory with the memberOf attribute for group memberships specifies group hits by their distinguished name, like this:

# Mapping of a LDAP group to roles. You can assign more than one role with separator character |
ldapRealm.groupRolesMap = \
"CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=AnotherGroup,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : business_user

Example for

...

Group Mapping by cn Attribute

A mapping that is based on a group search identifies group hits by the value of their common name, like this:

ldapRealm.groupRolesMap = \
sos : it_operator, \
apl : administrator|application_manager
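As an added illustration of both the note on group values above and the two mapping examples (this is example code, not SOS documentation or Shiro's own implementation), the following Python parses the groupRolesMap syntax shown on this page and resolves an account's group hits to roles. It assumes a constructed sample map and that a group hit matches only when its complete attribute value equals a key, which is why a memberOf-based mapping must use the full distinguished name.

```python
# Added example (not part of the SOS documentation or of Shiro): parses the
# ldapRealm.groupRolesMap syntax shown above and resolves an account's group hits
# to roles, illustrating why a memberOf-based mapping needs the complete DN.
import re

# Constructed sample in the page's syntax: backslash continuations, quoted DN keys
# (which themselves contain commas) and '|' as the role separator.
GROUP_ROLES_MAP = r'''
"CN=Group1,OU=SpecialGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : all, \
"CN=Beginners,OU=SecurityGroups,OU=Groups,OU=Company,DC=sos-berlin,DC=com" : business_user, \
apl : administrator|application_manager
'''

# One entry: an optionally quoted group value, a colon, and a role list ending at a comma or end.
ENTRY_RE = re.compile(r'\s*("([^"]*)"|[^,:"]+?)\s*:\s*([^,]+?)\s*(?:,|$)')


def parse_group_roles_map(text):
    """Return {group_value: [roles]} from a groupRolesMap definition."""
    # Join continuation lines: a trailing backslash means "continues on the next line".
    joined = re.sub(r'\\\s*\n', ' ', text.strip())
    mapping = {}
    for m in ENTRY_RE.finditer(joined):
        group = m.group(2) if m.group(2) is not None else m.group(1).strip()
        mapping[group] = [r.strip() for r in m.group(3).split('|') if r.strip()]
    return mapping


def roles_for_account(mapping, group_hits):
    """Union of roles for an account's group hits (memberOf DNs or cn values).

    Matching is by the complete attribute value (an assumption of this example):
    a bare 'Group1' does not match a key that is the group's distinguished name.
    """
    roles = []
    for hit in group_hits:
        for role in mapping.get(hit, []):
            if role not in roles:
                roles.append(role)
    return roles
```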

...