Details
- Fix
- Status: Released
- Minor
- Resolution: Fixed
- 1.11.4
- None
Description
Current Situation
The group roles mapping searches the groups the user is a member of. For this, a user search filter can be defined that finds the user. Then the memberOf attribute of this user is read. This returns a collection of groups the user is a member of.
This approach does not work when the memberOf attribute is not available for the user.
Desired Behaviour
In addition to the user search, there should be a group search filter that finds groups the user is a member of. For this it should be possible to first look up the user record and specify the attribute that should be used for the group search filter.
When the user name from the login should not be used for the substitution in the groupSearchFilter, the userSearchFilter specifies how to get the user entry. The userNameAttributeForSubstitution attribute then specifies the attribute that should be used for the substitution. The groupNameAttribute specifies the attribute that contains the value for the group.
When the user logs in with user@domain or domain\user, the domain should not be used for the search. To achieve this, the user name is separated from the login value.
New attributes:
- groupSearchFilter
- groupSearchBase
Example
# new item to specify the attribute in the user record that should be used for substitution in groupSearchFilter
ldapRealm.userNameAttribute = cn
# new item to define the search for the group records
ldapRealm.groupSearchFilter=(&(objectCategory=group)(member=CN=%s,OU=myOu,DC=Group,DC=myDC1,DC=myDC2))
# to find the user record. Using userNameAttributeForSubstitution cn for substitution in groupSearchFilter
ldapRealm.userSearchFilter=(&(objectCategory=person)(sAMAccountName=%s))
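
Added example, not part of the original issue or the project's code: a sketch of the two substitutions described above, showing the escaping a `%s` value needs before it is placed in a filter (RFC 4515) or inside a DN within a filter (RFC 4514, then RFC 4515). The helper names are hypothetical, the filter templates are taken from the example above, and the login and cn values are constructed.

```python
# Added example; helper names are hypothetical, not the project's API.
USER_FILTER = "(&(objectCategory=person)(sAMAccountName=%s))"
GROUP_FILTER = ("(&(objectCategory=group)"
                "(member=CN=%s,OU=myOu,DC=Group,DC=myDC1,DC=myDC2))")

FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def split_login(login):
    """Drop the domain from 'domain\\user' or 'user@domain'."""
    if "\\" in login:
        return login.split("\\", 1)[1]
    return login.split("@", 1)[0]

def escape_filter_value(value):
    """RFC 4515: escape characters that are special in a filter assertion."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def escape_dn_value(value):
    """RFC 4514: escape a value placed inside an RDN such as CN=%s."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in '\\,+"<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def build_user_filter(login):
    """Substitute the user part of the login into the user search filter."""
    return USER_FILTER.replace("%s", escape_filter_value(split_login(login)))

def build_group_filter(attr_value):
    """Substitute the user's attribute value (here: cn) into the group filter."""
    # %s sits inside a DN here, so escape for the DN first, then the filter.
    return GROUP_FILTER.replace("%s", escape_filter_value(escape_dn_value(attr_value)))

if __name__ == "__main__":
    print(build_user_filter("MYDOM\\jdoe"))       # constructed login
    print(build_group_filter("Doe, Jane (Ops)"))  # constructed cn value
```

The double escaping in `build_group_filter` applies only because the template places `%s` inside a DN; a template that substitutes into a plain attribute value needs the filter escaping alone.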