Configuration of Group Assignment by the LDAP system

When an LDAP system is connected, you can define rules for assigning LDAP users to Cadenza user groups:

  • Fixed rules: You specify a condition for a DN attribute as well as a Cadenza user group.

  • Dynamic rules (if the group names in the LDAP system and in Cadenza are identical): You specify a condition for a DN attribute. If it applies, the user is assigned to all Cadenza user groups to which they also belong in the LDAP system. If the rule cannot be resolved, for example because a corresponding user group does not exist in Cadenza, a warning is logged, but the logon process is not interrupted. Please note: This functionality has only been tested with OpenLDAP with groupOfUniqueNames and is therefore not guaranteed for other LDAP implementations.

Placeholder for User Name and DN; Compatibility Issues with Special Characters

The placeholders ${UserDn} and ${LoginName} can be used in both <context> and <filter>. At the time of the LDAP search they are replaced by the LDAP DN or the user name of the user currently logging in.

Depending on the LDAP implementation, there may be compatibility problems with special characters in DNs or user names. Two alternative placeholders are therefore available for ${UserDn}, which can be used depending on the use case. There is no alternative for ${LoginName}.

  • ${UserDnEscaped}: Replaces every special character with a backslash followed by the two-character hex value of its UTF-8 encoding

Example: a comma is replaced with \2C

Before: member=uid=Ich,Bins,ou=people,DC=example,DC=com

After: member=uid=Ich\2CBins,ou=people,DC=example,DC=com

  • ${UserDnQuoted}: Encloses every value that contains escaped special characters in quotation marks

Example:

Before: member=uid=Ich\,Bins\2C,ou=people,DC=example,DC=com

After: member=uid="Ich\,Bins\2C",ou=people,DC=example,DC=com
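As an added illustration (not part of the original documentation or of the Cadenza code), the following Python reproduces the two placeholder transformations on the examples above. The DN fed to the escaped variant is a constructed value in RFC 4514 form with the comma already escaped as \, (the form a directory returns), because a DN with an unescaped comma in a value cannot be split into its components unambiguously.

```python
import re

DN_SPECIALS = set(',+"\\<>;=')   # characters RFC 4514 requires escaping in a DN value

def split_rdns(dn):
    """Split a DN on commas that are not escaped; values keep their escape text verbatim."""
    rdns, buf, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\":            # keep '\,' or '\2C' together with its backslash
            buf, i = buf + dn[i:i + 2], i + 2
        elif dn[i] == ",":
            rdns.append(buf)
            buf, i = "", i + 1
        else:
            buf, i = buf + dn[i], i + 1
    rdns.append(buf)
    return [tuple(rdn.split("=", 1)) for rdn in rdns]

def decode_value(text):
    """Undo both escape styles ('\\,' and '\\2C') and return the raw attribute value."""
    raw, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
            raw.append(int(text[i + 1:i + 3], 16))    # hex pair = one UTF-8 byte
            i += 3
        elif text[i] == "\\":
            raw += text[i + 1].encode("utf-8")       # '\,' style: literal next char
            i += 2
        else:
            raw += text[i].encode("utf-8")
            i += 1
    return raw.decode("utf-8")

def hex_escape(value):
    """${UserDnEscaped}: special character -> backslash + two hex digits per UTF-8 byte."""
    return "".join("".join("\\%02X" % b for b in ch.encode("utf-8"))
                   if ch in DN_SPECIALS else ch for ch in value)

def user_dn_escaped(dn):
    return ",".join(f"{a}={hex_escape(decode_value(v))}" for a, v in split_rdns(dn))

def user_dn_quoted(dn):
    """${UserDnQuoted}: wrap every value that contains an escape sequence in double quotes."""
    return ",".join(f'{a}="{v}"' if "\\" in v else f"{a}={v}" for a, v in split_rdns(dn))

# Constructed sample: the user's DN as the directory returns it (comma escaped as '\,')
SAMPLE_DN = "uid=Ich\\,Bins,ou=people,DC=example,DC=com"
if __name__ == "__main__":
    print("member=" + user_dn_escaped(SAMPLE_DN))   # member=uid=Ich\2CBins,ou=people,DC=example,DC=com
    print("member=" + user_dn_quoted(SAMPLE_DN))    # member=uid="Ich\,Bins",ou=people,DC=example,DC=com
```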

Definition of the Rules

The corresponding configuration file accessmanagerldap-config.xml must be adapted. See the accessmanagerldap config file reference for details.

The following applies to the resolution of nested references (chained lookups):

  • It is only possible for DNs.

  • This can increase the execution time of the query.

  • The matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN, an Active Directory extension) must be specified in the filter (see LDAP search filter syntax).

  • Example: <filter>member:1.2.840.113556.1.4.1941:=${UserDnEscaped}</filter>

The following applies to complex filters:

  • Filters over several attributes can be entered directly in the rule in LDAP notation (exception: because the rule is stored in XML, the character & must be written as &amp;).

  • Examples:

    • AND operation: &amp;(attribute1=value1)(attribute2=value2)

    • OR operation: |(attribute1=value1)(attribute2=value2)

    • Negation (NOT): !(attribute1=value1)

Examples of Fixed Rules

Checking the Attributes of an LDAP User

This checks whether a specific attribute of the user's LDAP entry matches a given pattern.

<rule>
  <group-name>Example-Group</group-name>
  <context>${UserDn}</context>
  <filter>mail=*@example.com</filter>
</rule>

If the LDAP entry with the DN uid=my_username,dc=env,dc=example,dc=com has a mail attribute that ends with @example.com, the user is assigned to the Cadenza group Example-Group.

Checking Whether an LDAP User Belongs to an LDAP Group

This checks whether an LDAP group lists the user as a member.

<rule>
  <group-name>Public</group-name>
  <context>cn=team-a,ou=groups</context>
  <filter>member=${UserDn}</filter>
</rule>

If the LDAP object with the DN cn=team-a,ou=groups,dc=env,dc=example,dc=com has a member attribute whose value is the user's LDAP DN, the user is assigned to the Cadenza group Public.

Checking the LDAP uid

This checks whether an LDAP object below a given context carries the user's login name in a specific attribute.

<rule>
  <group-name>water</group-name>
  <context>ou=people</context>
  <filter>uid=${LoginName}</filter>
</rule>

If an LDAP object below the object with the DN ou=people,dc=env,dc=example,dc=com has a uid attribute whose value is the user's login name, the user is assigned to the Cadenza group water.