OpenOLAT issue OO-1259

LDAP groups and role sync


      Description

      When connecting to an LDAP directory, users and their attributes/groups can be synced automatically. This infrastructure must be extended so that user roles and group memberships are also synced, derived from LDAP user attributes or LDAP group membership:

      Roles

      • LDAP users with a certain LDAP attribute should automatically become authors, groupmanagers, usermanagers etc. (groupType=attribute)
      • LDAP users that are members of an LDAP group should automatically become authors, groupmanagers, usermanagers etc. (groupType=baseDn)
      • The role configuration can still be changed in OpenOLAT, but it will be reverted by the next sync process
      • Syncing never assigns or removes the administrator role; that is only possible in the GUI

      The mapping looks something like this:

      <property name="userRoleMapper">
        <map>
          <!-- groupType=attribute: grant the role when the user's LDAP attribute "roles" contains "ldapusermanager" -->
          <entry key="userManager">
            <value>
              <map>
                <entry key="groupType" value="attribute" />
                <entry key="attributekey" value="roles" />
                <entry key="attributeValue" value="ldapusermanager" />
              </map>
            </value>
          </entry>
          <!-- groupType=baseDn: grant the role when the user is a member of the LDAP group "Gruppenverwalter" below ou=groups -->
          <entry key="groupManager">
            <value>
              <map>
                <entry key="groupType" value="baseDn" />
                <entry key="baseDn" value="ou=groups" />
                <entry key="baseDnValue" value="Gruppenverwalter" />
              </map>
            </value>
          </entry>
        </map>
      </property>

      Groups

      • LDAP users with a certain LDAP attribute should automatically be added to a managed group (groupType=attribute). Multiple groups per user can be supported by configuring a separator
      • LDAP users that are members of an LDAP group should automatically be added to a managed group (groupType=baseDn)
      • When users are synced into a group, the user's role in that group is determined by the coachRoleAttribute: users that have this role always become coaches, all other users always become participants
      • Member management in those managed groups is disabled. Groups are created on the fly if no group with the given ID exists

      The mapping looks something like this:

      <property name="userGroupMapper">
        <list>
          <!-- groupType=attribute: the attribute "institute" holds one or more group IDs, split by the separator -->
          <value>
            <map>
              <entry key="groupType" value="attribute" />
              <entry key="attributekey" value="institute" />
              <entry key="separator" value="," />
              <!-- users whose attribute "Role" equals "group manager" become coaches, all others participants -->
              <entry key="coachRoleAttribute" value="Role" />
              <entry key="coachRoleValue" value="group manager" />
            </map>
          </value>
          <!-- groupType=baseDn: every LDAP group below ou=groups the user is a member of maps to a managed group -->
          <value>
            <map>
              <entry key="groupType" value="baseDn" />
              <entry key="baseDn" value="ou=groups" />
              <entry key="coachRoleAttribute" value="Role" />
              <entry key="coachRoleValue" value="group manager" />
            </map>
          </value>
        </list>
      </property>
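      As an added example (not OpenOLAT code), the following Python models how the two mappers above could be evaluated for one LDAP user: roles named in the mapper are recomputed from LDAP on every sync so a manually granted role reverts, administrator is left untouched, and managed-group membership with coach/participant is derived from the attribute or baseDn rule. LdapUser, rule_matches, sync_roles and sync_groups are assumed names, and LDAP group membership is assumed to be already resolved per baseDn.

```python
from dataclasses import dataclass

@dataclass
class LdapUser:
    attrs: dict   # LDAP attribute name -> list of values
    groups: dict  # baseDn -> set of LDAP group names the user belongs to (assumed pre-resolved)

def rule_matches(rule, user):
    """Evaluate one userRoleMapper entry (groupType=attribute or groupType=baseDn)."""
    if rule["groupType"] == "attribute":
        return rule["attributeValue"] in user.attrs.get(rule["attributekey"], [])
    return rule["baseDnValue"] in user.groups.get(rule["baseDn"], set())

def sync_roles(current_roles, user, role_mapper):
    """Roles named in the mapper are overwritten with what LDAP says (manual changes
    revert on the next sync); administrator is never granted or removed by sync."""
    managed = set(role_mapper) - {"administrator"}
    desired = {r for r in managed if rule_matches(role_mapper[r], user)}
    return (set(current_roles) - managed) | desired

def sync_groups(user, group_mapper):
    """Return {managed group id: 'coach' | 'participant'} for a user."""
    result = {}
    for rule in group_mapper:
        coach = rule["coachRoleValue"] in user.attrs.get(rule["coachRoleAttribute"], [])
        if rule["groupType"] == "attribute":   # one attribute, possibly several ids split by separator
            sep = rule.get("separator", ",")
            ids = [g.strip() for v in user.attrs.get(rule["attributekey"], []) for g in v.split(sep)]
        else:                                  # baseDn: each LDAP group under the base is a managed group
            ids = sorted(user.groups.get(rule["baseDn"], set()))
        for gid in filter(None, ids):
            result[gid] = "coach" if coach else "participant"
    return result

# Mapper values transcribed from the configuration in this issue.
ROLE_MAPPER = {
    "userManager": {"groupType": "attribute", "attributekey": "roles", "attributeValue": "ldapusermanager"},
    "groupManager": {"groupType": "baseDn", "baseDn": "ou=groups", "baseDnValue": "Gruppenverwalter"},
}
GROUP_MAPPER = [
    {"groupType": "attribute", "attributekey": "institute", "separator": ",",
     "coachRoleAttribute": "Role", "coachRoleValue": "group manager"},
    {"groupType": "baseDn", "baseDn": "ou=groups",
     "coachRoleAttribute": "Role", "coachRoleValue": "group manager"},
]

# Constructed sample users, not real directory data.
ALICE = LdapUser(attrs={"roles": ["ldapusermanager"], "institute": ["Physics, Math"], "Role": ["group manager"]},
                 groups={"ou=groups": {"Gruppenverwalter"}})
BOB = LdapUser(attrs={"institute": ["Math"]}, groups={})
```

      Running sync_roles({"administrator", "userManager"}, BOB, ROLE_MAPPER) strips the manually granted userManager role while keeping administrator, which is the revert behaviour the issue describes.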

            People

            Assignee: Stéphane Rossé (srosse)
            Reporter: Florian Gnägi (gnaegi)
            Tester: Florian Gnägi
            Time Tracking

            Original Estimate: 3d
            Remaining Estimate: 0m
            Time Spent: 1d 7h