OpenOLAT / OO-1259

LDAP groups and role sync

      Description

      When connecting an LDAP directory, OpenOLAT can automatically sync users and their attributes/groups. This infrastructure must be extended to also sync user roles and group memberships, derived from user attributes or from LDAP group membership:

      Roles

      • LDAP users with a certain LDAP attribute value should automatically become authors, group managers, user managers etc. (groupType=attribute)
      • LDAP users that are members of an LDAP group should automatically become authors, group managers, user managers etc. (groupType=baseDn)
      • The role configuration can still be changed in OpenOLAT, however it will be reverted by the next sync process
      • Syncing never sets or removes the administrator role; that is only possible in the GUI

      The mapping looks something like this:

      <property name="userRoleMapper">
        <map>
          <entry key="userManager">
            <value>
              <map>
                <entry key="groupType" value="attribute" />
                <entry key="attributekey" value="roles" />  
                <entry key="attributeValue" value="ldapusermanager" />  
              </map>
            </value>
          </entry>
          <entry key="groupManager">
            <value>
              <map>
                <entry key="groupType" value="baseDn" />
                <entry key="baseDn" value="ou=groups" />  
                <entry key="baseDnValue" value="Gruppenverwalter" />  
              </map>
            </value>
          </entry>
        </map>
      </property>
      

      Groups

      • LDAP users with a certain LDAP attribute value should automatically be added to a managed group (groupType=attribute). Multiple groups can be supported by configuring a separator
      • LDAP users that are members of an LDAP group should automatically be added to a managed group (groupType=baseDn)
      • When users are synced to a group, the user's role is determined by the coachRoleAttribute: users whose attribute carries the coachRoleValue always become coaches, all other users always become participants
      • User management in those managed groups is disabled. Groups are generated on the fly if no group with the given ID exists

      The mapping looks something like this:

      <property name="userGroupMapper">
        <list>
          <value>
            <map>
              <entry key="groupType" value="attribute" />
              <entry key="attributekey" value="institute" />  
              <entry key="separator" value="," />  
              <entry key="coachRoleAttribute" value="Role" />  
              <entry key="coachRoleValue" value="group manager" />  
            </map>
          </value>
          <value>
            <map>
              <entry key="groupType" value="baseDn" />
              <entry key="baseDn" value="ou=groups" />  
              <entry key="coachRoleAttribute" value="Role" />  
              <entry key="coachRoleValue" value="group manager" />  
            </map>
          </value>
        </list>
      </property>
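      The following is an added Python model of the sync semantics described in both the Roles and the Groups sections above; it is example code written for this page, not OpenOLAT code. The two mapper dicts mirror the Spring <map>/<list> fragments verbatim. Assumptions that the issue does not fix: a baseDn such as "ou=groups" is matched as the RDNs sitting directly above the group's cn in the member DN, group membership is supplied as a list of group DNs, and the two LDAP user entries are constructed sample data.

```python
"""Model of the proposed OO-1259 LDAP role/group sync. Added example, not OpenOLAT code."""
from dataclasses import dataclass

# The userRoleMapper from the issue, transcribed as a dict (role -> rule)
USER_ROLE_MAPPER = {
    "userManager": {"groupType": "attribute", "attributekey": "roles",
                    "attributeValue": "ldapusermanager"},
    "groupManager": {"groupType": "baseDn", "baseDn": "ou=groups",
                     "baseDnValue": "Gruppenverwalter"},
}

# The userGroupMapper from the issue, transcribed as a list of rules
USER_GROUP_MAPPER = [
    {"groupType": "attribute", "attributekey": "institute", "separator": ",",
     "coachRoleAttribute": "Role", "coachRoleValue": "group manager"},
    {"groupType": "baseDn", "baseDn": "ou=groups",
     "coachRoleAttribute": "Role", "coachRoleValue": "group manager"},
]

# Roles the sync must never grant or revoke (the issue: admin only via the GUI)
NON_SYNCED_ROLES = {"administrator"}


@dataclass
class LdapUser:
    dn: str
    attributes: dict   # attribute name -> list of string values
    member_of: list    # DNs of the LDAP groups this user belongs to (assumption)


def _split_dn(dn):
    """Split a DN into lowercased RDN strings. Simplification for the sample data:
    no support for escaped commas."""
    return [part.strip().lower() for part in dn.split(",")]


def _groups_under(user, base_dn):
    """cn values of the user's LDAP groups whose DN sits directly under base_dn.
    Assumption: base_dn is relative, e.g. 'ou=groups' matches
    'cn=X,ou=groups,dc=example,dc=org'."""
    base = _split_dn(base_dn)
    found = []
    for group_dn in user.member_of:
        rdns = _split_dn(group_dn)
        if (len(rdns) > len(base) and rdns[0].startswith("cn=")
                and rdns[1:1 + len(base)] == base):
            found.append(group_dn.split(",", 1)[0].split("=", 1)[1].strip())
    return found


def _attribute_values(user, key, separator=None):
    """All values of an attribute, optionally split on the configured separator."""
    values = []
    for raw in user.attributes.get(key, []):
        parts = raw.split(separator) if separator else [raw]
        values.extend(p.strip() for p in parts if p.strip())
    return values


def sync_roles(user, current_roles, mapper=USER_ROLE_MAPPER):
    """Role set the user must have after a sync run. Mapped roles are recomputed
    from the directory, so manual changes are reverted; roles in NON_SYNCED_ROLES
    are carried over unchanged because the sync never touches them."""
    kept = {r for r in current_roles if r in NON_SYNCED_ROLES}
    mapped = set()
    for role, rule in mapper.items():
        if role in NON_SYNCED_ROLES:
            continue  # mis-configured rule: the sync must not hand out admin
        if rule["groupType"] == "attribute":
            if rule["attributeValue"] in _attribute_values(user, rule["attributekey"]):
                mapped.add(role)
        elif rule["groupType"] == "baseDn":
            if rule["baseDnValue"] in _groups_under(user, rule["baseDn"]):
                mapped.add(role)
        else:
            raise ValueError(f"unknown groupType {rule['groupType']!r}")
    return kept | mapped


def sync_groups(user, mapper=USER_GROUP_MAPPER):
    """Managed-group memberships the user must have: {group_id: 'coach'|'participant'}.
    The group ID is the attribute value (attribute rules) or the group cn (baseDn rules)."""
    memberships = {}
    for rule in mapper:
        if rule["groupType"] == "attribute":
            ids = _attribute_values(user, rule["attributekey"], rule.get("separator"))
        elif rule["groupType"] == "baseDn":
            ids = _groups_under(user, rule["baseDn"])
        else:
            raise ValueError(f"unknown groupType {rule['groupType']!r}")
        is_coach = rule["coachRoleValue"] in _attribute_values(user, rule["coachRoleAttribute"])
        for gid in ids:
            memberships[gid] = "coach" if is_coach else "participant"
    return memberships


# Constructed sample entries (not from any real directory)
ALICE = LdapUser(
    dn="uid=alice,ou=people,dc=example,dc=org",
    attributes={"roles": ["ldapusermanager"], "institute": ["Physics, Chemistry"],
                "Role": ["group manager"]},
    member_of=["cn=Gruppenverwalter,ou=groups,dc=example,dc=org"],
)
BOB = LdapUser(
    dn="uid=bob,ou=people,dc=example,dc=org",
    attributes={"institute": ["Physics"], "Role": ["student"]},
    member_of=["cn=Physics-2014,ou=groups,dc=example,dc=org",
               "cn=admins,ou=system,dc=example,dc=org"],
)

if __name__ == "__main__":
    print(sync_roles(ALICE, {"author", "administrator"}))  # author is reverted, admin kept
    print(sync_groups(BOB))                                 # admins group is outside ou=groups
```

      Running the module shows the two behaviours the issue calls out: a manually granted author role disappears on the next sync while administrator survives it, and a group outside the configured baseDn (cn=admins,ou=system) produces no managed group.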
      

People

Assignee: Stéphane Rossé (srosse)
Reporter: Florian Gnägi (gnaegi)
Tester: Florian Gnägi
Time Tracking

Estimated: 3 days (original estimate)
Remaining: 0 minutes
Logged: 1 day, 7 hours