Role Search filter for LDAP Authentication

I’m trying to configure Ignition to use LDAP authentication.

Ignition v7.5.5
The LDAP is openDS version 2.2
Users and roles are configured as follows:

In OpenDS:


In Ignition:

Username Prefix : uid=
Username Suffix : ,ou=utilisateurs,dc=itinisere,dc=fr
User Search Base : dc=itinisere,dc=fr
User Search Filter : (&(objectClass=utilisateur)(uid={0}))
User Name Attribute : uid
User Name Attribute :
Role Name Attribute : cn
Role Search Base :
Role Search Filter : (&(objectClass=groupOfUniqueNames)(uniqueMember=uid={0},ou=utilisateurs,dc=itinisere,dc=fr))

I’ve activated the log for SimpleLDAPAuthentificator:


Connection to the LDAP is OK
Searching user is OK
Listing Roles is BAD


When I try the LDAP filter in OpenDS to list the roles of the user, I get the right data:


Is {0} supported in the Role Search Filter?
How can I get the user’s roles in my case?

No, we don’t support {0} in the role filter. We expect the user to have an attribute (the user role attribute) that contains the roles and is an array. When I configured OpenDS, I had to use a specific attribute and manually put the roles in for each user.

Yes, it works in this case, but I have a problem. :frowning:

In my case, the OpenDS administrator doesn’t want to add an attribute on the user class with the link to the roles class.
So I can’t configure the “User Role Attribute” on the authentication profile!
:imp:

In fact, in his configuration, the roles class contains “uniqueMember” attributes with the user reference (uid=loperateur,ou=utilisateurs,dc=itinisere,dc=fr).

Is there a way to configure the authentication profile, or to upgrade it, so that the roles check could be based directly on the roles class
instead of looking for a roles attribute on the user class?

In this case, for example, by leaving “User Role Attribute” blank or setting it to a special value,
and setting the “Role Search Filter” field to (&(objectClass=groupOfUniqueNames)(uniqueMember=uid={0},ou=utilisateurs,dc=itinisere,dc=fr)),
where {0} is the login.
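The group-based lookup proposed above, as an added example that is not code from this thread or from Ignition: the user's login is substituted into the thread's Role Search Filter, and the cn of every groupOfUniqueNames listing the user's DN as uniqueMember becomes a role. The login allow-list, the filter escaping and the in-memory DIRECTORY entries are assumptions of this example; a real implementation would send the built filter to OpenDS instead of filtering a list locally.

```python
import re

USER_SUFFIX = ",ou=utilisateurs,dc=itinisere,dc=fr"           # from the thread
ROLE_FILTER = "(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))"
LOGIN_ALLOWED = re.compile(r"^[A-Za-z0-9._-]{1,64}$")        # assumed policy


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def user_dn(login: str) -> str:
    """Build the user DN with the thread's prefix/suffix. Logins outside the
    allow-list are rejected: ',', '+' or '=' would alter the DN (RFC 4514)."""
    if not LOGIN_ALLOWED.match(login):
        raise ValueError("login contains characters not allowed in a uid")
    return "uid=" + login + USER_SUFFIX


def build_role_filter(login: str) -> str:
    """The Role Search Filter with {0} replaced by the escaped user DN."""
    return ROLE_FILTER.format(escape_filter_value(user_dn(login)))


# Constructed sample entries standing in for what OpenDS would return.
DIRECTORY = [
    {"dn": "cn=Operator,ou=roles,dc=itinisere,dc=fr",
     "objectClass": ["top", "groupOfUniqueNames"], "cn": ["Operator"],
     "uniqueMember": ["uid=loperateur" + USER_SUFFIX, "uid=jdoe" + USER_SUFFIX]},
    {"dn": "cn=Administrator,ou=roles,dc=itinisere,dc=fr",
     "objectClass": ["top", "groupOfUniqueNames"], "cn": ["Administrator"],
     "uniqueMember": ["uid=loperateur" + USER_SUFFIX]},
    {"dn": "uid=loperateur" + USER_SUFFIX,
     "objectClass": ["top", "utilisateur"], "uid": ["loperateur"]},
]


def roles_for(login: str, entries) -> list:
    """Evaluate the role filter locally: the cn (Role Name Attribute) of every
    groupOfUniqueNames whose uniqueMember contains the user's DN."""
    dn = user_dn(login)
    return sorted(e["cn"][0] for e in entries
                  if "groupOfUniqueNames" in e.get("objectClass", [])
                  and dn in e.get("uniqueMember", []))


if __name__ == "__main__":
    print(build_role_filter("loperateur"))
    print(roles_for("loperateur", DIRECTORY))    # ['Administrator', 'Operator']
```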

It would be possible for you to create your own module (in the Module SDK) that exposes a new authentication profile. I don’t think we are going to modify ours to work in that situation, since in most of them the roles are part of the user.

Maybe the hybrid model is the way to go.
Keep the roles in Ignition and user authentication in OpenDS.

[quote=“Robert”]Maybe the hybrid model is the way to go.
Keep the roles in Ignition and user authentication in OpenDS.[/quote]

Yes, and the best way to handle an IT person that doesn’t want to play ball.

Thanks!
AD/hybrid is a good compromise.