I would like to manage my application by using the LDAP of my company and set up roles from the Gateway. In User/Roles part (Ignition 8.1), I understand how the default (internal) works. I have been able to use the Active Directory and login with my LDAP credentials.
The problem is that in the lot of "roles" that the test login send me, nothing is relevant (hexadecimal characters that can't help me to know what are my rights). Then, I have seen the AD Hybrid but I was not be able to use it... I can login with my LDAP credentials, the "roles" section in the test login is empty but I don 't know how I assign them. I can add users and roles :
If you're looking to roles set up in ignition for an AD/Internal hybrid, you'd click on that manage users shown in your screenshot. It then brings you to page that has 2 tabs. Users and Roles. On that page there is a Add Roles button. Click that and add the roles you want.
Ok but how the role and the user are linked with the Active Directory ? I am able to create them but what is the link with my LDAP ? My LDAP credential is MrIgnition. Do I have to create a user MrIgnition (as ID or username) ?
If you want to define roles in Ignition but allow users to authenticate via LDAP, yes - you will need to add each user and assign (and create) their respective roles in your "AD_Hybrid" user source.
The hybrid option lets you authenticate with AD and administer roles through Ignition or a database. If you want the roles from AD I believe you would choose the Active Directory user source. The manual says
The Active Directory Authentication profile uses Microsoft's Active Directory over LDAP(Lightweight Directory Access Protocol) to store all the users, roles, and more that make up an Authentication profile. Active Directory Groups are used for Ignition's roles and user-role mappings.
While using an Active Directory User Source, administration of users and roles is through Active Directory itself, and not manageable within Ignition. Thus adding new users to an Active Directory User Source, or modifying pre existing users, requires the modifications be made from Active Directory, usually through an AD Administrator.
