Role Search filter for LDAP Authentification

I try to configure Ignition to use LDAP Authentification.

Ignition v7.5.5
The LDAP is openDS version 2.2
Users and Roles are configured as follows :

in openDS :

in Ignition :

Username Prefix : uid=
Username Suffix : ,ou=utilisateurs,dc=itinisere,dc=fr
User Search Base : dc=itinisere,dc=fr
ser Search Filter : (&(objectClass=utilisateur)(uid={0}))
User Name Attribute : uid
User Name Attribute :
Role Name Attribute : cn
Role Search Base :
Role Search Filter : (&(objectClass=groupOfUniqueNames)(uniqueMember=uid={0},ou=utilisateurs,dc=itinisere,dc=fr))

I’ve actived the log for SimpleLDAPAuthentificator :

Connection to the LDAP is OK
Serching user is OK
Listing Roles is BAD

When I try the LDAP Filter in openDS to list the roles of the user, i get the right data :

Is {0} supported in the Role Search Filter ???
How to get the user’s roles in my case?

No, we don’t support the {0} in the role filter. We expect the user has an attribute (user role attribute) that contains the roles and is an array. When I have configured OpenDS I had to use a specific attribute and manually put the roles in for each user.

Yes, it works in this case, but I have a problem. :frowning:

In my case, OpenDS administrator doesn’t want to add an attribut on the user class with the link to the roles class.
So I can’t configure the “User Role Attribute” on the authentification profile !

In fact, in his configuration, the roles class contains attributes “uniqueMenber” with the user reference (uid=loperateur,ou=utilisateurs,dc=itinisere,dc=fr)

Is there a way to configure the authentification Profile or to upgrade it, so that the roles check could be directly based on the Roles class
instead of looking for an atributes for the roles on the user class ?

In this case, for example, by leaving blank “User Role Attribute” or set to a special value,
and setting the field “Role Search Filter” : (&(objectClass=groupOfUniqueNames)(uniqueMember=uid={0},ou=utilisateurs,dc=itinisere,dc=fr))
where {0} is the login

It would be possible for you to create your own module (in the Module SDK) that exposes a new authentication profile. I don’t think we are going to modify ours to work in that situation since most of them the roles are part of the user.

Maybe the Hybrid model is the way to go.
Keep the roles in ignition and user authentication in OpenDS

[quote=“Robert”]Maybe the Hybrid model is the way to go.
Keep the roles in ignition and user authentication in OpenDS[/quote]

yes, and the best way to handle an IT person that doesnt want to play ball.

Thanks !
AD/hybrid is a good compromise