(→Roles) |
m (→LDAP users) |
||
Line 41: | Line 41: | ||
=== LDAP users === | === LDAP users === | ||
In the LDAP | In the LDAP user tab, it is possible to define an LDAP or Active Directory source for user management. LDAP users are only an addition to the locally defined users. Locally defined users take precedence over LDAP users. | ||
The values required depend on the setup of the LDAP server. | The values required depend on the setup of the LDAP server. | ||
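Review bot: The added sentence "Locally defined users take precedence over LDAP users" in the new revision of the LDAP users paragraph does not say what precedence means when the same username exists in both sources. Suggest stating whether such a login is checked only against the local password or can fall through to the LDAP server, so that administrators know which credential store decides the login for a duplicated name.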
Line 49: | Line 49: | ||
The group filter requires either '''%s''' as a placeholder for the username, or any '''${value}''' attribute of the user. The special value '''${DN}''' references the distinguished name of the user. | The group filter requires either '''%s''' as a placeholder for the username, or any '''${value}''' attribute of the user. The special value '''${DN}''' references the distinguished name of the user. | ||
In the '''Allegro MM users group''' and '''Allegro MM admins group''', a comma-separated list of the common name of the groups is given. If the user is in any of the groups, | In the '''Allegro MM users group''' and '''Allegro MM admins group''', a comma-separated list of the common name of the groups is given. If the user is in any of the groups, they are allowed to log in. If the user is in one of the admins group, they are treated as an administrator. | ||
At the moment, only the roles '''admin''' and '''user''' can be used for LDAP | At the moment, only the roles '''admin''' and '''user''' can be used for LDAP access. | ||
Example for a simple LDAP setup involving only the username: | Example for a simple LDAP setup involving only the username: | ||
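Review bot: In the completed sentence about the users and admins groups, "If the user is in any of the groups, they are allowed to log in" leaves it unclear whether "the groups" covers both lists, that is, whether a member of an admins group who is in no users group can log in. Suggest naming both fields explicitly there, and changing "one of the admins group" to "one of the admin groups".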
Line 57: | Line 57: | ||
User filter : (uid=%s) | User filter : (uid=%s) | ||
Group filter : (memberUid=%s) | Group filter : (memberUid=%s) | ||
User group : allegro-mm-users | |||
Admin group : allegro-mm-admins | |||
Example for a more complex setup using the distinguished name of the user for filtering the groups and Active Directory-style user-filtering: | Example; for a more complex setup using the distinguished name of the user for filtering the groups and Active Directory-style user-filtering: | ||
User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2)) | User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2)) | ||
Group filter : (&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins))) | Group filter : (&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins))) | ||
User group : allegro-mm-users | |||
Admin group : allegro-mm-admins | |||
For recursive group membership resolution, the following group filter can be used for Active Directory: | For recursive group membership resolution, the following group filter can be used for the Active Directory: | ||
Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins))) | Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins))) | ||
This recursive group filter might be slower | This recursive group filter might be slower depending on the size of the directory. | ||
Depending on the setup, it is also possible to filter groups by distinguished name: | Depending on the setup, it is also possible to filter groups by distinguished name: | ||
Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(distinguishedName:=CN=allegro-mm-users,OU=Groups,DC=example,DC=com)(distinguishedName:=CN=allegro-mm-admins,OU=Groups,DC=example,DC=com))) | Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(distinguishedName:=CN=allegro-mm-users,OU=Groups,DC=example,DC=com)(distinguishedName:=CN=allegro-mm-admins,OU=Groups,DC=example,DC=com))) |
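Review bot: The new revision changes the lead-in of the second example to "Example; for a more complex setup", and the semicolon there reads as a typo; the old wording "Example for a more complex setup" was correct, and "for the Active Directory" in the recursive-filter sentence reads better as "for Active Directory". Separately, the user filter carried unchanged in this hunk writes its negations as "(!sAMAccountType=805306370)" and "(!userAccountControl:1.2.840.113556.1.4.803:=2)", whereas the LDAP filter grammar in RFC 4515 expects the negated term in its own parentheses, as in "(!(sAMAccountType=805306370))". Since the second term is what excludes disabled accounts, it is worth confirming the filter is accepted as written by the target directory or switching to the parenthesized form.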