User Management: Difference between revisions

no edit summary
(mention update limitations for the role permission system)
No edit summary
Line 191: Line 191:
The group filter requires either '''%s''' as a placeholder for the username, or any '''${value}''' attribute of the user. The special value '''${DN}''' references the distinguished name of the user.
The group filter requires either '''%s''' as a placeholder for the username, or any '''${value}''' attribute of the user. The special value '''${DN}''' references the distinguished name of the user.


In the '''Allegro MM users group''' and '''Allegro MM admins group''', a comma-separated list of the common name of the groups is given. If the user is in any of the groups, they are allowed to log in. If the user is in one of the admins group, they are treated as an administrator.
In the '''group mapping''' section, LDAP groups can be mapped to roles.


At the moment, only the roles '''admin''' and '''user''' can be used for LDAP access.
For any of the roles, a comma-separated list of the common name of the groups can be defined. If the user is in any of the groups, they are allowed to log in and will have the permissions of the given role.


Example for a simple LDAP setup involving only the username:
Example for a simple LDAP setup involving only the username:
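Review bot: the new group mapping paragraph does not say which role applies when a user belongs to groups mapped to more than one role. The removed text stated that membership in one of the admins groups makes the user an administrator; the replacement wording "will have the permissions of the given role" should state the precedence, or whether permissions are combined, for a user whose groups map to both admin and user.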
Line 199: Line 199:
  User filter : (uid=%s)
  User filter : (uid=%s)
  Group filter : (memberUid=%s)
  Group filter : (memberUid=%s)
  User group : allegro-mm-users
   
Admin group allegro-mm-admins
Group mapping:
  admin  : allegro-mm-admins
  user  : allegro-mm-users
  capture:
In this example, the user can log in if he is in LDAP group allegro-mm-admins or allegro-mm-users. No group mapping is given for the capture role, so no LDAP user will be assigned to this role.


==== '''Active Directory''' ====
==== '''Active Directory''' ====
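Review bot: the explanatory sentence added after the example says only that the user "can log in" and does not say which role each group grants, which is the point of the new mapping. Suggest spelling it out (allegro-mm-admins gives the admin role, allegro-mm-users gives the user role) and using "they" instead of "he" to match the group mapping paragraph above.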
Line 206: Line 210:
  User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2))
  Group filter : (&(member=${DN})(objectClass=group))
  Group filter : (&(member=${DN})(objectClass=group))
  User group : allegro-mm-users
   
Admin group : allegro-mm-admins
Group mapping:
  admin: allegro-mm-admins
  user : allegro-mm-users
A more complex group filter, using pre-filtering groups for performance reasons in large directories with lots of groups:
A more complex group filter, using pre-filtering groups for performance reasons in large directories with lots of groups:
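Review bot: the Active Directory mapping omits the capture line that the simple LDAP example lists with an empty value, so the two examples disagree on how an unmapped role is written. Either add an empty "capture:" entry here or state that omitted roles are unmapped; the spacing before the colon ("admin:" versus "user :") should also match the other example.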

