LDAP group mapping

Hello everybody,

I would like to use the LDAP group mapping and am struggling to get it up and running. The basic LDAP authentication works correctly: users are created (if they do not exist) on login and assigned the default DataGerry group.

The next step is to enable the group mapping. Referring to the official admin guide, I need to map the LDAP group with the DataGerry internal group (Got this part :wink:). The search filter field above this very mapping table confuses me.
DataGerry seems to rely on an LDAP backend that searches for groups based on usernames. A quick look into the source code on GitHub strengthens my assumption. At the moment I am concerned that this DataGerry feature does not work for my environment, and to me it looks like an issue in the application.

In my infrastructure there is an Active Directory that does not have a group object -> username relationship. It’s more a user object <-> group object relationship. I am not sure if this is by design or just in this particular Active Directory. On every user object there is the memberOf attribute. It can exist multiple times and contains a reference (distinguished name) to a single group. So each group membership is represented by a separate memberOf attribute in a user object. In addition to that, a group object has multiple member attributes, each containing a reference (distinguished name) to a specific user.

I don’t know any possible way to “convert” the username provided by DataGerry into an actual user inside the search filter defined in DataGerry. This would be necessary for me to find all groups having the user’s distinguished name in a memberOf attribute.

Did I get this whole feature totally wrong? Is there any chance to get this feature up and running in my current environment?

Happy for your feedback.

And just one other question: Is it intended that Firstname, Lastname and Email should also be imported via LDAP? Currently these fields remain empty.

Thank you very much in advance!

Best regards


Hey @Jennifer,

were you able to solve this problem? We are trying the exact same approach, but only got it working using the DistinguishedName as Loginuser, which isn’t practicable.
e.g. CN=Full Username,OU=Path03,OU=Path02,OU=Path01,DC=ad,DC=contoso,DC=com
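Both posts above run into the same gap: Active Directory links users and groups by distinguished name, so a login name has to be resolved to the user's DN before the groups can be found. The example below is added here and is not DataGerry's code; it shows that two-step lookup against a constructed directory snapshot (the DNs, attribute names and the group mapping table are assumptions), with RFC 4515 escaping so the login name substituted into the search filter cannot alter the filter's structure.

```python
DIRECTORY = {  # constructed AD subtree: user DN -> attributes
    "CN=Jennifer Doe,OU=Users,DC=ad,DC=contoso,DC=com": {
        "sAMAccountName": ["jdoe"],
        "memberOf": ["CN=DG-Admins,OU=Groups,DC=ad,DC=contoso,DC=com",
                     "CN=Staff,OU=Groups,DC=ad,DC=contoso,DC=com"],
    },
    "CN=Sam Roe,OU=Users,DC=ad,DC=contoso,DC=com": {
        "sAMAccountName": ["sroe"],
        "memberOf": ["CN=Printers,OU=Groups,DC=ad,DC=contoso,DC=com"],
    },
}
# Constructed mapping table: AD group DN -> DataGerry group; first match wins.
GROUP_MAPPING = [
    ("CN=DG-Admins,OU=Groups,DC=ad,DC=contoso,DC=com", "admin"),
    ("CN=Staff,OU=Groups,DC=ad,DC=contoso,DC=com", "user"),
]
DEFAULT_GROUP = "user"  # assigned when no mapped group matches

def escape_filter_value(value):
    # RFC 4515: special characters in an assertion value are hex-escaped.
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def user_filter(username, attr="sAMAccountName"):
    # Step 1: the filter that finds the user object for a login name.
    return f"(&(objectClass=user)({attr}={escape_filter_value(username)}))"

def group_filter(user_dn):
    # Step 2, search form: groups whose member attribute holds the user's DN.
    return f"(&(objectClass=group)(member={escape_filter_value(user_dn)}))"

def resolve_user_dn(directory, username, attr="sAMAccountName"):
    # Step 1 evaluated on the snapshot; AD login names match case-insensitively.
    for dn, attrs in directory.items():
        if any(v.lower() == username.lower() for v in attrs.get(attr, [])):
            return dn
    return None

def map_to_internal_group(directory, username):
    # Step 2, memberOf form, followed by the mapping table; None if no such user.
    dn = resolve_user_dn(directory, username)
    if dn is None:
        return None
    member_of = {g.lower() for g in directory[dn].get("memberOf", [])}
    for ad_group, internal in GROUP_MAPPING:
        if ad_group.lower() in member_of:
            return internal
    return DEFAULT_GROUP
```

Against a live server the two filters would be sent as separate searches, the first returning the DN and the second (or the memberOf values of the first result) returning the groups.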