LDAP group mapping

Hello everybody,

I would like to use the LDAP group mapping and am struggling to get it up and running. The basic LDAP authentication works correctly: users are created (if they do not exist) on login and assigned the default DataGerry group.

The next step is to enable the group mapping. Referring to the official admin guide, I need to map the LDAP group to the DataGerry internal group (got this part :wink:). The search filter field above this very mapping table confuses me.
DataGerry seems to rely on an LDAP backend that searches for groups based on usernames. A quick look into the source code on GitHub strengthens my assumption. At the moment I am concerned that this DataGerry feature does not work for my environment, and to me it looks like an issue in the application.

In my infrastructure there is an Active Directory that does not have a group object -> username relationship. It’s more a user object <-> group object relationship. I am not sure if this is by design or just in this particular Active Directory. On every user object there is the memberOf attribute. It can exist multiple times and contains a reference (distinguished name) to a single group. So each group membership is represented by a separate memberOf attribute in a user object. In addition to that, a group object has multiple member attributes, each containing a reference (distinguished name) to a specific user.

I don’t know any possible way to “convert” the username provided by DataGerry into an actual user inside the search filter defined in DataGerry. This would be necessary for me to find all groups having the user’s “distinguished name” in a memberOf attribute.

Did I get this whole feature totally wrong? Is there any chance to get this feature up and running in my current environment?

Happy for your feedback.

And just one other question: Is it intended that Firstname, Lastname and Email should also be imported via LDAP? Currently these fields remain empty.

Thank you very much in advance!

Best regards

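An added example (not code from the DataGerry project or from anyone in this thread) showing the two pieces this question turns on: filling the `%username%` placeholder of a search filter such as `(sAMAccountName=%username%)` with RFC 4515 escaping, and resolving a user's memberOf distinguished names against a mapping table to DataGerry groups. The directory entry, the mapping and the function names are constructed for illustration; the dict lookup stands in for the real LDAP search.

```python
# Constructed sample data standing in for an Active Directory user entry and
# for the LDAP-group -> DataGerry-group mapping table (hypothetical values).
SAMPLE_DIRECTORY = {
    "jdoe": {
        "distinguishedName": "CN=John Doe,OU=Users,DC=ad,DC=contoso,DC=com",
        "memberOf": [
            "CN=DataGerry Admins,OU=Groups,DC=ad,DC=contoso,DC=com",
            "cn=Domain Users, cn=Users, dc=ad, dc=contoso, dc=com",
        ],
    },
}
GROUP_MAPPING = {
    "CN=DataGerry Admins,OU=Groups,DC=ad,DC=contoso,DC=com": "admin",
    "CN=DataGerry Users,OU=Groups,DC=ad,DC=contoso,DC=com": "user",
}

# RFC 4515 escapes for values substituted into a search filter, so a login
# name such as 'x)(objectClass=*' cannot alter the filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(template: str, username: str) -> str:
    """Fill the %username% placeholder of a DataGerry-style search filter."""
    return template.replace("%username%", escape_filter_value(username))

def normalize_dn(dn: str) -> str:
    """Comparison key for a DN: AD treats DNs case-insensitively and they may
    carry spaces after commas. Simplified: assumes no escaped commas in values."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def map_groups(member_of, group_mapping):
    """DataGerry groups whose mapped LDAP group DN occurs in the user's memberOf."""
    wanted = {normalize_dn(ldap_dn): dg for ldap_dn, dg in group_mapping.items()}
    found = []
    for dn in member_of:
        dg = wanted.get(normalize_dn(dn))
        if dg is not None and dg not in found:
            found.append(dg)
    return found

def groups_for_login(username, directory=SAMPLE_DIRECTORY, mapping=GROUP_MAPPING):
    """Two-step lookup: build the user filter a client would send, resolve the
    login name to its entry (dict lookup in place of the search), map memberOf."""
    ldap_filter = build_user_filter("(sAMAccountName=%username%)", username)
    print("user search filter:", ldap_filter)
    entry = directory.get(username)
    return map_groups(entry["memberOf"], mapping) if entry else []
```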

Hey @anon60115798,

were you able to solve this problem? We are trying the exact same approach, but only got it working using the DistinguishedName as login user, which isn’t practicable.
e.g. CN=Full Username,OU=Path03,OU=Path02,OU=Path01,DC=ad,DC=contoso,DC=com

Thanks,
Ruben

I have changed the Searchfilter for the users to (SamAccountName=%username%).
With that my AD users can log in.
At the moment I am trying to get the group assignment right.
I’m stuck: “MemberOf” seems not to work.
I will inform you if I find a solution.

We limit the users to one AD group - Searchfilter: (&(sAMAccountName=%username%)(memberOf=CN=…DC=com)) and then we manually assign the user to the role, as the AD memberOf does not contain the username in our case, so it could not be mapped to the group.