If you are unable to map all of the roles to LDAP groups, you can always augment the role information by adding a specific user-role mapping for an external LDAP user in the repository manager. In other words, if you need to make sure that a specific user in LDAP gets a specific role and you don’t want to model this as a group membership, you can add a role mapping for an external user in the repository manager.
The repository manager keeps track of this association independent of your LDAP server. It continues to delegate authentication to the LDAP server for this user. The repository manager will continue to map the user to roles based on the group element mapping you have configured, but it will also add any roles specified in the User panel. You are augmenting the role information that the repository manager gathers from the group element mapping.
Once the user and group mapping has been configured, click on the Users link under Security in the main menu. The Users tab is going to contain all of the configured users for this repository manager instance as shown in Figure 8.9, “Viewing All Configured Users”. A configured user is a user in a repository manager realm or an External User that has an explicit mapping to a role. In Figure 8.9, “Viewing All Configured Users”, you can see the three default users in the default realm plus the brian user from LDAP. The brian user appears because this user has been mapped to an internal role.
The list of users in Figure 8.9, “Viewing All Configured Users” is a combination of all of the users in the default realm and all of the External Users with role mappings. To explore these two sets of users, click on the All Configured Users drop-down and choose Default Realm Users. Once you select this, click in the search field and press Enter. Searching with a blank string in the Users panel will return all of the users of the selected type. In Figure 8.10, “All Default Realm Users” you see a dialog containing all three default users from the default realm.
If you want to see a list of all LDAP users, select LDAP from the All Configured Users drop-down shown in Figure 8.9, “Viewing All Configured Users” and click on the search button (magnifying glass) with an empty search field. Clicking search with an empty search field will return all of the LDAP users as shown in Figure 8.11, “All LDAP Users”.
Note that the user
To add a mapping for an external LDAP user, click on the All Configured Users drop-down and select LDAP. Once you’ve selected LDAP, type in the user ID you are searching for and click the search button (magnifying glass icon to the right of the search field). In Figure 8.12, “Search LDAP Users”, a search for "brian" yields one user from the LDAP server.
To add a role mapping for the external user brian shown in Figure 8.12, “Search LDAP Users”, click on the user in the results table and drag a role from Available Roles to Selected Roles as shown in Figure 8.13, “Mapping the Deployment Role to an External User”. In this case, the user "brian" is mapped to the Administrative group by virtue of his membership in an "admin" group in the LDAP server. In this use case, an administrator would like to grant Brian the Deployment Role without having to create an LDAP group for this role and modifying his group memberships in
The end result of this operation is to augment the Group-Role mapping that is provided by the LDAP integration. You can use LDAP groups to manage coarse-grained permissions to grant people administrative privileges and developer roles, and if you need to perform more targeted privilege assignments in the repository manager you can map LDAP users to roles with the techniques shown in this section.
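The following is an added example, not code from the repository manager or from the original text. It models the two rules this section describes: a user's effective roles are the union of the roles derived from the LDAP group element mapping and any roles assigned explicitly in the User panel, and the "All Configured Users" list is the default realm users plus the external users that have an explicit role mapping. It also shows the practical consequence of the manager tracking explicit mappings independently of LDAP: an explicit role survives a change in the user's LDAP group membership, and a mapping for a user who has since left the directory lingers until an administrator removes it, which is why a periodic audit of explicit external mappings is worthwhile. All user names, group names, role names and directory contents below are constructed sample data.

```python
# Illustrative model of LDAP group-role mapping augmented by explicit
# user-role mappings. Names and data are constructed for this example.

# Assumption: three default users exist in the default realm.
DEFAULT_REALM_USERS = frozenset({"admin", "deployment", "anonymous"})

# Group element mapping: LDAP group -> repository manager roles (assumed names).
GROUP_ROLE_MAP = {
    "admin": {"Administrator"},
    "developers": {"Developer"},
}

# Explicit user-role mappings for external (LDAP) users, i.e. the
# augmentation made in the User panel. "brian" gets the Deployment role
# without a corresponding LDAP group.
EXTERNAL_USER_ROLES = {
    "brian": {"Deployment"},
}

# Constructed snapshot of the LDAP directory: user -> set of groups.
LDAP_DIRECTORY = {
    "brian": {"admin"},
    "alice": {"developers"},
    "carol": set(),
}


def roles_from_groups(user, ldap_directory, group_role_map):
    """Roles derived purely from the LDAP group element mapping."""
    roles = set()
    for group in ldap_directory.get(user, set()):
        roles |= group_role_map.get(group, set())
    return roles


def effective_roles(user, ldap_directory, group_role_map, user_role_map):
    """Union of group-derived roles and explicit user-role mappings.

    Authentication itself is still delegated to LDAP; this only decides
    which roles an authenticated LDAP user ends up with.
    """
    roles = roles_from_groups(user, ldap_directory, group_role_map)
    roles |= user_role_map.get(user, set())
    return roles


def configured_users(default_realm_users, user_role_map):
    """What the 'All Configured Users' view lists: realm users plus
    external users that carry an explicit role mapping."""
    return set(default_realm_users) | set(user_role_map)


def stale_external_mappings(user_role_map, ldap_directory):
    """Explicit mappings whose user no longer exists in LDAP.

    The manager stores these independently of the directory, so they are
    not cleaned up automatically; an administrator should review them.
    """
    return {u for u in user_role_map if u not in ldap_directory}


def explicit_only_roles(user, ldap_directory, group_role_map, user_role_map):
    """Roles a user holds only through an explicit mapping, i.e. roles
    that would remain even if every LDAP group membership were revoked."""
    return user_role_map.get(user, set()) - roles_from_groups(
        user, ldap_directory, group_role_map
    )


if __name__ == "__main__":
    print("configured:", sorted(configured_users(DEFAULT_REALM_USERS, EXTERNAL_USER_ROLES)))
    print("brian:", sorted(effective_roles("brian", LDAP_DIRECTORY, GROUP_ROLE_MAP, EXTERNAL_USER_ROLES)))
    # Simulate brian being removed from the LDAP "admin" group: the explicit
    # Deployment role stays, the group-derived Administrator role goes away.
    changed = dict(LDAP_DIRECTORY, brian=set())
    print("brian after group change:", sorted(effective_roles("brian", changed, GROUP_ROLE_MAP, EXTERNAL_USER_ROLES)))
    print("stale mappings:", stale_external_mappings({"brian": {"Deployment"}, "dave": {"Developer"}}, LDAP_DIRECTORY))
```

The audit helpers are the part worth keeping around: `stale_external_mappings` finds explicit mappings left behind for users who have been removed from the directory, and `explicit_only_roles` lists the privileges that LDAP group changes alone will never revoke, which is exactly the set that should be reviewed whenever someone's responsibilities change.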