8.9. Mapping Internal Roles for External Users

If you are unable to map all of the roles to LDAP groups, you can always augment the role information by adding a specific user-role mapping for an external LDAP user in the repository manager. In other words, if you need to make sure that a specific user in LDAP gets a specific role and you don’t want to model this as a group membership, you can add a role mapping for an external user in the repository manager.

The repository manager keeps track of this association independent of your LDAP server. It continues to delegate authentication to the LDAP server for this user. The repository manager will continue to map the user to roles based on the group element mapping you have configured, but it will also add any roles specified in the User panel. You are augmenting the role information that the repository manager gathers from the group element mapping.

Once the user and group mapping has been configured, click on the Users link under Security in the main menu. The Users tab is going to contain all of the configured users for this repository manager instance as shown in Figure 8.9, “Viewing All Configured Users”. A configured user is a user in a repository manager realm or an External User that has an explicit mapping to a role. In Figure 8.9, “Viewing All Configured Users”, you can see the three default users in the default realm plus the brian user from LDAP. The brian user appears because this user has been mapped to an internal role.


Figure 8.9. Viewing All Configured Users

The list of users in Figure 8.9, “Viewing All Configured Users” is a combination of all of the users in the default realm and all of the External Users with role mappings. To explore these two sets of users, click on the All Configured Users drop-down and choose Default Realm Users. Once you select this, click in the search field and press Enter. Searching with a blank string in the Users panel will return all of the users of the selected type. In Figure 8.10, “All Default Realm Users” you see a dialog containing all three default users from the default realm.


Figure 8.10. All Default Realm Users

If you wanted to see a list of all LDAP users, select LDAP from the All Configured Users drop-down shown in Figure 8.9, “Viewing All Configured Users” and click on the search button (magnifying glass) with an empty search field. Clicking search with an empty search field will return all of the LDAP users as shown in Figure 8.11, “All LDAP Users”.


Note that the user tobrien does not show up in the All Configured Users list. This is by design. The repository manager is only going to show you information about users with external role mappings. If an organization has an LDAP directory with thousands of developers, the repository manager doesn’t need to retain any configuration information for users that don’t have custom role mappings.


Figure 8.11. All LDAP Users

To add a mapping for an external LDAP user, you would click on the All Configured Users drop-down and select LDAP. Once you’ve selected LDAP, type in the user ID you are searching for and click the search button (magnifying glass icon to right of the search field). In Figure 8.12, “Search LDAP Users”, a search for "brian" yields one user from the LDAP server.


Figure 8.12. Search LDAP Users

To add a role mapping for the external user brian shown in Figure 8.12, “Search LDAP Users”, click on the user in the results table and drag a role from Available Roles to Selected Roles as shown in Figure 8.13, “Mapping the Deployment Role to an External User”. In this case, the user "brian" is mapped to the Administrative group by virtue of his membership in an "admin" group in the LDAP server. In this use case, an administrator would like to grant Brian the Deployment Role without having to create a LDAP group for this role and modifying his group memberships in LDAP


Figure 8.13. Mapping the Deployment Role to an External User

The end result of this operation is to augment the Group-Role mapping that is provided by the LDAP integration. You can use LDAP groups to manage coarse-grained permissions to grant people administrative privileges and developer roles, and if you need to perform more targeted privilege assignments in the repository manager you can Map LDAP users to roles with the techniques shown in this section.