Differences

This shows you the differences between two versions of the page.

--- technical:ldap-integration-rba [2025/06/08 05:10] – [Required Packages] system
+++ technical:ldap-integration-rba [2025/06/08 06:35] (current) – [Adjusting the rights of a role] system
@@ Line 25: / Line 25: @@
 -----------------
-====== LDAP Authentication Process ======
+====== LDAP group to RBA mapping ======
-===== Bind (Initial Connection) =====
+===== Common Settings =====
-  - **Client connects:** The LDAP client (e.g., a user authentication script) connects to the LDAP server.
+<panel type="primary">
-  - **Bind request:** The client sends a bind request to the server, which includes the username (or DN) and password.
+{{:technical:ldap:ldap_rba_common.png|}}
-  - **Server authenticates:** The server checks the username and password against its stored credentials.
+</panel>
-  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful connection.
+  * The LDAP group to RBA mapping is optional functionality available as a complement to the standard LDAP integration.
+  * To ensure that the LDAP user has a pleasant experience the first time they log in, we pre-define the default Cloud and Realm they will be assigned to.
+  * As stated earlier, we also give the option to specify the attribute that will contain the groups the user belongs to.
+  * The recommended value is //memberof//, all in lowercase.
-===== Search =====
+-----------------
-  - **Search request:** The client sends a search request to the server, specifying the search base, scope, filter, and attributes to retrieve.
+===== Admin =====
-  - **Server searches:** The server searches its directory based on the client's request.
+<panel type="primary">
-  - **Search response:** The server responds with a search response, containing the matching entries and their attributes.
+{{:technical:ldap:ldap_rba_admin.png|}}
+</panel>
+   * The Admin role will typically include the most components to include.
-===== Bind on Search Result with Password =====
+-----------------
-  - **Client selects entry:** The client selects an entry from the search results.
+===== Operator =====
-  - **Client extracts DN:** The client extracts the DN (distinguished name) from the selected entry.
-  - **Bind request with DN and password:** The client sends a new bind request to the server, using the extracted DN and the user-provided password.
-  - **Server authenticates:** The server checks the DN and password against its stored credentials.
-  - **Bind response:** If the credentials are valid, the server responds with a bind response, indicating a successful authentication.
-----------
-----------
-====== Configure LDAP ======
-  * LDAP Integration is configured under the settings tab.
-  * One item that needs a bit more explanation is Filter.
-  * The filter contains a special character (**%s**) which will be substituted with the username that the user provide to log in.
-  * For active directory it will typically be **(&(objectClass=user)(samaccountname=%s))**.
-  * This filter will be applied when searching to find the DN of the user who needs to be authenticated.
 <panel type="primary">
-{{:technical:ldap:ldap_settings.png|}}
+{{:technical:ldap:ldap_rba_operator.png|}}
 </panel>
+  * The Operator role will typically have less components selected compared to the Admin role, but more components then the View role.
----------
+-----------------
+===== View =====
-====== Test LDAP Settings ======
-  * There is also a **Test LDAP Settings** Button that helps you to test the LDAP settings to ensure they work as intended.
-  * The tests that will be done will be matching the **LDAP Authentication Process** described earlier on this page.
 <panel type="primary">
-{{:technical:ldap:ldap_settings_test.png|}}
+{{:technical:ldap:ldap_rba_view.png|}}
 </panel>
+  * The View role will typically have the least components selected of the available three roles.
+---------
+====== Adjusting the rights of a role ======
+  * Should you need to adjust the rights for one of the roles, there is a dedicated section in the Wiki which covers that topic.