Mapping LDAP Attribute Values to Roles
Set the property spectrum.ldap.attribute.roles to enable the mapping of attributes to user roles.
Before performing this procedure you must enable LDAP authentication. If you are using the Spatial Module, this also includes modifying the Jackrabbit configuration file. For more information, see Using LDAP or Active Directory for Authentication.
When you configure Spectrum™ Technology Platform to use LDAP or Active Directory for authentication, one of the configuration properties that you configure (the spectrum.ldap.attribute.roles property in the file spectrum-config-ldap.properties) specifies an LDAP attribute whose values determine the role to grant to a user. By default, the attribute values must match the Spectrum™ Technology Platform role names exactly in order for the role to be granted. For example, to grant the designer role, the attribute you specify must contain the value designer.
If the LDAP attribute value that you want to use does not match the role name in Spectrum™ Technology Platform, you can map the LDAP attribute value to a role name. You can also map an LDAP attribute value that has the same name as a Spectrum™ Technology Platform role to a different role. For example, one of the built-in roles is designer. If you have an LDAP attribute value named designer but you want it to map to another role, you could create a mapping.
Users who have the LDAP attribute will now be granted the role you specified when they log in to Spectrum™ Technology Platform.
To remove a mapping, enter the LDAP attribute you want to unmap in the ldapValue field in the removeMapping section.
Example
Assume that you want to use a value in the gecos attribute to assign a role in Spectrum™ Technology Platform. If gecos contains the value data-quality-user, you want to grant the user the designer role when logging in to Spectrum™ Technology Platform.
To accomplish this, you would specify the gecos attribute as the attribute used to assign roles by adding this line to the file spectrum-config-ldap.properties:
spectrum.ldap.attribute.roles=gecos
Then, you would map the data-quality-user value to the designer role in the JMX console:
As a result, any user that has the value data-quality-user in the gecos attribute will be granted the role designer.
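The following Python model, added here as an illustration and not part of the Spectrum™ Technology Platform product or its documentation, walks through the rule described on this page: an attribute value grants a role only if it matches a role name exactly, unless an explicit mapping redirects that value to another role, and removing the mapping restores the default exact-match behaviour. The properties text, the LDAP entry and the role set (apart from the built-in designer role) are constructed sample data.

```python
# Added model of the role-resolution rule described on this page.
# This is NOT Spectrum Technology Platform code; it imitates the documented
# behaviour (exact match by default, value-to-role mappings, removeMapping)
# so the effect of a mapping can be checked offline before it is applied.

from typing import Dict, Iterable, List, Set

# Constructed sample of the relevant line in spectrum-config-ldap.properties.
SAMPLE_PROPERTIES = """
# constructed sample, not a real configuration file
spectrum.ldap.attribute.roles=gecos
"""

# Hypothetical role names defined on the platform; "designer" is the built-in
# role named on the page, the others are placeholders for this example.
PLATFORM_ROLES: Set[str] = {"admin", "designer", "user"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, comments, blanks."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


class RoleMapper:
    """Holds LDAP value -> role mappings (the addMapping / removeMapping idea)."""

    def __init__(self) -> None:
        self._mappings: Dict[str, str] = {}

    def add_mapping(self, ldap_value: str, role: str) -> None:
        # Refuse to map to a role that does not exist on the platform.
        if role not in PLATFORM_ROLES:
            raise ValueError(f"unknown role: {role}")
        self._mappings[ldap_value] = role

    def remove_mapping(self, ldap_value: str) -> None:
        # removeMapping is keyed by the LDAP attribute value to unmap.
        self._mappings.pop(ldap_value, None)

    def resolve_roles(self, attribute_values: Iterable[str]) -> List[str]:
        """Roles granted at login for the values of the configured attribute.

        A mapped value grants the mapped role, even when the value is itself a
        role name. An unmapped value grants a role only if it equals a platform
        role name exactly (case-sensitive); any other value grants nothing.
        """
        granted: Set[str] = set()
        for value in attribute_values:
            if value in self._mappings:
                granted.add(self._mappings[value])
            elif value in PLATFORM_ROLES:
                granted.add(value)
        return sorted(granted)


def roles_for_entry(mapper: RoleMapper, properties: Dict[str, str],
                    ldap_entry: Dict[str, List[str]]) -> List[str]:
    """Read the configured attribute from an LDAP entry and resolve its roles."""
    attr = properties["spectrum.ldap.attribute.roles"]
    return mapper.resolve_roles(ldap_entry.get(attr, []))


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    mapper = RoleMapper()
    mapper.add_mapping("data-quality-user", "designer")
    # Constructed LDAP entry carrying the value from the page's example.
    entry = {"uid": ["jdoe"], "gecos": ["data-quality-user"]}
    print(roles_for_entry(mapper, props, entry))  # ['designer']
```

Because the configured attribute becomes the source of authorization decisions, a practitioner would also confirm in the directory who is permitted to write that attribute (gecos in the example) and review its existing values: a stale or user-editable value that matches a role name, or a mapped value, grants the corresponding role at the next login.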