Mapping LDAP Attribute Values to Roles
Set the property spectrum.ldap.attribute.roles to enable the mapping of attributes to user roles.
Before performing this procedure you must enable LDAP authentication. If you are using Spectrum Spatial, this also includes modifying the Jackrabbit configuration file. For more information, see Using LDAP or Active Directory for Authentication.
When you configure Spectrum Technology Platform to use LDAP or Active Directory for authentication, one of the configuration properties that you configure (the spectrum.ldap.attribute.roles property in the file spectrum-config-ldap.properties) specifies an LDAP attribute whose values determine the role to grant to a user. By default, the attribute values must match the Spectrum Technology Platform role names exactly in order for the role to be granted. For example to grant the designer role, the attribute you specify must contain the value designer.
If the LDAP attribute value that you want to use does not match the role name in Spectrum Technology Platform, you can map the LDAP attribute value to a role name. You can also map an LDAP attribute value that has the same name as a Spectrum Technology Platform role to a different role. For example, one of the built-in roles is designer. If you have an LDAP attribute value named designer but you want it to map to another role, you could create a mapping.
-
Open a web browser and go to
http://server:port/jmx-console
Where:
server is the IP address or host name of your Spectrum Technology Platform server.
port is the HTTP port used by Spectrum Technology Platform. The default is 8080.
-
Click this property:
com.pb.spectrum.platform.common.security.role:mappings=RoleMappings
Note: This property is only visible after you enable LDAP authentication and the server is fully started. If you have not enabled LDAP authentication, see Using LDAP or Active Directory for Authentication. - In the addMapping section, in the ldapValue field, enter the LDAP attribute value that you want to map to a Spectrum Technology Platform role.
- In the roleName field, enter the Spectrum Technology Platform role that you want to map to the LDAP attribute value.
- Click Invoke.
Users who have the LDAP attribute will now be granted the role you specified when they long in to Spectrum Technology Platform.
To remove a mapping, enter the LDAP attribute you want to unmap in the ldapValue field in the removeMapping section.
Example
Assume that you want to use a value in the gecos attribute to assign a role in Spectrum Technology Platform. If gecos contains the value data-quality-user, you want to grant the user the designer role when logging in to Spectrum Technology Platform.
To accomplish this, you would specify the gecos attribute as the attribute to use assign roles by specifying this in the file spectrum-config-ldap.properties:
spectrum.ldap.attribute.roles=gecos
Then, you would map the data-quality-user value to the designer role in the Spectrum JMX console:
As a result, any user that has the value data-quality-user in the gecos attribute will be granted the role designer.