LDAP Groups HOWTO (Obsolete)

Last modified 26 Oct 2021 23:50 +02:00
This functionality is obsolete. It is no longer supported or maintained.

This HOWTO applies only to midPoint versions 2.2 and earlier. Version 3.0 will introduced the mechanism of Entitlements which makes handling of groups much easier.

Setup for LDAP Groups are quite difficult to figure out because they are slightly unlinke the groups in most other systems. LDAP groups are (almost) ordinary LDAP objects. But the group membership is an attribute of an group, not an attribute of an account. This makes it quite difficult to manage group membership just by looking at the user attributes. The membership information will not be there.

There is hack in the LDAP connector to make the group management feasible even by looking at LDAP account. The LDAP connector has a hidden attribute ldapGroups that contains a list of groups that the use belongs to. This is compiled by the connector by actually searching for all the groups in LDAP. It can also be used to modify the group membership. Adding or removing an value of this attribute will result in modification of the group membership list.

The ldapGroups attribute is hidden and connector does not even reveal it in resource schema. Therefore the resource schema needs to be manually modified to make this attribute "exist". Open the resource in XML editor, scroll down to <schema> element and find a definition for AccountObjectClass object class. Add a definition of the ldapGroups attribute as follows:

        <xsd:complexType name="AccountObjectClass">
                  <xsd:element minOccurs="0" ref="icfs:uid">
                           <a:displayName>ICF UID</a:displayName>
                  <xsd:element maxOccurs="unbounded" minOccurs="0" name="ldapGroups" type="xsd:string"/>

Note: Due to some glitches in the existing code the system may need a restart to make sure that this schema change is applied. Sorry for the inconvenience, we are working hard on the solution.

Now the ldapGroups attribute may be used as a ordinary account attribute. It is mult-valued attribute that contains DNs of the LDAP groups that the account should be a member of. The LDAP connector assumes that these will be groupOfUniqueName and therefore the membership attribute will be uniqueMember. If other grouping mechanism is used the membership attribute can be changed using groupMemberAttribute connector configuration parameter.

The ldapGroups attribute is not fetched by default by the connector. Therefore it will not appear in the account form even if it has some values. This makes it impractical for manual management of the group membership. But the attribute works as expected when used in a role definition which is also the most common form us usage:

    <name>Full Time Employee</name>
    		<resourceRef oid="12c78a70-76b7-11e2-9cb3-001e8c717e5b" type="c:ResourceType"/>

Also make sure that you have correctly set up the group membership attribute in connector configuration:

Was this page helpful?
Thanks for your feedback