Role mapping – HP IO Accelerator for BladeSystem c-Class User Manual


Adding and editing LDAP providers 28

Role mapping

Connection and User Mapping configure the way a username is mapped to an LDAP entry. Role Mapping
configures the ways in which users are granted roles.
Role Mapping Rules are used to place a user into one or more roles in the HP IO Accelerator Management
Tool: User, Device Admin, or Server Admin.
Each role mapping is essentially an LDAP search specification along with a Role. When the search
specification is true (returns one or more entries) for a user, then that user is granted the Role.
To create a new role mapping:

1. Click Add Role Mapping.

2. Enter a name for this mapping in the Name field. This name lets you identify the role mapping later if
you decide to edit it. For example: Administrators.

3. Enter a DN in the Search Base DN field.
This could be the DN of some container, or a specific DN such as that of a group, for example,
CN=administrators,OU=groups,DC=example,DC=com. The special value ${dn} can be used to set the
search base DN to the user's own LDAP entry. This is useful when creating a role mapping based on the
user's attributes, such as memberOf.

4. Enter an LDAP search filter in the Search Filter field.
The search filter can contain the special values ${username}, which is replaced by the name the user
logged in with, or ${dn}, which is replaced by the DN of the logged-in user's LDAP entry. For example,
a search filter of (member=${dn}) matches entries that have a member attribute whose value is the
logged-in user's DN (common in group entries).

5. Set the Scope.
If the Search Base DN names a specific entry in the LDAP tree, the scope should be Base level; otherwise
it should be either Subtree or One level. Base level is the most restrictive choice, because the search can
only ever match the named entry; with Subtree, any entry beneath the base that satisfies the filter grants
the role.

6. Choose the Role to be granted to users meeting the search criteria. For example, if the search criteria
match users who are listed in an LDAP group entry full of administrators, set the role to Server Admin.

7. Click Add Role Mapping.

Example Role Mappings
Following are some examples of role mappings that might be configured for different LDAP directory
deployments:
Members of the Administrator group are in role Server Admin

1. Set the Search Base DN field to the Administrators group entry. For example:
CN=administrators,OU=groups,DC=example,DC=com.

2. Set the Search Filter to (member=${dn}) (typical for AD) or (uniqueMember=${dn}) (typical for
non-AD directories). If you are unsure which attribute holds the members of the group, you can use the
search filter (|(member=${dn})(uniqueMember=${dn})).

3. Set the Scope to Base level.

4. Set the Role to Server Admin.
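The procedure above and this group-membership example can be exercised offline with the following Python model. It is added here as an illustration and is not part of the HP manual or of the Management Tool's code. It treats a mapping as base DN, scope, filter template and role, substitutes ${dn} and ${username}, runs the search against a small constructed in-memory directory (the users alice and bob, an AD-style administrators group and a non-AD operators group are all invented), and returns the roles granted. Two details are worth reading closely: substituted values are escaped per RFC 4515 so that a DN or login name containing filter metacharacters is matched literally rather than altering the filter, which is a property to verify in any implementation that substitutes user-derived values into a filter, and the scope rules, under which a Base level search against a specific group DN can only match that one entry while One level or Subtree against a container can match any entry beneath it that satisfies the filter.

```python
"""Toy evaluator for LDAP role mappings: an added example, not HP's code.
A mapping is an LDAP search (base DN, scope, filter template) plus a role; the
role is granted when the search returns at least one entry for the user."""
import re
from dataclasses import dataclass

# Constructed sample directory: DN -> {attribute (lower-cased): [values]}
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"],
        "memberof": ["CN=administrators,OU=groups,DC=example,DC=com"]},
    "cn=bob,ou=people,dc=example,dc=com": {"objectclass": ["person"]},
    "cn=administrators,ou=groups,dc=example,dc=com": {"objectclass": ["group"],  # AD style
        "member": ["CN=alice,OU=people,DC=example,DC=com"]},
    "cn=operators,ou=groups,dc=example,dc=com": {"objectclass": ["groupOfUniqueNames"],
        "uniquemember": ["cn=bob,ou=people,dc=example,dc=com"]},    # non-AD style
}

@dataclass
class RoleMapping:
    name: str
    base_dn: str        # may contain ${dn}
    search_filter: str  # may contain ${dn} and ${username}
    scope: str          # "base", "one" or "sub"
    role: str           # "User", "Device Admin" or "Server Admin"

def escape_filter_value(value):
    """RFC 4515 escaping so a substituted DN/username cannot add filter clauses."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset role mappings need: (attr=value), (&...), (|...)."""
    def parse(pos):
        if text[pos] != "(": raise ValueError("expected '(' at %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos, children = text[pos], pos + 1, []
            while text[pos] == "(":
                node, pos = parse(pos)
                children.append(node)
            if text[pos] != ")": raise ValueError("expected ')' at %d" % pos)
            return (op, children), pos + 1
        end = text.index(")", pos)          # safe: ')' inside a value is escaped
        attr, raw = text[pos:end].split("=", 1)
        return ("=", attr.lower(), unescape_filter_value(raw)), end + 1
    node, pos = parse(0)
    if pos != len(text): raise ValueError("trailing characters after filter")
    return node

def matches(node, attrs):
    if node[0] == "=":   # case-insensitive equality, as for DN-valued attributes
        return any(v.lower() == node[2].lower() for v in attrs.get(node[1], []))
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    return any(matches(c, attrs) for c in node[1])   # "|"

def normalize_dn(dn):
    """Lower-case and strip spaces around commas; assumes no escaped commas."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def in_scope(entry_dn, base_dn, scope):
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if scope == "base":     # exactly the named entry (use for a specific group DN)
        return entry == base
    if scope == "one":      # direct children of the base only
        return entry.endswith("," + base) and "," not in entry[:-len(base) - 1]
    if scope == "sub":      # the base and everything beneath it
        return entry == base or entry.endswith("," + base)
    raise ValueError("unknown scope: " + scope)

def roles_for(directory, mappings, username, user_dn):
    """Set of roles the mappings grant to the logged-in user."""
    granted = set()
    for m in mappings:
        base = m.base_dn.replace("${dn}", user_dn)  # a DN, not a filter: no escaping
        filt = (m.search_filter.replace("${username}", escape_filter_value(username))
                               .replace("${dn}", escape_filter_value(user_dn)))
        node = parse_filter(filt)
        if any(in_scope(dn, base, m.scope) and matches(node, attrs)
               for dn, attrs in directory.items()):
            granted.add(m.role)
    return granted

# Constructed mappings following the manual's examples.
MAPPINGS = [
    RoleMapping("Administrators", "CN=administrators,OU=groups,DC=example,DC=com",
                "(|(member=${dn})(uniqueMember=${dn}))", "base", "Server Admin"),
    RoleMapping("Operators", "OU=groups,DC=example,DC=com", "(uniqueMember=${dn})",
                "one", "Device Admin"),
    RoleMapping("Everyone", "${dn}", "(objectClass=person)", "base", "User"),
]

if __name__ == "__main__":
    for user, dn in [("alice", "CN=alice,OU=people,DC=example,DC=com"),
                     ("bob", "cn=bob,ou=people,dc=example,dc=com")]:
        print(user, sorted(roles_for(DIRECTORY, MAPPINGS, user, dn)))
```

Run as a script it prints the roles for the two constructed users: alice receives Server Admin through the administrators group and User through the ${dn} mapping, bob receives Device Admin through the operators group. A mapping with Search Base DN ${dn}, Base level scope and filter (memberOf=CN=administrators,OU=groups,DC=example,DC=com) grants alice Server Admin from her own memberOf attribute instead of from the group entry, which is the attribute-based approach mentioned under step 3.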

Members of the Administrator group are in role Server Admin (alternate AD config)
