II. C. Derive Authorizations from Entry

Last updated January 22, 2013. Created by johnbarclay on March 25, 2012.
Edited by larsmw.

How "Derive from Entry" Works:

  1. The group entries under consideration are those listed in the II.C. authorization configuration under "LDAP DNs containing...".
  2. Each of these groups that has the user's DN as a member is added to the user's authorizations.
  3. If "nested" is selected, child groups are searched recursively. If the user is a member of a child group, the ancestor group in "LDAP DNs containing..." is added to authorizations.

Which LDAPs should use the "Derive from Entry" approach?

This scenario is most applicable to UNIX LDAP environments. In this scenario, the LDAP groups are stored as objects with their members represented by a multivalued attribute. That attribute's name might be: member, memberUid, uniquemember, etc. That attribute's value might be the DN or CN of another group or user. LDAPs that use the memberOf overlay should use option II.B.

What nested groups mean in the "Derive from Entry" approach

If the user is a member of a child group, the ancestor group in "LDAP DNs containing..." is added to authorizations. That is, if jdoe belongs to the bakers group and the bakers group is a member of the "food workers" group, jdoe's authorization will be "food workers" (provided "food workers" is listed in "LDAP DNs containing...").

Step by Step walkthrough

Configuration and Sample Data (for further understanding)

The following group entries exist in LDAP (shown in the array form PHP's ldap_get_entries() returns, wrapped here so the sample is a complete PHP fragment):

    <?php
    $group_entries = array(
      array(
        'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
        'objectclass' => array(0 => 'groupofuniquenames', 'count' => 1),
        'uniquemember' => array(
          0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
        ),
      ),
      array(
        'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
        'objectclass' => array(0 => 'groupofuniquenames', 'count' => 1),
        'uniquemember' => array(
          0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
          1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
          2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
        ),
      ),
    );

Option II.C. is checked, with these settings:

  1. LDAP DNs containing...:

     cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu
     cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu

  2. "dn" or attribute holding previous list: dn
  3. Attribute holding: uniquemember
  4. "dn" or User LDAP Entry attribute held in 3.: dn
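The three steps of "Derive from Entry" (with and without "nested") applied to the sample entries and configuration above, as an added example written for this page rather than code from the LDAP module itself. The group entries and user DNs are constructed from the sample data; the cycle guard is an added safeguard, since LDAP does not prevent group A from listing group B and group B from listing group A.

```python
# Added example, not the Drupal LDAP module's own code.
# Constructed data mirroring the two sample group entries: group DN -> uniquemember values.
GROUP_ENTRIES = {
    'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu': [
        'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
    ],
    'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu': [
        'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
        'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
        'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
    ],
}

# The "LDAP DNs containing..." list from the walkthrough configuration.
CONFIGURED_GROUPS = [
    'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
    'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
]


def norm(dn):
    """LDAP DNs are not case sensitive, so compare them case-folded."""
    return dn.lower()


def members_of(group_dn, entries):
    """Return the member values of a group entry, or [] if the group is unknown
    (e.g. cn=sysadmins above is referenced but has no entry of its own)."""
    for dn, members in entries.items():
        if norm(dn) == norm(group_dn):
            return members
    return []


def user_in_group(user_dn, group_dn, entries, nested, seen=None):
    """Step 2 (direct member) and step 3 (nested: recurse into child groups).
    `seen` stops infinite recursion when group membership forms a cycle."""
    seen = set() if seen is None else seen
    if norm(group_dn) in seen:
        return False
    seen.add(norm(group_dn))
    for member in members_of(group_dn, entries):
        if norm(member) == norm(user_dn):
            return True
        if nested and user_in_group(user_dn, member, entries, nested, seen):
            return True
    return False


def derive_authorizations(user_dn, configured_groups, entries, nested):
    """Step 1: only configured groups can become authorizations; keep those containing the user."""
    return [g for g in configured_groups if user_in_group(user_dn, g, entries, nested)]
```

With "nested" off, joeprogrammer gets only "developers"; with it on, he also gets "it", because "developers" is a uniquemember of "it" and "it" is in the configured list.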

Visual Breakdown of Configuration

(image: ldap_authorization_strategy_IIC.png, breakdown of ldap config terms)

The unit tests in the files under /ldap/ldap_authorization/tests/DeriveFromEntry also illustrate this method.

See also http://drupal.org/node/118112 for Drupal 6 LDAP Integration mapping explanations

About this page

Audience
Programmers, Site administrators
Keywords
II.C., LDAP Authorization, ldap entry, nested groups
