# Plugin Role Configuration Examples

The test data used for the examples on this page is as follows:

### User data

| cn | sAMAccountName | distinguishedName | memberOf | homeOffice |
|---|---|---|---|---|
| Bob Ford | bford | CN=Bob Ford,OU=Employees,DC=example,DC=com | CN=admins,OU=Groups,DC=example,DC=com | New York |
| Alice Poirot | apoirot | CN=Alice Poirot,OU=Employees,DC=example,DC=com | CN=devs-1,OU=Groups,DC=example,DC=com | Chicago |
| Sarah Banks | sbanks | CN=Sarah Banks,OU=Employees,DC=example,DC=com | CN=devs-2,OU=Groups,DC=example,DC=com | New York |
| Phillip Banks | pbanks | CN=Phillip Banks,OU=Employees,DC=example,DC=com | CN=devs-1,OU=Groups,DC=example,DC=com | Boston |
| Service Account | svc_acc | CN=Service Account,OU=infra,DC=example,DC=com | CN=infra,OU=infra,DC=example,DC=com | (none) |

### Group data

| cn | distinguishedName | member |
|---|---|---|
| admins | CN=admins,OU=Groups,DC=example,DC=com | CN=Bob Ford,OU=Employees,DC=example,DC=com |
| all-devs | CN=all-devs,OU=Groups,DC=example,DC=com | CN=devs-1,OU=Groups,DC=example,DC=com<br>CN=devs-2,OU=Groups,DC=example,DC=com |
| devs-1 | CN=devs-1,OU=Groups,DC=example,DC=com | CN=Alice Poirot,OU=Employees,DC=example,DC=com<br>CN=Phillip Banks,OU=Employees,DC=example,DC=com |
| devs-2 | CN=devs-2,OU=Groups,DC=example,DC=com | CN=Sarah Banks,OU=Employees,DC=example,DC=com |
| infra | CN=infra,OU=infra,DC=example,DC=com | CN=Service Account,OU=infra,DC=example,DC=com |

Note that `all-devs` contains the groups `devs-1` and `devs-2` as members, not users. No user entry lists `all-devs` in its `memberOf` attribute.

## Map users to a role using the UserGroupMembershipAttribute and GroupIdentifiers

### Scenario 1: Map a role to a user using the memberOf attribute on the user

With the following plugin role configuration, users Alice Poirot and Phillip Banks get the `go-devs` role, as both have a `memberOf` attribute with the value `CN=devs-1,OU=Groups,DC=example,DC=com`. Only the values present on the user entry are compared: `memberOf` lists direct group memberships, so a user who belongs to `devs-1` only through a nested group would not match.

[Image: Go devs role configuration]

### Scenario 2: Map a role to a user using the memberOf attribute on the user with multiple group identifiers

With the following plugin role configuration, users Alice Poirot, Sarah Banks and Phillip Banks get the `all-devs` role. Alice Poirot and Phillip Banks have `memberOf` `CN=devs-1,OU=Groups,DC=example,DC=com`, while Sarah Banks has `memberOf` `CN=devs-2,OU=Groups,DC=example,DC=com`. A user matches if any of their attribute values equals any of the configured group identifiers.

[Image: All devs role configuration]

### Scenario 3: Map a role to a user using a custom attribute on the user

With the following plugin role configuration, users Sarah Banks and Bob Ford get the `pipeline-viewers` role, since both users have the attribute `homeOffice` with the value `New York`. Any user attribute can be used this way; bear in mind that whoever can write that attribute (for example through self-service profile editing or an HR sync) then controls membership of the role, so prefer attributes that are as tightly administered as group membership.

[Image: Pipeline viewers role configuration]

## Map users to a role using the GroupMembershipFilter and GroupSearchBases

### Scenario 4: Map a role to a user using a group membership filter

With the following plugin role configuration, users Alice Poirot and Phillip Banks get the `view_user` role, since both users are members of the group `CN=devs-1,OU=Groups,DC=example,DC=com`. Here the plugin searches the configured search base with the filter and grants the role if a matching group entry is found, instead of reading an attribute from the user entry.

[Image: View user role configuration]

### Scenario 5: Map a role to a user using groups from different OUs

With the following plugin role configuration, users Bob Ford and Service Account get the `go-admins` role, since the group `admins` (under `OU=Groups`) has Bob Ford as a member and the group `infra` (under `OU=infra`) has Service Account as a member. Each configured search base is searched with the same filter, so groups living in different OUs can feed one role.

[Image: Go admins role configuration]

### Scenario 6: Map a role to a user using a nested group membership filter

With the following plugin role configuration, users Alice Poirot, Phillip Banks and Sarah Banks get the `all-devs` role, since each of them is a member of one of the child groups of `all-devs`.

Here the filter contains the number `:1.2.840.113556.1.4.1941:`, which is the OID of the LDAP_MATCHING_RULE_IN_CHAIN matching rule. With this rule the `member` comparison walks nested group membership (`all-devs` → `devs-1` → Alice Poirot) instead of comparing only the direct `member` values of the group. The rule is an Active Directory extension; a plain `member={dn}` filter against `all-devs`, or a `memberOf` comparison as in Scenario 2, would grant the role to nobody with this test data because no user is a direct member of `all-devs`. Documentation for LDAP_MATCHING_RULE_IN_CHAIN is available here.

[Image: All devs role configuration]

### Scenario 7: Map a role using the group membership attribute or the group membership filter

With the following plugin role configuration, the plugin first tries to assign the role using the group membership attribute; if that does not match, it checks the group membership filter. Users Service Account and Phillip Banks get the `Operators` role, since Service Account is a member of the group `CN=infra,OU=infra,DC=example,DC=com` (matched by the filter) and Phillip's `homeOffice` is `Boston` (matched by the attribute). Either path on its own is sufficient, so the role is the union of both mechanisms.

[Image: Operators role configuration]
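To see which users each of the seven scenarios actually grants, and how the two mechanisms differ on nested groups, here is an added example that models both mapping mechanisms over the test data above and evaluates a reconstructed configuration for every scenario. It is not code from the GoCD LDAP plugin. It assumes that the plugin replaces `{dn}` in GroupMembershipFilter with the authenticating user's DN, searches every GroupSearchBases entry with that filter and grants the role on any match, and that `memberOf` lists direct memberships only. The filters for scenarios 4 to 7 are this example's reconstructions of the configurations shown in the page's screenshots, which are not reproduced here; the filter evaluator supports only `&`, `|`, equality and the IN_CHAIN extensible match.

```python
import re

CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (Active Directory)
EMPLOYEES, GROUPS, INFRA = ("OU=Employees,DC=example,DC=com",
                            "OU=Groups,DC=example,DC=com", "OU=infra,DC=example,DC=com")

USERS = [  # constructed from the tables above: cn, sAMAccountName, container, memberOf, homeOffice
    ("Bob Ford", "bford", EMPLOYEES, f"CN=admins,{GROUPS}", "New York"),
    ("Alice Poirot", "apoirot", EMPLOYEES, f"CN=devs-1,{GROUPS}", "Chicago"),
    ("Sarah Banks", "sbanks", EMPLOYEES, f"CN=devs-2,{GROUPS}", "New York"),
    ("Phillip Banks", "pbanks", EMPLOYEES, f"CN=devs-1,{GROUPS}", "Boston"),
    ("Service Account", "svc_acc", INFRA, f"CN=infra,{INFRA}", None),
]
GROUP_MEMBERS = {  # group DN -> member DNs; all-devs contains groups, not users
    f"CN=admins,{GROUPS}": [f"CN=Bob Ford,{EMPLOYEES}"],
    f"CN=all-devs,{GROUPS}": [f"CN=devs-1,{GROUPS}", f"CN=devs-2,{GROUPS}"],
    f"CN=devs-1,{GROUPS}": [f"CN=Alice Poirot,{EMPLOYEES}", f"CN=Phillip Banks,{EMPLOYEES}"],
    f"CN=devs-2,{GROUPS}": [f"CN=Sarah Banks,{EMPLOYEES}"],
    f"CN=infra,{INFRA}": [f"CN=Service Account,{INFRA}"],
}
DIRECTORY = {}  # lower-cased DN -> {lower-cased attribute name: [values]}
for cn, uid, ou, group, office in USERS:
    DIRECTORY[f"cn={cn},{ou}".lower()] = {
        "objectclass": ["user"], "distinguishedname": [f"CN={cn},{ou}"], "samaccountname": [uid],
        "memberof": [group], "homeoffice": [office] if office else []}
for dn, members in GROUP_MEMBERS.items():
    DIRECTORY[dn.lower()] = {"objectclass": ["group"], "distinguishedname": [dn],
                             "cn": [dn.split(",")[0][3:]], "member": members}

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter subset (&, |, equality, extensible match) -> (node, end index)."""
    assert s[i] == "(", f"expected '(' at offset {i} of {s!r}"
    if s[i + 1] in "&|":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] != ")":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, value = s[i + 1:j].split("=", 1)
    return ("=", attr.lower(), value), j + 1

def _values(e, attr, rule):
    """Values of attr on entry e; under IN_CHAIN, follow attr transitively (all-devs -> devs-1 -> Alice)."""
    vals = {v.lower() for v in e.get(attr, [])}
    if rule != CHAIN_OID:
        return vals
    seen, todo = set(), list(vals)
    while todo:
        dn = todo.pop()
        if dn not in seen:
            seen.add(dn)
            todo.extend(v.lower() for v in DIRECTORY.get(dn, {}).get(attr, []))
    return seen

def matches(e, node):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(e, k) for k in node[1])
    attr, _, rule = node[1].rstrip(":").partition(":")  # "member:<oid>:" -> member, oid
    return node[2].lower() in _values(e, attr, rule)

def attribute_grants(e, attr, identifiers):
    """UserGroupMembershipAttribute / GroupIdentifiers: direct attribute values only, no expansion."""
    have = {v.lower() for v in e.get(attr.lower(), [])}
    return any(g.lower() in have for g in identifiers)

def filter_grants(user_dn, flt, bases):
    """GroupMembershipFilter / GroupSearchBases: {dn} -> user DN; any matching entry under a base grants."""
    node, _ = parse_filter(re.sub(r"\s*([()])\s*", r"\1", flt.replace("{dn}", user_dn)))
    return any(matches(e, node) for dn, e in DIRECTORY.items()
               if any(dn.endswith("," + b.lower()) for b in bases))

def role_config(attr=None, ids=(), flt=None, bases=()):
    """Plugin role configuration keyed by the plugin's property names."""
    return {"UserGroupMembershipAttribute": attr, "GroupIdentifiers": list(ids),
            "GroupMembershipFilter": flt, "GroupSearchBases": list(bases)}

def users_with_role(cfg):
    """Attribute mapping first, then the filter, as the page describes for scenario 7."""
    attr, ids = cfg["UserGroupMembershipAttribute"], cfg["GroupIdentifiers"]
    flt, bases = cfg["GroupMembershipFilter"], cfg["GroupSearchBases"]
    return {e["samaccountname"][0] for e in DIRECTORY.values() if e["objectclass"] == ["user"]
            and ((attr and attribute_grants(e, attr, ids))
                 or (flt and filter_grants(e["distinguishedname"][0], flt, bases)))}

SCENARIOS = {  # scenarios 1-7; the filters are this example's reconstructions, not the screenshots
    "go-devs": role_config("memberOf", [f"CN=devs-1,{GROUPS}"]),
    "all-devs": role_config("memberOf", [f"CN=devs-1,{GROUPS}", f"CN=devs-2,{GROUPS}"]),
    "pipeline-viewers": role_config("homeOffice", ["New York"]),
    "view_user": role_config(flt="(&(cn=devs-1)(member={dn}))", bases=[GROUPS]),
    "go-admins": role_config(flt="(&(|(cn=admins)(cn=infra))(member={dn}))", bases=[GROUPS, INFRA]),
    "all-devs-nested": role_config(flt=f"(&(cn=all-devs)(member:{CHAIN_OID}:={{dn}}))", bases=[GROUPS]),
    "all-devs-direct": role_config(flt="(&(cn=all-devs)(member={dn}))", bases=[GROUPS]),  # nobody
    "Operators": role_config("homeOffice", ["Boston"], "(&(cn=infra)(member={dn}))", [INFRA]),
}

if __name__ == "__main__":
    for role, cfg in SCENARIOS.items():
        print(f"{role:16} -> {sorted(users_with_role(cfg))}")
```

Running it prints the user set for each scenario. The two `all-devs` filter entries are the point of the exercise: the same group grants three users with the IN_CHAIN rule and nobody without it, and a `memberOf` mapping on `CN=all-devs,...` grants nobody either, because no user is a direct member. Before relying on a role configuration, confirm the intended user set the same way against the real directory, for example by running the substituted filter with `ldapsearch` under each search base for a user who should and a user who should not hold the role.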