From 7475906218213d6e69890f9f5b7be5eaa164ea3b Mon Sep 17 00:00:00 2001
From: Luke Taylor It obtains roles by
- *
- *
+ * performing a search for "groups" the user is a member of.
*
If the userRolesAttributes property is set, any matching attributes amongst those retrieved for the - * user will have their values added to the list of roles. If userRolesAttributes is null, no attributes will - * be mapped to roles.
*A typical group search scenario would be where each group/role is specified using the groupOfNames * (or groupOfUniqueNames) LDAP objectClass and the user's DN is listed in the member (or * uniqueMember) attribute to indicate that they should be assigned that role. The following LDIF sample has * the groups stored under the DN ou=groups,dc=acegisecurity,dc=org and a group called "developers" with - * "ben" and "marissa" as members:
dn: ou=groups,dc=acegisecurity,dc=orgobjectClass: top + * "ben" and "marissa" as members: + *+ * *dn: ou=groups,dc=acegisecurity,dc=orgobjectClass: top * objectClass: organizationalUnitou: groupsdn: cn=developers,ou=groups,dc=acegisecurity,dc=org * objectClass: groupOfNamesobjectClass: topcn: developersdescription: Acegi Security Developers * member: uid=ben,ou=people,dc=acegisecurity,dc=orgmember: uid=marissa,ou=people,dc=acegisecurity,dc=orgou: developer - *+ *
The group search is performed within a DN specified by the groupSearchBase property, which should * be relative to the root DN of its InitialDirContextFactory. If the search base is null, group searching is * disabled. The filter used in the search is defined by the groupSearchFilter property, with the filter
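Review bot: In the class comment, the deleted userRolesAttributes paragraph was the only description of roles being taken from the user's own attributes. The replacement sentence now reads as if group search is the sole source ("performing a search for "groups" the user is a member of"), while the text after the LDIF sample still says "If the search base is null, group searching is disabled". If the userRolesAttributes property is removed from the class in this same change, the comment should state what authorities a user receives when groupSearchBase is null. If the property remains, keep its paragraph: otherwise an attribute-to-role mapping stays active without being documented, and someone configuring the populator from this Javadoc would not know that attribute values can grant roles.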