Scott Roth · Feb 12, 2018

Setting Authentication Roles from LDAP Group

I am working through trying to use ZAUTHENTICATE.mac and LDAP.mac to do delegated sign-on into Ensemble. In reading over the samples and the documentation, I am not clearly finding how to set the appropriate role from the LDAP group I return. Can someone help explain this part to me? If I have a user sign on, and I return a "Group" from the authentication, how do I get that to transform into the role I need for Ensemble?



With delegated logins, you need to return an array from ZAUTHENTICATE with all the properties you want the user to have, including their roles. This happens during login; you can't change the roles once login is over. The array used is Properties. To set the roles in this array, you would do something similar to:

set Properties("Roles")="ACustomRole"

This would set this user to have the role named ACustomRole.

Your code gets to decide what those roles are, and can do it based on the group you retrieved. For example, if you have a group named CacheAdmin and you want all members of that to get the %Manager role, you could do something like

if group="CacheAdmin" {set Properties("Roles")="%Manager"}

(Note that this code makes many assumptions that may not be true for you, such as that you want to overwrite Properties("Roles") instead of adding to it, and the name of the variable you're holding the group name in.)

If you want to add more than one role, you can use a comma-separated string, such as "%Manager,ACustomRole".
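As an added example (not code from the answer above or from the ZAUTHENTICATE sample), here is a helper you could place in ZAUTHENTICATE.mac that maps the groups LDAP returned to roles and appends them to Properties("Roles") as a comma-separated string instead of overwriting it, and skips duplicates. The MergeRoles label, the group names EnsUsers and CacheAdmin, and the group-to-role mapping are assumptions for illustration; your LDAP lookup supplies the real group list.

```objectscript
 ; Added example, not the original answer's code.
 ; Call from the ZAUTHENTICATE entry point once LDAP has returned the
 ; user's groups, passing Properties by reference so the caller sees the
 ; updated array:
 ;   set groups="CacheAdmin,EnsUsers"      ; constructed sample value
 ;   do MergeRoles(.Properties,groups)
MergeRoles(Properties,groups) PUBLIC {
    ; Assumed group -> role mapping; adjust to your directory and roles.
    ; Groups with no entry here grant nothing.
    set map("CacheAdmin")="%Manager"
    set map("EnsUsers")="ACustomRole"

    ; Record roles already present (e.g. set by earlier logic) so the
    ; same role is never added twice.
    set roles=$get(Properties("Roles"))
    for i=1:1:$length(roles,",") {
        set role=$piece(roles,",",i)
        if role'="" set have(role)=""
    }

    ; Walk the comma-separated group list and append each mapped role.
    for i=1:1:$length(groups,",") {
        set group=$piece(groups,",",i)
        if '$data(map(group)) continue
        set role=map(group)
        if $data(have(role)) continue
        set have(role)=""
        set roles=roles_$select(roles="":"",1:",")_role
    }

    ; Write the merged list back; ZAUTHENTICATE returns it at login time.
    set Properties("Roles")=roles
    quit
}
```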