Cumulus Roles
Optional feature! May not be available with your Cumulus configuration.
If you work with the role-based mode of the User Manager, you can define mappings from LDAP groups to Cumulus roles. With such a mapping in place, a user no longer needs an entry in the User Manager (a user record in your $Users catalog). All you need to do is define Cumulus roles and assign permissions to them. Assigning users to these roles is done by the role mapping of the LDAP Authenticator. All role assignments made by the LDAP Authenticator module are added to the roles already assigned to the user through a record in the $Users catalog.
The LDAP Authenticator supports different kinds of role mappings:
Automatic mapping of all LDAP groups to Cumulus roles by matching one of the group's attributes (e.g. the group's name)
This is the easiest way of mapping LDAP groups to Cumulus roles. All you need to do is give your Cumulus roles names that correspond to an attribute of an LDAP group. For example, you can name your Cumulus roles so that they match the "cn" attribute of your LDAP groups.
Manual mapping of groups to a Cumulus role
You can define additional mappings of specific LDAP groups to a specific Cumulus role, so that a user is assigned that role if he or she is a member of any or all of the given LDAP groups. For example, you can define a mapping that assigns the "CumulusAdmin" role to all users who are members of both the "Administrators" and the "Backup Operators" group.
To have the LDAP Authenticator support role mapping, you have to configure the following elements of the LDAP.xml file:
<ns:authenticator>
    <ns:search>
    <ns:roles>
        <ns:role-mapping>
The example LDAP.xml files are syntactically correct for the ActiveDirectory and OpenDirectory LDAP schemas. However, they contain placeholders for the names of Cumulus roles and LDAP groups. To make your version of LDAP.xml work, you only have to replace these placeholders with real values. If you use any LDAP schema other than ActiveDirectory or OpenDirectory, you also have to adapt the structure to the structure of your LDAP schema.
Automatic mapping can be used if the names of your Cumulus roles correspond to attribute values of your LDAP groups. The easiest way is to use the cn attribute of the LDAP group node to match the Cumulus role name.
Manual role mapping is based on rules that define which LDAP group memberships are mapped to a Cumulus role membership. These rules are defined using <ns:role-mapping> elements.
The membership conditions inside a <ns:role-mapping> element are combined with “and”. A user is assigned the role only if the user fulfils all conditions. See also the following example:
If you want to use “or” combinations, you simply add further <ns:role-mapping> elements for the same Cumulus role name. All role mapping elements for a role are combined with “or”. A user is assigned the role if the user fulfils the conditions of at least one <ns:role-mapping> element. See also the following example:
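To make the combination rules concrete, the following Python script is an added illustration of how LDAP group memberships resolve to Cumulus roles under the two mapping modes described above; it is not code from Cumulus or its LDAP Authenticator, and the role names, group names, user records and data structures in it are constructed for the illustration. It shows the automatic mapping (role name equals the group's cn), the “and” inside one role mapping, the “or” across several mappings for the same role, and the union with roles already held through the $Users catalog. It also refuses a mapping that lists no group condition, because such a rule would otherwise grant the role to every authenticated user.

```python
"""Added illustration (not Cumulus code) of LDAP-group-to-role resolution."""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# One manual rule: (Cumulus role, LDAP groups the user must ALL belong to).
# Several rules for the same role are alternatives ("or").
ManualRule = Tuple[str, FrozenSet[str]]


def automatic_roles(user_groups: Iterable[str], cumulus_roles: Iterable[str]) -> Set[str]:
    """Automatic mapping: grant a role whose name equals one of the user's
    LDAP group attribute values (here the group's cn)."""
    group_names = set(user_groups)
    return {role for role in cumulus_roles if role in group_names}


def manual_roles(user_groups: Iterable[str], rules: Iterable[ManualRule]) -> Set[str]:
    """Manual mapping: inside one rule every listed group is required ("and");
    any satisfied rule grants its role ("or" across rules)."""
    group_names = set(user_groups)
    granted: Set[str] = set()
    for role, required_groups in rules:
        if not required_groups:
            # An empty condition set would match every user; treat it as a
            # configuration error instead of silently granting the role.
            raise ValueError(f"role mapping for {role!r} has no group condition")
        if required_groups <= group_names:   # "and": all groups of this rule
            granted.add(role)                # "or": one matching rule suffices
    return granted


def resolve_roles(catalog_roles: Iterable[str], user_groups: Iterable[str],
                  cumulus_roles: Iterable[str], rules: Iterable[ManualRule]) -> Set[str]:
    """Roles from the $Users catalog record are kept; LDAP-derived roles are added."""
    return (set(catalog_roles)
            | automatic_roles(user_groups, cumulus_roles)
            | manual_roles(user_groups, rules))


# Constructed sample configuration (assumptions for the illustration).
CUMULUS_ROLES: List[str] = ["Editor", "Viewer", "CumulusAdmin"]
RULES: List[ManualRule] = [
    # CumulusAdmin requires BOTH groups ...
    ("CumulusAdmin", frozenset({"Administrators", "Backup Operators"})),
    # ... OR, by a second mapping for the same role, this single group.
    ("CumulusAdmin", frozenset({"Domain Admins"})),
]

# Constructed sample users: roles from their $Users record plus LDAP groups (cn).
SAMPLE_USERS: Dict[str, Dict[str, List[str]]] = {
    "alice": {"catalog_roles": [], "groups": ["Administrators", "Backup Operators", "Editor"]},
    "bob":   {"catalog_roles": [], "groups": ["Administrators"]},
    "carol": {"catalog_roles": [], "groups": ["Domain Admins"]},
    "dave":  {"catalog_roles": ["Viewer"], "groups": []},
}


def resolve_sample_users() -> Dict[str, Set[str]]:
    """Resolve every constructed sample user against the sample configuration."""
    return {
        name: resolve_roles(user["catalog_roles"], user["groups"], CUMULUS_ROLES, RULES)
        for name, user in SAMPLE_USERS.items()
    }


if __name__ == "__main__":
    for name, roles in sorted(resolve_sample_users().items()):
        print(f"{name}: {sorted(roles)}")
```

Running the script shows alice receiving Editor (automatic, via the cn) and CumulusAdmin (both required groups present), bob receiving nothing because only one of the two “and” conditions holds, carol receiving CumulusAdmin through the second mapping, and dave keeping the Viewer role from the $Users catalog with no LDAP addition.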