LDAP Group Condition

The LDAP Group condition allows you to assign a role based on whether the authenticating user is a member of a group. The value, an LDAP DN, must be a fully distinguished name of a group.

LDAP Group: Select [Current].

Comparison: Specify how you want the values compared. Select one of the following:

  • LDAP Group: Is Member of: Specifies that you want the condition to determine whether the user is a member of the specified group.

  • Comparison: Regular Expression: Matches: Specifies that you want the values compared as regular expressions.

Mode: If you selected Regular Expression: Matches as the comparison type, select one or more of the following:

  • Canonical Equivalence
  • Case Insensitive
  • Comments
  • Dot All
  • Multi-Line
  • Unicode
  • Unix Lines

For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Specify the second value for the comparison. If you select LDAP Group > Name of Identity Server Configuration > User Store Name, you can browse to the name of the LDAP group.

If you have more than 250 groups in your tree, you are prompted to enter an LDAP query string. In the text box, you need to add only the <strFilter> value for the query.

For example (the <strFilter> value, followed by the groups it returns):

  • admin*: Returns all groups that begin with admin, such as adminPR, adminBG, and adminWTH.
  • *test: Returns all groups that end with test, such as doctest, softtest, and securtest.
  • *low*: Returns all groups that have “low” in the name, such as low, yellow, and clowns.

For more information about the <strFilter> parameter, see RFC 2254 “LDAP Search Filter.”

If you select Data Entry Field as the value, you can specify the DN of the group in the text field. For example:

cn=managers,cn=users,dc=bcf2,dc=provo,dc=novell,dc=com
cn=manager,o=novell

Other values are possible. Your policy requirements determine whether they are useful.

Result on Condition Error: Specify what the condition returns when the comparison of the two values returns an error rather than the results of the comparison. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True.
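As an added illustration, and not code from Access Manager or from this page, the following Java sketch shows how the two comparison types and the Result on Condition Error setting can be evaluated against a user's group list. The class, method names and sample group DNs are constructed assumptions; the Mode check boxes listed above correspond to the java.util.regex.Pattern flags used here.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Constructed illustration of the LDAP Group condition; not product code.
public class LdapGroupCondition {

    // "Is Member of": compare the configured group DN with each group the user
    // belongs to. LdapName normalizes RFC 2253/4514 DNs, so differences in case,
    // quoting or whitespace do not produce a false mismatch. A malformed DN is a
    // condition error, so the configured Result on Condition Error is returned.
    static boolean isMemberOf(List<String> userGroups, String groupDn, boolean onError) {
        try {
            LdapName wanted = new LdapName(groupDn);
            for (String g : userGroups) {
                if (new LdapName(g).equals(wanted)) return true;
            }
            return false;
        } catch (InvalidNameException e) {
            return onError;
        }
    }

    // "Regular Expression: Matches": the Mode options map onto Pattern flags
    // (CASE_INSENSITIVE, UNICODE_CASE, DOTALL, MULTILINE, COMMENTS, CANON_EQ,
    // UNIX_LINES). An unparsable expression is a condition error.
    static boolean matchesRegex(List<String> userGroups, String regex, int flags, boolean onError) {
        try {
            Pattern p = Pattern.compile(regex, flags);
            for (String g : userGroups) {
                if (p.matcher(g).matches()) return true;
            }
            return false;
        } catch (PatternSyntaxException e) {
            return onError;
        }
    }

    public static void main(String[] args) {
        // Constructed sample memberships for one authenticating user.
        List<String> groups = List.of(
            "cn=Managers,cn=Users,dc=bcf2,dc=provo,dc=novell,dc=com",
            "cn=doctest,o=novell");
        int mode = Pattern.CASE_INSENSITIVE | Pattern.UNICODE_CASE;
        System.out.println("is member: " + isMemberOf(groups,
            "cn=managers,cn=users,dc=bcf2,dc=provo,dc=novell,dc=com", false));
        System.out.println("regex match: " + matchesRegex(groups, "cn=.*test,.*", mode, false));
        System.out.println("malformed DN, error -> false: " + isMemberOf(groups, "not a dn", false));
    }
}
```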