Tricky points while configuring LDAP in SUP
After struggling for a whole day to configure LDAP for Sybase Unwired Platform (SUP), here are a few things I noticed about the LDAP structure that I want to share from my experience.
If you have configured LDAP for any platform before, you will already know the LDAP structure a little. Different companies have different LDAP structures, so before starting the configuration we must know some fundamentals of LDAP attributes such as objectClass, groupType, objectCategory, etc.
In this tutorial I will not explain how to configure LDAP; I will just give a few tips on retrieving LDAP roles and assigning them to SUP roles.
The picture below shows successfully retrieved roles.
Let's see the roles in LDAP.
The main idea I want to explain lies here. In SUP, number 1 and number 2 both appear as roles, but they have different properties, and the point we should be careful about is which one to assign.
Let's investigate number 1:
The OU role contains CNs. Those CNs can be users or groups. In the picture above we see that four of them are groups and one is a user. I am using Apache Directory Studio just to be able to see the LDAP structure and attributes. One benefit of this tool is that it shows with an icon on the left whether a CN is a group or a user. But we should be aware of their properties as well. A CN that is a group has the property objectClass: group, so you can notice the difference. A CN that is a user may have the properties objectClass: contact, objectClass: user, objectClass: person.
If your user is inside the OU group and you assign that OU as the role in SUP, authentication will fail. This is the tricky part, because the OU does not have a “member” attribute.
Let's investigate the attributes of the number 2 role:
The CN group has a “member” attribute. The member attribute contains the LDAP users. On the SUP side, once you have assigned a role, SUP checks the member attribute to see whether it contains your user. If it does, you will be authenticated successfully.
Finally, since SUP checks the member attribute during authentication and OU groups do not have a member attribute, your assignable role must be a CN that is a group.
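To make the difference concrete, here is a small added model of the check described above (my own illustration, not SUP code): it parses a constructed LDIF sample with an OU container, a user under it and a group whose member attribute lists that user, then shows that the membership check succeeds for the CN group and fails for the OU. The DNs and the DC=example,DC=com suffix are made up for the example.

```python
"""Model of the SUP role check described above, run on a constructed LDIF sample."""

# Constructed sample directory (not a real one): an OU container holding one
# user and one group; only the group carries a "member" attribute.
SAMPLE_LDIF = """\
dn: OU=MobileRoles,DC=example,DC=com
objectClass: organizationalUnit
ou: MobileRoles

dn: CN=jdoe,OU=MobileRoles,DC=example,DC=com
objectClass: user
objectClass: person
cn: jdoe

dn: CN=SUPAdmins,OU=MobileRoles,DC=example,DC=com
objectClass: group
cn: SUPAdmins
member: CN=jdoe,OU=MobileRoles,DC=example,DC=com
"""

def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def is_assignable_role(entries, role_dn):
    """A role SUP can evaluate is a group object that carries a "member"
    attribute; an OU container is not, even if the user's entry lives under it."""
    entry = entries.get(role_dn, {})
    return "group" in entry.get("objectclass", []) and "member" in entry

def sup_role_check(entries, user_dn, role_dn):
    """Mirror the behaviour described in the post: only the role's "member"
    attribute is consulted, so the OU fails although the user sits inside it."""
    members = entries.get(role_dn, {}).get("member", [])
    return user_dn.lower() in (m.lower() for m in members)
```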
I hope this post will be helpful to you.