Filtering LDAP Groups

Overview

There are two main concepts when dealing with LDAP groups:

  • Ensuring group membership when importing remote Users
  • Controlling the groups which will be imported and used by Datameer

Enforcing Group Membership

To enforce that users are direct members of a specific group (or groups), configure this under the Query Options section of the Authentication configuration page:

Enter the fully qualified Distinguished Name (DN) of each group, one per line. After correctly configuring this, Datameer only accepts users with direct group membership in at least one of these groups. This query option doesn't limit which groups come into Datameer; it only enforces membership. That means for each qualifying user Datameer still imports all of that user's remote groups.

As an example, take the following remote User/Group setup. The group names are abbreviated here; in practice each is a full DN such as CN=Finance,OU=EMEA,DC=example,DC=com:

User    Groups
adam    DasUsers,IT,Finance,SomeOtherGroup
bob     DasUsers,IT,Finance,Executives
chris   DasUsers,SomeOtherGroup
david   DasUsers,Finance,SomeOtherGroup
eric    BusinessAnalysts,SomeOtherGroup
frank   IT,Finance,SomeOtherGroup

Configuring the Groups section of Query Options with the DN of DasUsers results in the following users being available for import:

  • adam
  • bob
  • chris
  • david

If all available users are imported, the following groups are imported into Datameer:

  • DasUsers
  • IT
  • Finance
  • SomeOtherGroup
  • Executives

Note that only members of DasUsers are available to import.

Controlling Available Groups

In addition to enforcing group membership, Datameer also provides the ability to control which groups from the remote system are imported when users are added to the system. This gives the administrator the ability to exclude extraneous groups that would otherwise be pulled into the system. Besides excluding groups, Datameer also supports including only certain groups. This lets the administrator control which groups are available for the sharing features of Datameer, which can be especially important when using /wiki/spaces/DAS21/pages/4157768195, for example.

This group filtering is set up using the Group Filtering section of the Authentication administration page:

The rules for this configuration are as follows:

  • Filter expressions are Java regular expression patterns that are applied to the group's name.
  • In either the Include These Groups or Exclude These Groups fields, enter one filter expression per line.
  • If a group matches an exclude filter expression, that group is explicitly excluded from Datameer.
  • When there are no include filters, then all groups are included, except those explicitly excluded.
  • With any include patterns specified, only groups matching one of the patterns and not explicitly excluded are available.
  • Selecting Ignore Case enables case-insensitive matching.

By way of example, given the same user set as above, you could specify the following filters:

Include These Groups

<EMPTY>

Exclude These Groups

SomeOtherGroup

After importing all available users, the Datameer User/Group setup is:

User    Groups
adam    DasUsers,IT,Finance
bob     DasUsers,IT,Finance,Executives
chris   DasUsers
david   DasUsers,Finance
eric    BusinessAnalysts
frank   IT,Finance

If you want to include only a specific set of groups, without pulling in remote groups you don't care about, you could set it up as follows:

Include These Groups

IT

Finance

BusinessAnalyst

Exclude These Groups

<EMPTY>

The following results occur after importing all users:

User    Groups
adam    IT,Finance
bob     IT,Finance
david   Finance
eric    BusinessAnalysts
frank   IT,Finance

Notice that chris hasn't been imported. This demonstrates that if a user has NO groups left after filtering, that user isn't available in Datameer. To avoid this, you can set a configuration variable that adds such users to a default group.

Combining the Above Methods

These two group filtering mechanisms can be combined to support the following requirements:

  • You have a group that defines the set of users you want to access Datameer.
  • You don't actually want to import that group into Datameer, since it is really only a meta-group.
  • You have a few groups that you want to include in Datameer for sharing purposes.

To achieve this, you can set up the DasUsers group membership filter in Groups under Query Options.

And under Group Filters you configure the following:

Include These Groups

<EMPTY>

Exclude These Groups

SomeOtherGroup

This way, you enforce membership in the group DasUsers without importing that group into Datameer. SomeOtherGroup is also excluded, for demonstration purposes. The results from importing all available users with this configuration are:

User    Groups
adam    IT,Finance
bob     IT,Finance,Executives
david   Finance
eric    BusinessAnalysts
frank   IT,Finance
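The following is an added example, not Datameer's own code, that applies the rules from the Group Filtering and Query Options sections above to the sample user set so you can predict an import before running it. It assumes partial (search) matching of each pattern against the group name, because the page's own example uses the include pattern BusinessAnalyst to admit the group BusinessAnalysts; it uses Python's re module rather than Java's Pattern, which behaves identically for patterns this simple; and for the combined scenario it assumes the meta-group is kept out by also listing it as an exclude pattern. The default-group fallback and its name are placeholders, since the page does not name the configuration variable.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample directory, mirroring the page's example. Group names stand
# in for full DNs such as CN=Finance,OU=EMEA,DC=example,DC=com.
REMOTE_USERS: Dict[str, List[str]] = {
    "adam": ["DasUsers", "IT", "Finance", "SomeOtherGroup"],
    "bob": ["DasUsers", "IT", "Finance", "Executives"],
    "chris": ["DasUsers", "SomeOtherGroup"],
    "david": ["DasUsers", "Finance", "SomeOtherGroup"],
    "eric": ["BusinessAnalysts", "SomeOtherGroup"],
    "frank": ["IT", "Finance", "SomeOtherGroup"],
}


def matches_any(name: str, patterns: Iterable[str], ignore_case: bool) -> bool:
    """True if at least one pattern matches the group name.

    Assumption: partial (search) matching, since the page's example uses the
    include pattern 'BusinessAnalyst' to admit the group 'BusinessAnalysts'.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.search(p, name, flags) for p in patterns)


def filter_groups(groups: Iterable[str], include: Iterable[str],
                  exclude: Iterable[str], ignore_case: bool = False) -> List[str]:
    """Apply the Group Filtering rules to one user's remote group list."""
    include, exclude = list(include), list(exclude)
    kept = []
    for g in groups:
        if matches_any(g, exclude, ignore_case):
            continue                  # an exclude match always wins
        if include and not matches_any(g, include, ignore_case):
            continue                  # include list present, group not on it
        kept.append(g)                # no include list: keep all not excluded
    return kept


def simulate_import(remote_users: Dict[str, List[str]],
                    membership: Iterable[str] = (), include: Iterable[str] = (),
                    exclude: Iterable[str] = (), ignore_case: bool = False,
                    default_group: Optional[str] = None) -> Dict[str, List[str]]:
    """Predict which users (and with which groups) would be imported."""
    membership = list(membership)
    imported = {}
    for user, groups in remote_users.items():
        # Query Options > Groups: user must be a direct member of a listed group.
        if membership and not any(g in groups for g in membership):
            continue
        kept = filter_groups(groups, include, exclude, ignore_case)
        if not kept:
            if default_group is None:
                continue              # no groups left: user is not available
            kept = [default_group]    # hypothetical default-group fallback
        imported[user] = kept
    return imported


def scenario_membership_only() -> Dict[str, List[str]]:
    return simulate_import(REMOTE_USERS, membership=["DasUsers"])


def scenario_include_only() -> Dict[str, List[str]]:
    return simulate_import(REMOTE_USERS,
                           include=["IT", "Finance", "BusinessAnalyst"])


def scenario_combined(default_group: Optional[str] = None) -> Dict[str, List[str]]:
    # Assumed: the meta-group is excluded explicitly so it is enforced but not imported.
    return simulate_import(REMOTE_USERS, membership=["DasUsers"],
                           exclude=["^DasUsers$", "^SomeOtherGroup$"],
                           default_group=default_group)


def bare_vs_anchored():
    # Caveat: with partial matching plus Ignore Case, the bare pattern 'IT' also
    # admits 'Security' and 'ITSupport' (constructed names); ^IT$ admits only 'IT'.
    sample = ["IT", "Security", "ITSupport"]
    return (filter_groups(sample, ["IT"], [], ignore_case=True),
            filter_groups(sample, ["^IT$"], [], ignore_case=True))


if __name__ == "__main__":
    for title, fn in [("membership only", scenario_membership_only),
                      ("include only", scenario_include_only),
                      ("combined", scenario_combined)]:
        print(title)
        for user, groups in fn().items():
            print(f"  {user:6} {','.join(groups)}")
    print("bare vs anchored:", bare_vs_anchored())
```

Because an over-broad include pattern can silently admit groups that then become targets for sharing, anchor patterns (^IT$) rather than relying on bare names, and run a dry simulation like this one against an export of the real group list before enabling Ignore Case.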