Filtering LDAP Groups
Overview
There are two main concepts when dealing with LDAP groups:
- Ensuring group membership when importing remote Users
- Controlling the groups which will be imported and used by Datameer
Enforcing Group Membership
To enforce that users are a direct member of a specific group (or groups), you can configure this under the Query Options section of the Authentication configuration page:
Enter fully qualified Distinguished Names (DN) for each group, one per line. After correctly configuring this, Datameer X only accepts users with direct group membership in any of these groups. Using this query option doesn't limit the groups coming into Datameer X; it only enforces membership. That means for each qualifying user, Datameer X still imports all of that user's remote groups into Datameer.
As an example, given the following remote User/Group setup and assuming the group names are actually full DNs such as CN=Finance,OU=EMEA,DC=example,DC=com:
| User | Groups |
|---|---|
| adam | DasUsers, IT, Finance, SomeOtherGroup |
| bob | DasUsers, IT, Finance, Executives |
| chris | DasUsers, SomeOtherGroup |
| david | DasUsers, Finance, SomeOtherGroup |
| eric | BusinessAnalysts, SomeOtherGroup |
| frank | IT, Finance, SomeOtherGroup |
Configuring the Groups section of Query Options with the DN of DasUsers results in the following users being available for import:
- adam
- bob
- chris
- david
If all available users are imported, the following groups are imported into Datameer X:
- DasUsers
- IT
- Finance
- SomeOtherGroup
- Executives
Note that only members of DasUsers are available to import.
Controlling Available Groups
In addition to enforcing group membership, Datameer X also provides the ability to control what groups from the remote system are imported when users are added to the system. This gives the administrator the ability to exclude extraneous groups which might be pulled into the system. In addition to excluding groups, Datameer X supports only including certain groups. This allows the administrator to control what groups are available to use for the sharing features of Datameer. This can be especially important when using Secure Impersonation, for example.
This group filtering is set up using the Group Filtering section of the Authentication administration page:
The rules for this configuration are as follows:
- Filter expressions are Java regular expression patterns that are applied to the group's name.
- In either the Include These Groups or Exclude These Groups field, enter one filter expression per line.
- If a group matches an exclude filter expression, that group is explicitly excluded from Datameer.
- When there are no include filters, all groups are included except those explicitly excluded.
- When any include patterns are specified, only groups matching one of the patterns and not explicitly excluded are available.
- Selecting Ignore Case enables case-insensitive matching.
By way of example, given the same user set as above, you could specify the following filters:
| Field | Value |
|---|---|
| Include These Groups | <EMPTY> |
| Exclude These Groups | SomeOtherGroup |
After importing all available users, the Datameer X User/Group setup is:
| User | Groups |
|---|---|
| adam | DasUsers, IT, Finance |
| bob | DasUsers, IT, Finance, Executives |
| chris | DasUsers |
| david | DasUsers, Finance |
| eric | BusinessAnalysts |
| frank | IT, Finance |
If you want to include only a specific set of groups and avoid pulling in remote groups you don't care about, you could set it up as follows:
| Field | Value |
|---|---|
| Include These Groups | IT Finance BusinessAnalyst (one pattern per line) |
| Exclude These Groups | <EMPTY> |
The following results occur after importing all users:
| User | Groups |
|---|---|
| adam | IT, Finance |
| bob | IT, Finance |
| david | Finance |
| eric | BusinessAnalysts |
| frank | IT, Finance |
Notice that chris hasn't been imported. This demonstrates that if a user has NO groups left after filtering, that user isn't available to Datameer. To avoid this, you can set a configuration variable that adds such users to a default group.
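The following is an added example, not part of the Datameer documentation, that models the two mechanisms described above as plain Python: the Query Options membership check followed by the include/exclude filter rules, run over the sample users from the tables on this page. It assumes find-style (partial) regex matching, which is what lets the page's BusinessAnalyst pattern match BusinessAnalysts, and uses short group names in place of the full DNs the real configuration expects.

```python
import re

# Constructed sample directory, copied from the User/Group table on this page.
# Short names stand in for the full group DNs the real configuration expects.
REMOTE_USERS = {
    "adam":  ["DasUsers", "IT", "Finance", "SomeOtherGroup"],
    "bob":   ["DasUsers", "IT", "Finance", "Executives"],
    "chris": ["DasUsers", "SomeOtherGroup"],
    "david": ["DasUsers", "Finance", "SomeOtherGroup"],
    "eric":  ["BusinessAnalysts", "SomeOtherGroup"],
    "frank": ["IT", "Finance", "SomeOtherGroup"],
}

def compile_filters(patterns, ignore_case):
    # One regex per non-empty line; "Ignore Case" maps to re.IGNORECASE.
    flags = re.IGNORECASE if ignore_case else 0
    return [re.compile(p.strip(), flags) for p in patterns if p.strip()]

def filter_groups(groups, include=(), exclude=(), ignore_case=False):
    """Apply the Group Filtering rules to one user's group list. Exclude wins
    over include; with no include patterns, everything not excluded stays.
    Find-style (partial) matching is assumed, so an unanchored pattern also
    matches any group whose name merely contains it."""
    inc = compile_filters(include, ignore_case)
    exc = compile_filters(exclude, ignore_case)
    kept = []
    for group in groups:
        if any(p.search(group) for p in exc):
            continue                         # explicitly excluded
        if inc and not any(p.search(group) for p in inc):
            continue                         # include list given, no match
        kept.append(group)
    return kept

def import_users(remote, required_groups=(), include=(), exclude=(),
                 ignore_case=False, default_group=None):
    """Query Options membership check, then Group Filtering, per user. A user
    left with no groups is dropped unless a default group is configured."""
    required = set(required_groups)
    imported = {}
    for user, groups in remote.items():
        if required and required.isdisjoint(groups):
            continue                         # not a direct member of a required group
        kept = filter_groups(groups, include, exclude, ignore_case)
        if not kept and default_group is None:
            continue
        imported[user] = kept or [default_group]
    return imported
```

Because matching is partial, an include pattern such as Finance also admits a group named FinanceContractors; when a group gates sharing or Secure Impersonation, anchor the pattern (^Finance$) so only the intended group qualifies.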
Combining the Above Methods
These two group filtering mechanisms can be combined to support the following requirements:
- You have a group that defines the set of users you want to access Datameer.
- You don't actually want to import that group into Datameer X since it is really only a meta-group.
- You have a few groups that you want to include in Datameer X for sharing purposes.
To achieve this, you can set up the DasUsers group membership filter in Groups under Query Options.
And under Group Filters you configure the following:
| Field | Value |
|---|---|
| Include These Groups | <EMPTY> |
| Exclude These Groups | SomeOtherGroup |
This way, you can enforce membership in the group DasUsers without importing that group into Datameer. SomeOtherGroup is also excluded for demonstration purposes. The results from importing all available users with this configuration are:
| User | Groups |
|---|---|
| adam | IT, Finance |
| bob | IT, Finance, Executives |
| david | Finance |
| eric | BusinessAnalysts |
| frank | IT, Finance |