Defining Group Membership
You can use the <GROUPUSERS> attribute to define iProcess group membership in a number of ways:
• An entry can contain one or more <GROUPUSERS> values. If multiple <GROUPUSERS> values are used, LDAPCONF includes the user names from each value in the group.
• All <GROUPUSERS> attribute values must be specified either:
  — as iProcess user names (MEMBER LIST format). See <GROUPUSERS> for more information.
  — or as LDAP distinguished names (LDAP DN format).
Using iProcess User Names to Define Group Membership (MEMBER LIST Format)
A <GROUPUSERS> attribute value can be either a single iProcess user name, or a comma-separated list of iProcess user names. In the following example, the groupusers attribute value defines johnb, roystonh and bobb as members of the reviewers group:
menuname=group
groupname=reviewers
groupusers=johnb,roystonh,bobb
Note that:
• Each specified user name must already exist as an iProcess user. When iProcess user data is synchronized with the LDAP directory, a name that does not match an existing user is simply not added to the group.
• A specified name must not contain an @ or = character, as this causes the value to be truncated at that character. For example, the value:
groupusers = johnb,roystonh@acme,bobb
results in johnb and roystonh being added as group members; bobb is not added to the group.
• You can use wildcard characters to match all or part of a user name. For example, the following value defines all users whose names start with swusr as group members:
groupusers = swusr*
Using LDAP Distinguished Names to Define Group Membership (LDAP DN Format)
A <GROUPUSERS> attribute value can contain either a single DN or a list of DNs. Each DN references another entry in the LDAP directory, and that entry must contain the iProcess user name that is to be added to the group.
When iProcess user data is synchronized with the LDAP directory, LDAPCONF reads the LDAP entry identified by each DN. If it finds:
• a <USERNAME> attribute value that maps to an existing iProcess user, it adds that user to the group.
• a <USERNAME> attribute value that is not already an iProcess user, it creates the iProcess user and then adds it to the group. Note: the value must be a valid iProcess user name.
• no <USERNAME> attribute value, or an empty <USERNAME> attribute value, it ignores the entry.
Consider a groupusers attribute value that contains a list of three DNs, where the LDAP attribute that maps to the iProcess user name is uid. When iProcess user data is synchronized with the LDAP directory, LDAPCONF searches the LDAP entry identified by each DN for a uid value. If those entries hold the uid values johnb, roystonh and bobb, those three users are added to the reviewers group.
Note: in this example, the # character is the delimiter for individual DNs in the groupusers value. The # character is the MS Active Server delimiter; other LDAP directory servers may use different characters.
Note that:
• A DN must not contain an @ character, as this causes the DN to be truncated at that character. For example, the value:
groupusers = cn=jbloggs,ou=Dev,o=ACME#
cn=rharper@ACME,ou=Tst,o=ACME#
cn=bbaggins,ou=Dev,o=ACME
results in the second DN being interpreted as cn=rharper. The first and third DNs are interpreted normally.
• If a DN itself contains the LDAP <USERNAME> attribute, LDAPCONF checks whether the value of that attribute is an iProcess user:
  — If it is, LDAPCONF adds that user to the group and does not interpret the DN any further.
  — If it is not, LDAPCONF continues to interpret the DN as previously described.
In the following example, we again assume that uid is the LDAP attribute that maps to the iProcess user name, and that the DN contains the component uid=jon_b. LDAPCONF reads the DN and, finding that it already contains a uid value, checks whether jon_b is an iProcess user:
  — If jon_b is an iProcess user, jon_b is added to the group. The entry identified by the full DN is not examined.
  — If jon_b is not an iProcess user, LDAPCONF searches the entry identified by the full DN. If it finds the uid value johnb there, it adds user johnb to the group.
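The following Python model of both formats (MEMBER LIST and LDAP DN) is an added example and is not code from this page or from the iProcess/LDAPCONF product; it exists so that a groupusers value can be dry-run against an offline copy of the user table before a synchronization. It assumes uid as the user-name attribute and # as the DN delimiter (as in the page's examples), fnmatch-style wildcard semantics, that a DN truncated at @ simply fails to resolve and is ignored, and a constructed user set and directory (IPROCESS_USERS, LDAP_DIRECTORY, truncate_at, dn_component_value are all hypothetical names):

```python
import fnmatch

# Constructed sample data, not taken from the page: the existing iProcess
# users and a tiny LDAP directory keyed by DN. As in the page's examples,
# the LDAP attribute that maps to the iProcess user name is assumed to be uid.
IPROCESS_USERS = {"johnb", "roystonh", "bobb", "swusr1", "swusr2"}
LDAP_DIRECTORY = {
    "cn=jbloggs,ou=Dev,o=ACME": {"uid": "johnb"},
    "cn=rharper,ou=Tst,o=ACME": {"uid": "roystonh"},
    "cn=bbaggins,ou=Dev,o=ACME": {"uid": "bobb"},
    "uid=jon_b,ou=Dev,o=ACME": {"uid": "johnb"},   # DN component and entry disagree
    "cn=newguy,ou=Dev,o=ACME": {"uid": "newguy"},  # not yet an iProcess user
    "cn=noname,ou=Dev,o=ACME": {},                 # no uid: entry is ignored
}
USERNAME_ATTR = "uid"
DN_DELIMITER = "#"   # the delimiter the page gives for Active Directory (assumed configurable)


def truncate_at(value, chars):
    """Model the documented truncation: the value is cut at the first
    occurrence of any character in `chars` (hypothetical helper)."""
    cut = min((value.find(c) for c in chars if c in value), default=len(value))
    return value[:cut]


def members_from_name_list(value, users=IPROCESS_USERS):
    """MEMBER LIST format: a comma-separated list of iProcess user names.
    The whole value is truncated at the first @ or =, each remaining name may
    carry * wildcards (fnmatch semantics assumed), and names that match no
    existing user are silently dropped rather than created."""
    members = set()
    for pattern in truncate_at(value.strip(), "@=").split(","):
        pattern = pattern.strip()
        if pattern:
            members |= {u for u in users if fnmatch.fnmatchcase(u, pattern)}
    return members


def dn_component_value(dn, attr):
    """Return the value of `attr` if it appears as a component of the DN."""
    for component in dn.split(","):
        key, _, val = component.partition("=")
        if key.strip().lower() == attr.lower():
            return val.strip()
    return None


def members_from_dn_list(value, users=None, directory=LDAP_DIRECTORY):
    """LDAP DN format: DNs separated by DN_DELIMITER. Each DN is truncated at
    its first @. If the DN itself carries the username attribute and that
    value is an existing user, the user is added without reading the entry;
    otherwise the entry is read and its uid added, creating the iProcess user
    if needed. Entries with no uid (or DNs that no longer resolve) are ignored.
    Returns (members, created_users, ignored_dns); `users` is updated in place
    with any created user."""
    if users is None:
        users = set(IPROCESS_USERS)
    members, created, ignored = set(), [], []
    for raw in value.split(DN_DELIMITER):
        dn = truncate_at(raw.strip(), "@")
        if not dn:
            continue
        shortcut = dn_component_value(dn, USERNAME_ATTR)
        if shortcut in users:
            members.add(shortcut)          # entry is never examined
            continue
        name = directory.get(dn, {}).get(USERNAME_ATTR)
        if not name:
            ignored.append(dn)             # no entry, or no/empty uid
            continue
        if name not in users:
            users.add(name)                # user is created, then added
            created.append(name)
        members.add(name)
    return members, created, ignored
```

Two results of running this are worth checking before any real synchronization: a stray @ or = silently drops every member after it (or, for DNs, turns a DN into one that resolves to nothing), so an apparently complete reviewers group can ship short; and a DN that carries uid=<existing user> adds that user without the entry ever being read, so the DN component, not the entry's own uid attribute, decides membership (the jon_b versus johnb case above).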