Stages Documentation

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
72:ldap_optional_attributes [2018/07/16 13:40] – created bkkr72:ldap_optional_attributes [2024/02/15 00:00] (current) – external edit 127.0.0.1
Line 34: Line 34:
  
 The referrals attribute can be used to configure the handling of LDAP referrals. Possible behavior and values are “follow“ or “ignore“. By default, Stages will follow referrals. The referrals attribute can be used to configure the handling of LDAP referrals. Possible behavior and values are “follow“ or “ignore“. By default, Stages will follow referrals.
 +
 +=== The ignorePartialResultExeption Attribute ===
 +
 +When enabled, this attribute causes the PartialResultException to be ignored if the referrals attribute is set to "ignore".\\
 +The ignorePartialResultException attribute is configured on the ldap-provider.
  
 === The searchFilter Attribute === === The searchFilter Attribute ===
Line 41: Line 46:
 The syntax used to build up the filter expression is specified in RFC 2254. Some examples are provided below: The syntax used to build up the filter expression is specified in RFC 2254. Some examples are provided below:
  
-^Filter Expression ^Meaning | +^Filter Expression^Meaning| | 
-|(objectClass=*) |All objects | +|(objectClass=*)|All objects| | 
-|(sn=sm*) |All entries with a surname that starts with "sm"+|(sn=sm*)|All entries with a surname that starts with "sm"| | 
-|(&(sn=smith)(objectClass=user)(email=*)) |All entries that are users having the surname "smith" and an email address. | +|(&(sn=smith)(objectClass=user)(email=*))|All entries that are users having the surname "smith" and an email address.| | 
-|(&amp;(objectClass=user)(!age<18)(|(sn=smith) (sn=wright))) |All entries that are users having surname set to "smith" or "wright" and are older than 18 |+|(&(objectClass=user)(!age<18) 
 + ( |(sn=smith)(sn=wright)))|All entries that are users having surname set to "smith" or "wright" and are older than 18|
  
-**NOTE**: In the PKitConfig.xml file the character “&“ has to be escaped via “&“. Otherwise errors parsing the configuration file could occur.+**NOTE**: In the 
 + Config.xml  file the character “&“ has to be escaped via “&“. Otherwise errors parsing the configuration file could occur.
  
-There is a special memberOf keyword available on many LDAP directory servers. In the case of Microsoft Active Directory, groups are represented via entries of object class “group“ by default. The distinguished names of the group members are set in the member attributes of the group entry. On the other hand, the distinguished name of every group a user is part of is automatically set in a memberOf attribute of the user entry.+There is a special memberOf keyword available on many LDAP directory servers. In the case of Microsoft Active Directory, groups are represented via entries of object class “group“ by default. The distinguished names of the group members are set in the member attributes of the group entry. On the other hand, the distinguished name of every group a user is part of is automatically set in a 
 + memberOf  attribute of the user entry.
  
 The following search filter example shows how to filter users according to a certain group membership using the memberOf attribute: The following search filter example shows how to filter users according to a certain group membership using the memberOf attribute:
  
-searchFilter="(memberOf=CN=SampleGroup,DC=pkit,DC=methodpark,DC=de)“+'' searchFilter="(memberOf=CN=SampleGroup,DC=pkit,DC=methodpark,DC=de)“  ''
  
 If the memberOf attribute is not available on your LDAP directory server, it is possible to retrieve the members of a certain group by querying the member attribute of a group entry. If the memberOf attribute is not available on your LDAP directory server, it is possible to retrieve the members of a certain group by querying the member attribute of a group entry.
  
-The following search filter example shows how to query the users of a group without using the memberOf attribute:+The following search filter example shows how to query the users of a group without using the 
 + memberOf  attribute:
  
-searchFilter="distinguishedName=CN=SomeGroup,DC=er,DC=methodpark,DC=de"+'' searchFilter="distinguishedName=CN=SomeGroup,DC=er,DC=methodpark,DC=de"  ''
  
-The filter specifies that the distinguished name of the (group) entry has to be “CN=SomeGroup,DC=er,DC=methodpark,DC=de“. In order to state the attribute name, which contains the distinguished name of the group members, the attribute groupMemberAttribute has to be set, e.g. to “member“ in the case of Active Directory.+The filter specifies that the distinguished name of the (group) entry has to be 
 + “CN=SomeGroup,DC=er,DC=methodpark,DC=de“  . In order to state the attribute name, which contains the distinguished name of the group members, the attribute 
 + groupMemberAttribute  has to be set, e.g. to 
 + “member“  in the case of Active Directory.
  
-A complete example for retrieving group members without using the memberOf attribute is listed below.+A complete example for retrieving group members without using the 
 + memberOf  attribute is listed below.
  
-searchFilter="distinguishedName=CN=SomeGroup,DC=er,DC=methodpark,DC=de"\\ +'' searchFilter="distinguishedName=CN=SomeGroup,DC=er,DC=methodpark,DC=de"\\ 
-groupMemberAttribute=member“+groupMemberAttribute="member“  ''
  
 === The ondemandFilter Attribute === === The ondemandFilter Attribute ===
Line 74: Line 87:
 The ondemandFilter must contain the placeholder character “%” that will be replaced by the username when queries on the LDAP repository are made. The ondemandFilter must contain the placeholder character “%” that will be replaced by the username when queries on the LDAP repository are made.
  
-Example: ondemandFilter=“(sAMAccountName=%,cn=Users,dc=methodpark,dc=com)” +Example: ''ondemandFilter=“(&(sAMAccountName=%)(objectClass=user))''''''
 === The matchUsersMode Attribute === === The matchUsersMode Attribute ===
  
Line 100: Line 112:
 The defaultLicenseType attribute specifies which license type shall be granted to a newly created LDAP user. Possible values for that attribute are: The defaultLicenseType attribute specifies which license type shall be granted to a newly created LDAP user. Possible values for that attribute are:
  
-  * QM +  * Stages Process Modeler (floating): **QM** 
-  * PM +  * Stages Process Modeler (named): **PersonalQM** 
-  * Dev +  * Stages Project Manager (floating:) **FloatingPM** 
-  * none+  * Stages Project Manager (named): **PM** 
 +  * Stages Process Participant (floating): **FloatingDev** 
 +  * Stages Process Participant (named): **Dev** 
 +  * Stages Process Contributor (floating): **FloatingADev** 
 +  * Stages Process Contributor (named): **ADev** 
 +  * Stages Process Viewer (floating only): **AuthPsReader** 
 +  * None: **none**
  
-The specified license type is only assigned if the corresponding license limit for that type is not reached. If the defaultLicenseType attribute is not specified then the value of the configuration property license.types.initialType is used for that purpose.+The specified license type is only assigned if the corresponding license limit (named licenses only) for that type is not reached. If the defaultLicenseType attribute is not specified then the value of the configuration property license.types.initialType is used for that purpose. The default value of this property is "Dev".
  
-\\