Re: Mapping ORGs and Space permissions via LDAP

Dieu Cao <dcao@...>

This has been a long-requested feature.
We've recently started to have more active conversations about this between
CAPI and UAA teams and we hope to be able to share a proposal addressing
this once an approach has been agreed on in the next month or two.

CF Runtime PMC Lead

On Sun, Feb 19, 2017 at 4:33 AM, Alexander Lomov <alexander.lomov(a)> wrote:

Hey, Mark.

At the moment there is no way to control access to org or spaces using UAA.

You can find the list of currently available UAA scopes here [1]. To control
org or spaces access you need something like zone id for org or space, but
I don’t know the way to create such binding right now. I suppose the
feature development is in progress.

Since you added UAA-LDAP integration, you can log in with an LDAP user. After
that you can control user access by CF roles [2] and this process does not
involve UAA.

We also use the cf-mgmt tool [3] to automate LDAP user binding with org/spaces
on some of our projects. You may find it useful.

Best wishes,
Alex L.


On Feb 18, 2017, at 6:19 PM, Mark Coumounduros <mcoumounduros(a)>

Hey All,

I recently updated a Cloud Foundation to map CC admin permission to LDAP
via this UAAC command:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

I now just want to fine tune LDAP permission to specific ORGs and/or
Spaces. Is this possible, if so, how?
