Re: Assigning Role to Group

Daniel Mikusa

On Wed, Jul 22, 2015 at 3:27 AM, Zakharov Alexey <
alexey.zakharov(a)> wrote:

>* Hi guys!
*>* Sorry if my question is newbie or it was discussed before.
*>* I want to use LDAP for users authentication/authorisation. And I’ve
*>* successfully bound CF to LDAP, and managed to configure uaac group mappings.
*>* But then I realised, that there are no way to assign a Role to that group.
*>* 'cf set-org-role’ accepts only usernames as parameter, but not groups. I
*>* think assigning Developer role to group is more flexible than assigning is
*>* to every particular user.
*>* Are you going to add this feature later? Or maybe there is an another way
*>* to do group binding?
Have you looked at the `uaac` tool? I'm not quite sure I understand what
you're trying to do, but you can map an LDAP group DN to a UAA group with
`uaac`. Then if a user in that LDAP group logs in, they'll have that uaa
group. Is that what you're looking to do?


uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

Or are you asking about mapping LDAP groups to CF org & space roles? i.e.
user in ldap group X is automatically given the OrgManager role in org Y.


Hi Dan!

Yes, as I’ve stated before, I’ve already managed to configure group mappings using ‘uaac group map’.

And now I want to bind group members to Organizations and Spaces. Is it possible to do?

Sorry, missed that in your original post. Last I heard no you couldn't do
this mapping, but that was a while ago though. Maybe someone on the
Identity team could confirm.


Join to automatically receive all group messages.