Re: Assigning Role to Group


Zakharov Alexey <alexey.zakharov@...>
 

Is there any plans to implement ORGs to LDAP groups binding later?
When I list group mappings, I can see a default mapping, which forces me to think you are planning to do something like that:

$ uaac group mappings
resources:
-
organizations.acme: cn=test_org,ou=people,o=springsource,o=org

---
Alexey Zakharov | CloudFoundry Team | Altoros
Tel: (617) 841-2121 ext. 5704 | Toll free: 855-ALTOROS
Fax: (866) 201-3646 | Skype: alexey.zakharov.a
www.altoros.com<http://www.altoros.com> | blog.altoros.com<http://blog.altoros.com> | twitter.com/altoros<http://twitter.com/altoros>

On Jul 22, 2015, at 18:05, Filip Hanik <fhanik(a)pivotal.io<mailto:fhanik(a)pivotal.io>> wrote:

To elaborate a bit more, at this time the cloud controller maintains its own roles and ACLs in the CC database.

Filip

On Wednesday, July 22, 2015, Sree Tummidi <stummidi(a)pivotal.io<mailto:stummidi(a)pivotal.io>> wrote:
This support is not yet available

Thanks,
Sree

Sent from my iPad

On Jul 22, 2015, at 4:35 AM, Daniel Mikusa <dmikusa(a)pivotal.io<javascript:_e(%7B%7D,'cvml','dmikusa(a)pivotal.io');>> wrote:

On Wed, Jul 22, 2015 at 3:27 AM, Zakharov Alexey <alexey.zakharov(a)altoros.com<javascript:_e(%7B%7D,'cvml','alexey.zakharov(a)altoros.com');>> wrote:

Hi guys!
Sorry if my question is newbie or it was discussed before.
I want to use LDAP for users authentication/authorisation. And I’ve
successfully bound CF to LDAP, and managed to configure uaac group mappings.
But then I realised, that there are no way to assign a Role to that group.
'cf set-org-role’ accepts only usernames as parameter, but not groups. I
think assigning Developer role to group is more flexible than assigning is
to every particular user.
Are you going to add this feature later? Or maybe there is an another way
to do group binding?
Have you looked at the `uaac` tool? I'm not quite sure I understand what
you're trying to do, but you can map an LDAP group DN to a UAA group with
`uaac`. Then if a user in that LDAP group logs in, they'll have that uaa
group. Is that what you're looking to do?

Ex:

uaac group map --name cloud_controller.admin "GROUP-DISTINGUISHED-NAME"

Or are you asking about mapping LDAP groups to CF org & space roles? i.e.
user in ldap group X is automatically given the OrgManager role in org Y.

Dan


Hi Dan!

Yes, as I’ve stated before, I’ve already managed to configure group mappings using ‘uaac group map’.

And now I want to bind group members to Organizations and Spaces. Is it possible to do?

Sorry, missed that in your original post. Last I heard no you couldn't do this mapping, but that was a while ago though. Maybe someone on the Identity team could confirm.

Dan

_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org<javascript:_e(%7B%7D,'cvml','cf-dev(a)lists.cloudfoundry.org');>
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev
_______________________________________________
cf-dev mailing list
cf-dev(a)lists.cloudfoundry.org<mailto:cf-dev(a)lists.cloudfoundry.org>
https://lists.cloudfoundry.org/mailman/listinfo/cf-dev

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.