System role mapping using LDAP Authentication

by Bruce Wilbee -
Number of replies: 6
I must be missing something simple but cannot get System Role Mapping to work. We are using LDAP to add people to the Course Creators Role based on membership in an AD security group. The user sync is working and user accounts are being created and able to log in; however, the instructors are not being added to the role...

MEMBER ATTRIBUTE USES DN (AUTH_LDAP | MEMBERATTRIBUTE_ISDN) to Yes.

Any ideas on how to troubleshoot this?
In reply to Bruce Wilbee

Re: System role mapping using LDAP Authentication

by Emma Richardson -
I have that setting set to No for MSAD - I don't use that particular mapping but everything else works as expected and I map other roles across...
In reply to Emma Richardson

Re: System role mapping using LDAP Authentication

by Emma Richardson -
Oh and also, how do you have the group referenced - should be like this:
CN="Your Group",OU="Your OU",DC="yourdomain",DC=com
In reply to Emma Richardson

Re: System role mapping using LDAP Authentication

by Bruce Wilbee -
Thank you,
I have tried with MSAD set both yes and no and no love.
We are using the same configuration cn=administrators,ou=groups,ou=organization,dc=mydomain,dc=lan
In reply to Bruce Wilbee

Re: System role mapping using LDAP Authentication

by Emma Richardson -
Can you share your settings page (with sensitive stuff blacked out..)?
In reply to Emma Richardson

Re: System role mapping using LDAP Authentication

by Bruce Wilbee -
Host URL auth_ldap | host_url ldap://192.168.X.X
auth_ldap | ldap_version 3
Use TLS auth_ldap | start_tls No
LDAP encoding auth_ldap | ldapencoding utf-8
Page size auth_ldap | pagesize 600

Bind settings
Prevent password caching auth_ldap | preventpassindb No
Distinguished name auth_ldap | bind_dn CN=,OU= ,DC=mydomain,DC=lan
Password auth_ldap | bind_pw ••••••••••••••••••••
User type auth_ldap | user_type MS ActiveDirectory
Contexts auth_ldap | contexts ou=myou,dc=mydomain,dc=lan
auth_ldap | search_sub Yes
Dereference aliases auth_ldap | opt_deref No
User attribute auth_ldap | user_attribute samaccountname
Suspended attribute auth_ldap | suspended_attribute Default: Empty
Member attribute auth_ldap | memberattribute Default: Empty
Member attribute uses dn auth_ldap | memberattribute_isdn Yes
Object class auth_ldap | objectclass
(|(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Administrators,OU=Groups,OU=MyOU,DC=MyDomain,DC=lan))(&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Directors,OU=Non-AD Synced groups,OU=Groups,OU=MyOU,DC=MyDomain,DC=lan)) (&(objectClass=user)(!(objectClass=computer))(memberOf=CN=Campus Administrators,OU=Groups,OU=MyOU,DC=MyDomain,DC=lan)))
Force change password auth_ldap | forcechangepassword No
Use standard page for changing password auth_ldap | stdchangepassword YES
Password-change URL auth_ldap | changepasswordurl Default: Empty

LDAP password expiry settings
Expiry auth_ldap | expiration No
Expiry warning auth_ldap | expiration_warning 10
Expiry attribute auth_ldap | expireattr Default: Empty
Grace logins auth_ldap | gracelogins Yes
Grace login attribute auth_ldap | graceattr Default: Empty

Enable user creation
Create users externally auth_ldap | auth_user_create No
Context for new users auth_ldap | create_context Default: Empty

System role mapping
Manager context auth_ldap | managercontext Default: Empty
Course creator context auth_ldap | coursecreatorcontext cn=administrators,ou=groups,ou=MyOU,dc=MyDomain,dc=lan
Teacher context auth_ldap | editingteachercontext Default: Empty
Student context auth_ldap | studentcontext Default: Empty
Campus Administrator context auth_ldap | campusadministratorcontext Default: Empty
Campus Director context auth_ldap | campusdirectorcontext Default: Empty
In reply to Emma Richardson

Re: System role mapping using LDAP Authentication

by Bruce Wilbee -
Hi Emma, any ideas how to resolve this?