Creating VISULOX user groups based on an AD/LDAP attribute
Some AD/LDAP setups do not assign AD/LDAP groups to users, so policies cannot be based on group membership there; an AD/LDAP attribute has to be used instead.
VISULOX supports creating up to four internal groups based on AD/LDAP attributes.
Only a single step is needed for this: a VISULOX custom mapping file ("mapping cust file").
For example:
Example employeeType
{
    varmapping {
        columns {source external internal convert}
        rows {
            {{MSAD.USER} {employeeType} {vlxuserdata1} {}}
        }
    }
}
Instead of vlxuserdata1, it is also possible to use vlxuserdata2, vlxuserdata3 or vlxuserdata4.
Multiple tags can be assigned in one attribute value by using ":" as delimiter, e.g.:
attribute=zone1:zone2:zone3
Each user whose LDAP attribute is set gets a group assigned with the name: cn=ATTR$id-$name,dc=internal
- $id = 1, 2, 3 or 4, depending on which vlxuserdata the attribute is mapped to
- $name = the content of the mapped AD/LDAP attribute
With the example above, each user gets a group derived from the employeeType, e.g. cn=ATTR1-External,dc=internal or cn=ATTR1-Internal,dc=internal.
Now it is possible to create a policy based on the employeeType by using ATTR1-External as a User/group filter.
Configurable regexp for LDAP attributes
An LDAP attribute, e.g. the e-mail address, can be analyzed so that only the domain is returned. A group is then created for each domain, which can be used by policies.
If policies are to be based on an LDAP attribute, vlxuserdata1 to 4 can be used.
If the attribute is unique per user (like the e-mail address), the shared part has to be extracted (like the domain from the e-mail address), because a group only makes sense for a value several users have in common.
For this, a custom datasource mapping has to be created that maps the unique attribute to vlxuserdata1 to 4 using the function extractvar. The function extractvar uses the configuration parameter regexp.extractvar as the regular expression to apply.
For example:
{
    varmapping {
        columns {source external internal convert}
        rows {
            {{MSAD.USER} {mail} {vlxuserdata2} {extractvar}}
        }
    }
}
Since VISULOX 3.2, internal groups for the domains are always created.
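The following is an added example, not VISULOX's own code, that simulates what the two mappings above do end to end: it fills vlxuserdata1 from employeeType, fills vlxuserdata2 from mail through an extractvar step, splits ":"-delimited tags into separate groups, and derives the internal group names cn=ATTR$id-$name,dc=internal that a User/group filter such as ATTR1-External matches against. The sample users are constructed, and the regular expression used as regexp.extractvar (capture everything after the "@") is an assumption, since the page does not state the actual parameter value.

```python
import re

# Constructed sample of what an AD/LDAP user lookup might return (not real directory data).
SAMPLE_USERS = {
    "alice": {"employeeType": "External", "mail": "alice@partner.example"},
    "bob":   {"employeeType": "Internal", "mail": "bob@corp.example"},
    "carol": {"employeeType": "zone1:zone2", "mail": "carol@corp.example"},
}

# Mapping rows in the same column order as the cust file: source external internal convert.
MAPPING_ROWS = [
    ("MSAD.USER", "employeeType", "vlxuserdata1", ""),
    ("MSAD.USER", "mail", "vlxuserdata2", "extractvar"),
]

# Assumed value for regexp.extractvar: capture the domain part of an e-mail address.
REGEXP_EXTRACTVAR = r"@(.+)$"


def extractvar(value, pattern=REGEXP_EXTRACTVAR):
    """Return the first capture group of `pattern` found in `value`, or None if it does not match."""
    match = re.search(pattern, value)
    return match.group(1) if match else None


def apply_mapping(user_attrs, rows=MAPPING_ROWS):
    """Fill vlxuserdata1..4 from the user's AD/LDAP attributes according to the mapping rows."""
    userdata = {}
    for source, external, internal, convert in rows:
        if source != "MSAD.USER":
            continue  # this simulation only handles user-level attributes
        raw = user_attrs.get(external)
        if raw is None:
            continue  # attribute not set for this user: no vlxuserdata, hence no group
        if convert == "extractvar":
            raw = extractvar(raw)
            if raw is None:
                continue  # regexp did not match: nothing usable to build a group from
        elif convert:
            raise ValueError(f"unknown convert function: {convert}")
        userdata[internal] = raw
    return userdata


def groups_for(userdata):
    """Derive the internal group DNs cn=ATTR$id-$name,dc=internal from vlxuserdata1..4."""
    groups = []
    for slot in range(1, 5):
        value = userdata.get(f"vlxuserdata{slot}")
        if not value:
            continue
        for tag in value.split(":"):  # ":" delimiter assigns several tags at once
            tag = tag.strip()
            if tag:
                groups.append(f"cn=ATTR{slot}-{tag},dc=internal")
    return groups


def resolve_groups(users=SAMPLE_USERS):
    """Map every sample user to the list of internal groups they would be assigned."""
    return {name: groups_for(apply_mapping(attrs)) for name, attrs in users.items()}


def policy_matches(user_groups, group_filter):
    """True if the user holds the group named by a User/group filter such as ATTR1-External."""
    return any(group == f"cn={group_filter},dc=internal" for group in user_groups)


if __name__ == "__main__":
    for name, groups in resolve_groups().items():
        print(name, groups)
```

Running the script prints, per sample user, the groups the mapping would produce; alice, for instance, ends up in ATTR1-External and ATTR2-partner.example, while carol's "zone1:zone2" value yields two separate ATTR1 groups. Note that a missing attribute or a non-matching regexp yields no group at all, which is the safe outcome: a policy filtered on ATTR1-External cannot accidentally match a user whose employeeType was never set.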