Assign user role based on group membership
In the LDAP configuration, it is possible to use multiple LDAP search bases; however, all users are assigned the same role. This feature would allow mapping a role assignment to each search base (or group membership, depending on the external auth service selected). Upon each login, the role would be updated to either the least-privileged or most-privileged role (based on a configurable option), if and when the user is added or moved to a different search base (or group) than when originally created. This would require checking all search bases on each login.
Thanks so much!
This seems reasonable and we do have an issue set up to track creating a UI for custom role mappings, but so far little time to dedicate to it: https://github.com/uhm-coe/authorizer/issues/75
That said, it is possible to do this right now via the authorizer_custom_role filter:
https://github.com/uhm-coe/authorizer/blob/master/readme.txt#L501-L518
I would suggest checking $user_data['ldap_attributes'][0]['dn'] to get the DN of the logging-in user, which should be of the form uid=username,ou=group,dc=example,dc=edu, so the search base should be contained in there. Then you can return a different role name based on which base it is.
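A worked version of that suggestion, added here as an example and not code from the Authorizer plugin. It assumes the filter receives ( $default_role, $user_data ) and that the DN sits at $user_data['ldap_attributes'][0]['dn'] as described above; the search-base-to-role map and the function names are hypothetical. It compares the normalized parent DN exactly against the map rather than doing a substring search, and falls back to the default role whenever the DN is missing or unrecognised.

```php
<?php
// Added example, not the plugin's own code. Assumes the authorizer_custom_role
// filter passes ( $default_role, $user_data ) and that LDAP logins expose the
// user's DN at $user_data['ldap_attributes'][0]['dn']. Requires ext/ldap.
add_filter( 'authorizer_custom_role', 'example_role_from_search_base', 10, 2 );

function example_role_from_search_base( $default_role, $user_data ) {
	// Hypothetical map of normalized search base => WordPress role.
	$base_to_role = array(
		'ou=students,dc=example,dc=edu' => 'subscriber',
		'ou=staff,dc=example,dc=edu'    => 'editor',
		'ou=itadmins,dc=example,dc=edu' => 'administrator',
	);

	if ( empty( $user_data['ldap_attributes'][0]['dn'] ) ) {
		// Non-LDAP login or attribute not returned: keep the plugin default.
		return $default_role;
	}

	$base = example_search_base_from_dn( $user_data['ldap_attributes'][0]['dn'] );
	if ( null === $base || ! isset( $base_to_role[ $base ] ) ) {
		// Unknown or malformed base: never guess a more privileged role.
		return $default_role;
	}
	return $base_to_role[ $base ];
}

/**
 * Drop the user's own RDN (e.g. uid=jdoe) and normalize the remaining DN so it
 * can be compared exactly against the configured bases. Exact comparison avoids
 * ou=admins accidentally matching ou=admins-guest. Returns null when the DN
 * cannot be parsed or has fewer than two components.
 */
function example_search_base_from_dn( $dn ) {
	$parts = ldap_explode_dn( $dn, 0 ); // handles escaped commas in values
	if ( false === $parts || $parts['count'] < 2 ) {
		return null;
	}
	unset( $parts['count'] );
	array_shift( $parts );
	$normalized = array();
	foreach ( $parts as $rdn ) {
		if ( false === strpos( $rdn, '=' ) ) {
			return null;
		}
		list( $attr, $value ) = array_map( 'trim', explode( '=', $rdn, 2 ) );
		$normalized[] = strtolower( $attr ) . '=' . strtolower( $value );
	}
	return implode( ',', $normalized );
}
```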