How "Derive from user DN" Works:
- Query for the user's LDAP entry, e.g.
  cn=verykool, ou=sysadmins, ou=it,dc=ad,dc=myuniversity,dc=edu
- The value of whichever attribute (e.g. ou) is listed in "Attribute of the DN which contains the role name" is added to the list of authorizations, e.g. "sysadmins" and "it".
- "Derive from user DN" does not support nested groups. Nesting has no meaning in this approach.
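
The steps above, as an added sketch in Python (not code from the product this page documents): it walks a DN and collects the values of the configured role attribute, honoring DN escaping so that a comma inside a value is not read as a new component. The function names and the second sample DN are constructed for illustration, and legacy double-quoted values are assumed not to occur.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])      # keep the escape pair intact for unescape()
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts

def unescape(value):
    """Decode backslash escapes: '\\,' style and two-digit hex such as '\\2C'."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            hx = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hx):
                out.append(int(hx, 16))
                i += 3
            else:
                out += value[i + 1].encode()
                i += 2
        else:
            out += value[i].encode()
            i += 1
    return out.decode("utf-8")

def roles_from_dn(dn, role_attr="ou"):
    """Return every value of role_attr found in the DN, leftmost first."""
    roles = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):      # multi-valued RDN, e.g. cn=x+ou=y
            attr, sep, raw = ava.lstrip().partition("=")
            # Attribute type names are case-insensitive: OU and ou are the same.
            if sep and attr.strip().lower() == role_attr.lower():
                roles.append(unescape(raw))
    return roles

PAGE_DN = "cn=verykool, ou=sysadmins, ou=it,dc=ad,dc=myuniversity,dc=edu"
# Constructed sample: an OU name containing an escaped comma, plus an upper-case type.
COMMA_DN = r"cn=jdoe,OU=Research\, Development,dc=ad,dc=myuniversity,dc=edu"
```

A plain `dn.split(",")` would cut the second sample's OU value in two, so the authorization name granted would not match the directory's actual OU name.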
What an LDAP directory that can use the "Derive from user DN" approach looks like:
This approach can be useful with any LDAP directory and is typically used alongside one of the other two approaches. While options II.B. and II.C. are designed for two different LDAP group models, "Derive from user DN" simply leverages user DN attributes such as "ou", which may map to authorizations.
Some other examples besides the "ou" attribute would be useful here.