Last updated March 24, 2012. Created on March 24, 2012.
Edited by johnbarclay.

How "Derive from user DN" Works:

  1. Query for the user's LDAP entry, e.g. cn=verykool, ou=sysadmins, ou=it,dc=ad,dc=myuniversity,dc=edu
  2. Whichever attribute (e.g. ou) is listed in "Attribute of the DN which contains the role name" will have its values added to the list of authorizations, e.g. "sysadmins" and "it".
  3. "Derive from user DN" does not support nested groups; nesting has no meaning in this approach.
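
The steps above, as an added Python example (not the Drupal LDAP module's own code): it splits the DN into RDNs using RFC 4514 escaping, so a comma or plus sign inside a value is not read as a new component, and collects every value of the chosen attribute. The function names are hypothetical; the sample DN is the one from step 1.

```python
import re

_ESCAPE = re.compile(r"((?:\\[0-9A-Fa-f]{2})+)|\\(.)", re.S)

def split_unescaped(text, sep):
    """Split text on sep, skipping separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair for unescape()
            i += 2
        elif text[i] == sep:
            parts.append("".join(current))
            current, i = [], i + 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts

def unescape(value):
    """Decode RFC 4514 escapes: runs of \\XX hex pairs (UTF-8) and \\<char>."""
    def repl(m):
        if m.group(1):
            return bytes.fromhex(m.group(1).replace("\\", "")).decode("utf-8", "replace")
        return m.group(2)
    return _ESCAPE.sub(repl, value)

def derive_authorizations(user_dn, role_attr="ou"):
    """Return every value of role_attr in user_dn, nearest the entry first."""
    roles = []
    for rdn in split_unescaped(user_dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN, e.g. cn=x+ou=y
            name, eq, value = ava.partition("=")
            if eq and name.strip().lower() == role_attr.lower():
                roles.append(unescape(value).strip())  # surrounding whitespace dropped
    return roles

if __name__ == "__main__":
    # DN taken from the page; every "ou" value becomes an authorization.
    dn = "cn=verykool, ou=sysadmins, ou=it,dc=ad,dc=myuniversity,dc=edu"
    print(derive_authorizations(dn))
```

The attribute name is matched case-insensitively, and values come back in DN order, so the first element is the component closest to the user entry.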

What an LDAP directory that can use the "Derive from user DN" approach looks like:

This can be useful in any LDAP directory and is typically used at the same time as one of the other two approaches. While options II.B. and II.C. are designed for two different LDAP group models, "Derive from user DN" simply leverages user DN attributes such as "ou", which may map to authorizations.

Some other examples besides the "ou" attribute would be useful here.


Mufanu’s picture

I have a DN like this:
cn=verykool, ou=sysadmins, ou=it,dc=ad,dc=myuniversity,dc=edu

And I want to set the user to the group sysadmins only.

Now it sets to it.

How can I do this?