setAttribute before session is initialized?

Support
#1

Hi,

we get the users AD groups in the LdapUserSynchronizationStrategy and need to use them later in the authorization of the user to assign the needed roles.
Because the session is not initialized when getting the AD groups, how to pass the values to the authorization later on.
We could manage that by adding a column to the user entity and use the synchronization mechanism like for FirstName, LastName… and read out from the user table later in the code.

Would there be another way to pass the values?

Regards
Roland

#3

Hi,

Because the session is not initialized when getting the AD groups

could you explain what session do you mean?

There is a mechanism that maps AD group names to Jmix roles. Currently, the mechanism finds AD group names (using the memberOf attribute) and searches for Jmix role with the same name. If found, the role is assigned to Jmix user. This AD role name → Jmix role name mapping may be customized by JmixLdapGrantedAuthoritiesMapper.

Authorities mapping happens here.

#4

the roleSynchronization works fine for resourceRoles… but cannot get it working for row-level roles.
We have i.e. AG group group1.
When I create a resourceRole named group1, it got synchronized.
But a row-level role also with the name group1 does not get mapped.
And I cannot see how to link a row-level group to a resourceRole.

Also tried only having a row-level role with name group1… it does not get mapped to the user based on the AD groups.

resourceRole works
row-level role not

#5

Currently, the roles mapper first tries to find a resource role with LDAP group name, and if it is not found then it tries to find a row-level role with this name. Unfortunately, the case when you want to map resource and row-level roles to the same LDAP group is not supported. We have an issue for this.

#6

Hi Maxim,

got it.
It would be OK, if only resource mapping to AD groups would work,
if we could add a row-level as a child to the resourceRole.