Up to now, the records for user account matching have been identified as follows:
1. Query the configured user group(s).
   1a. Query the group members (as List<String> = DNs).
2. Query the individual user records for these DNs.
   2a. A configurable LDAP query is applied within this query as an additional filter, excluding individual group member records from the user account comparison.
There are occasional discussions regarding step 1: either querying the user group(s) is not possible or not permitted, or it is not useful, because the user accounts should be identified by some criterion other than a group assignment.
Hence the following extension:
Up to now, explicitly configuring at least one user group has been mandatory, and it is evaluated as described above. If no user group is configured, this has so far been treated as a ConfigurationError.
With this extension, in that case (no user group configured) the already configurable LDAPQuery alone is used to determine the relevant records. It is then expected that this query identifies all records for the user account comparison completely and unambiguously.
Group memberships can be expressed in this query, as can other characteristics (attribute values, object classes, etc.).
This makes it possible to perform automatic user account matching without explicitly querying the user group(s), and it also makes it possible to identify the data records for user account matching using characteristics other than a group assignment.
This function is an add-on in the following sense:
- Previous configurations remain valid and this add-on does not affect their functionality.
- A previously invalid configuration "Specifying an LDAP query without specifying a user group" is now valid and leads to the sole evaluation of the specified query.
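The selection logic described above, as an added illustration that is not code from the project: a constructed in-memory directory stands in for the LDAP server, the query is reduced to a hypothetical attribute/value filter, and `query_only_allowed=False` reproduces the previous behaviour in which a missing user group is a ConfigurationError.

```python
# Constructed sample directory (DN -> attributes); not taken from any real server.
STAFF = "cn=staff,ou=groups,dc=example,dc=com"
DIRECTORY = {
    "cn=alice,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "memberOf": [STAFF], "employeeType": ["internal"]},
    "cn=bob,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "memberOf": [STAFF], "employeeType": ["external"]},
    "cn=carol,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "memberOf": [], "employeeType": ["internal"]},
    "cn=svc-backup,ou=people,dc=example,dc=com":
        {"objectClass": ["applicationProcess"], "memberOf": [STAFF], "employeeType": ["internal"]},
}
# Group -> member DNs (step 1a in the description).
GROUPS = {STAFF: [dn for dn, a in DIRECTORY.items() if STAFF in a["memberOf"]]}


class ConfigurationError(ValueError):
    pass


def matches(attrs, query):
    """Hypothetical stand-in for the LDAPQuery filter: every attribute must hold the value."""
    return all(value in attrs.get(attr, []) for attr, value in query.items())


def select_records(groups, query, query_only_allowed=True):
    """Return the DNs that enter the user account comparison.

    groups: configured group DNs (may be empty); query: attribute filter or None.
    query_only_allowed=False reproduces the previous behaviour (no group -> error).
    """
    if not groups:
        # A missing group is only acceptable with the extension AND a configured query.
        if not query_only_allowed or not query:
            raise ConfigurationError("no user group configured")
        # New behaviour: the query alone must select the records completely.
        return sorted(dn for dn, attrs in DIRECTORY.items() if matches(attrs, query))
    # Steps 1/1a: collect the members of the configured groups.
    members = {dn for g in groups for dn in GROUPS.get(g, [])}
    # Steps 2/2a: the query only narrows the member records further.
    return sorted(dn for dn in members if query is None or matches(DIRECTORY[dn], query))
```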
Test
No test