...

Group base entry
The location of group entries in the LDAP tree. Specific locations perform better than global ones.
e.g. "ou=groups,dc=example,dc=org"

Role query sub-tree
Whether group entries should be queried in the entire sub-tree of the group base entry (usually true).

Nested groups
Whether group entries can be nested in each other (usually true).

Group search filter
The search filter used to fetch the list of groups a user belongs to once the user has authenticated successfully.
The group search filter usually combines two conditions: it first filters entries on the "objectClass" attribute, then filters them on the authenticated user.
Group entries are usually identified by an "objectClass" of "group" or "groupOfUniqueNames".
The group entry attribute that contains its members is usually "member" or "uniquemember".
e.g. "(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"

Group name attribute name
The attribute of the group entry that contains the group name.
Group names are used to assign groups to Custom Roles defined in DPOD.
e.g. "cn"
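
Added example (not DPOD code and not part of the original page): filling in a group search filter template like the one above with RFC 4515 escaping, and showing how the "Nested groups" setting widens the set of group names a user resolves to. It assumes "{1}" is replaced with the authenticated user's DN; the entries, DNs and function names are constructed for illustration.

```python
# Filter template and name attribute as shown in the parameters above.
GROUP_FILTER = "(&(objectClass=groupOfUniqueNames)(uniqueMember={1}))"
NAME_ATTR = "cn"

# Constructed group entries under "ou=groups,dc=example,dc=org".
# "ops" and "admins" contain each other to exercise cycle handling.
BASE = "ou=groups,dc=example,dc=org"
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
GROUPS = {
    "cn=ops," + BASE: {"cn": "ops", "uniqueMember": [ALICE, "cn=admins," + BASE]},
    "cn=admins," + BASE: {"cn": "admins", "uniqueMember": ["cn=ops," + BASE]},
    "cn=viewers," + BASE: {"cn": "viewers", "uniqueMember": [BOB]},
}


def escape_filter_value(value):
    """Escape a value per RFC 4515 so it cannot change the filter structure."""
    special = "\\*()\x00"
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def build_group_filter(template, user_value):
    # Assumption: "{1}" stands for the authenticated user's DN.
    return template.replace("{1}", escape_filter_value(user_value))


def group_names_for(member_dn, nested=True):
    """Return the group names (NAME_ATTR) a member resolves to.

    With nested=True, a group found for the user is itself looked up as a
    member, so membership (and any role mapped to it) is inherited.
    """
    found = {}
    queue = [member_dn]
    while queue:
        current = queue.pop().lower()
        for dn, entry in GROUPS.items():
            members = [m.lower() for m in entry["uniqueMember"]]
            if current in members and dn not in found:
                found[dn] = entry[NAME_ATTR]
                if nested:
                    queue.append(dn)  # already-found groups are skipped above
    return sorted(found.values())


if __name__ == "__main__":
    print(build_group_filter(GROUP_FILTER, ALICE))
    print(group_names_for(ALICE, nested=True), group_names_for(ALICE, nested=False))
```

With nesting enabled, review which groups contain other groups before mapping any of them to a privileged Custom Role, since every nested member inherits that mapping.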

Built-in Roles

For security reasons, authenticated users are assigned built-in roles based on LDAP queries only.
This means, for example, that a user may be granted Administrator privileges only if the LDAP user repository is configured that way.

...