From a6bf2e8247271a5a25ea6cb548e29b90976be746 Mon Sep 17 00:00:00 2001 From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de> Date: Thu, 18 Jan 2018 16:35:54 +0100 Subject: [PATCH] Add a note about generating group mapping --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 50efd44..518d26e 100644 --- a/README.md +++ b/README.md @@ -73,10 +73,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame #### Groups and Permissions -To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command. Example: +To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command: group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de" +To generate a working mapping for `hshinfo` groups, use `ssoauth_group_mapping` management command in `syncds` (you can find one on the `sync` server). + *Groups are not mapped automatically. The reason is that automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.* -- GitLab
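Review bot: The added sentence about `ssoauth_group_mapping` sits directly above the note explaining that groups are deliberately not mapped automatically, yet it gives no guidance on reviewing what the generator produces. Consider adding that each generated entry should be checked against the expected full DN before it is passed to `group_mapping add`, otherwise a generated mapping can bring back the name-collision risk the italic paragraph warns about. The wording is also ambiguous. "You can find one on the `sync` server" does not say whether "one" means the command or a `syncds` installation, and the sentence does not say what form the output takes (ready-to-run `group_mapping add` lines or something else). A small grammar point: "use the `ssoauth_group_mapping` management command" and, in the changed line above it, "with the `group_mapping` management command".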