Commit a6bf2e82 authored by Art

Add a note about generating group mapping

parent c2a6f704
...@@ -73,10 +73,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame ...@@ -73,10 +73,12 @@ If you have `nginx` serving pages to users, you might need to configure `x-frame
#### Groups and Permissions #### Groups and Permissions
To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command. Example: To receive groups over SSO you need a group mapping (and of course a properly configured IdP). You can manage group mapping with `group_mapping` management command:
group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de" group_mapping add myproject_superusers "CN=MyProjectSuperusers,OU=Foo,OU=Bar,DC=fh-h,DC=de"
To generate a working mapping for `hshinfo` groups, use `ssoauth_group_mapping` management command in `syncds` (you can find one on the `sync` server).
*Groups are not mapped automatically. The reason is that automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.* *Groups are not mapped automatically. The reason is that automatic mapping can pose security risks. Imagine auto-mapping that expects group with name "Superusers"; an intruder could create new group with this name under any path they own and/or create an alias/reference and receive superuser permissions in your project.*
......
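Review bot: The added sentence about `ssoauth_group_mapping` names the command but does not say what it produces or how that output reaches this project, and "you can find one on the `sync` server" leaves it unclear whether "one" is a `syncds` installation or the command itself. Suggest stating whether the command emits ready-to-run `group_mapping add ...` lines or some other format, and adding a sentence that each generated DN should be checked before it is applied, because the italic paragraph directly below explains that mappings are kept manual so that a same-named group under another path is not trusted. The sentence also needs an article: "use the `ssoauth_group_mapping` management command".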