Managing user groups

Enabling the display of groups in blitz.conf

If Blitz Identity Provider is configured to work with user groups, the Groups section appears in the admin console.

To enable viewing of user groups, add the following settings block at blitz.prod.local.idp.groups:

"groups": {
  "profiles": [
    {
      "type": "mirror",
      "id": "orgs",
      "groupStore": "389ds",
      "attrsMap": {
        "name": "displayname"
      },
      "filter": "objectClass=group"
    }
  ],
  "stores": {
    "list": [
      {
        "type": "ldap_based",
        "id": "389ds",
        "desc": "Группы",
        "ldapStore": "389ds",
        "baseDN": "ou=external,ou=groups,dc=test",
        "searchScope": "SUB",
        "idAttrName": "cn",
        "membersAttrName": "uniqueMember",
        "memberOfAttrName": "memberOf",
        "newGroupAttrs": [
          {
            "attr": "objectclass",
            "format": "strings",
            "value": "top,groupOfUniqueNames,group"
          },
          {
            "attr": "dn",
            "format": "string",
            "value": "cn=${id},ou=external,ou=groups,dc=test"
          }
        ]
      }
    ]
  }
}

Specifics of settings:

  • profiles.groupStore, stores.list.id and stores.list.ldapStore must all be set to the identifier of the LDAP directory used to store users;

  • profiles.attrsMap and stores.list.idAttrName must refer to attributes of the group object class, e.g. name. The attributes may be named differently if desired; only LDAP attributes of type String are supported;

  • in stores.list.baseDN, check (and correct if necessary) the LDAP path under which organizations are stored. If the path is corrected, also adjust the "value": "cn=${id},ou=external,ou=groups,dc=test" setting accordingly.
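The three constraints above are easy to get wrong when the block is copied between environments. The following checker is an added example, not part of Blitz Identity Provider; it assumes the groups block has been extracted as plain JSON (blitz.conf itself is a HOCON file) and that the user directory identifier is known to the caller.

```python
import copy
import json

# Constructed sample: the "groups" block shown above, as JSON.
SAMPLE = json.loads("""
{ "profiles": [{"type": "mirror", "id": "orgs", "groupStore": "389ds",
                "attrsMap": {"name": "displayname"}, "filter": "objectClass=group"}],
  "stores": {"list": [{"type": "ldap_based", "id": "389ds", "ldapStore": "389ds",
                       "baseDN": "ou=external,ou=groups,dc=test", "searchScope": "SUB",
                       "idAttrName": "cn", "membersAttrName": "uniqueMember",
                       "memberOfAttrName": "memberOf",
                       "newGroupAttrs": [{"attr": "objectclass", "format": "strings",
                                          "value": "top,groupOfUniqueNames,group"},
                                         {"attr": "dn", "format": "string",
                                          "value": "cn=${id},ou=external,ou=groups,dc=test"}]}]}}
""")


def check_groups_config(groups, user_ldap_store_id):
    """Return a list of problems; an empty list means the block is consistent."""
    problems = []
    store_ids = {s["id"] for s in groups["stores"]["list"]}
    for p in groups["profiles"]:
        # Every profile must point at a store that is actually defined.
        if p["groupStore"] not in store_ids:
            problems.append(f"profile {p['id']}: groupStore {p['groupStore']!r} is not a defined store")
        if not p.get("attrsMap"):
            problems.append(f"profile {p['id']}: attrsMap is empty")
    for s in groups["stores"]["list"]:
        # Store id and ldapStore must both name the user directory.
        if s["id"] != user_ldap_store_id:
            problems.append(f"store {s['id']}: id differs from user directory {user_ldap_store_id!r}")
        if s["ldapStore"] != user_ldap_store_id:
            problems.append(f"store {s['id']}: ldapStore {s['ldapStore']!r} differs from user directory")
        # The new-group DN template must be built from idAttrName and baseDN.
        dn = next((a["value"] for a in s.get("newGroupAttrs", []) if a["attr"] == "dn"), None)
        expected = f"{s['idAttrName']}=${{id}},{s['baseDN']}"
        if dn != expected:
            problems.append(f"store {s['id']}: new-group dn template {dn!r} should be {expected!r}")
    return problems


def check_variant(**overrides):
    """Check a copy of SAMPLE with the given fields of the first store overridden."""
    variant = copy.deepcopy(SAMPLE)
    variant["stores"]["list"][0].update(overrides)
    return check_groups_config(variant, "389ds")


if __name__ == "__main__":
    print(check_groups_config(SAMPLE, "389ds"))
    print(check_variant(baseDN="ou=groups,dc=corp"))
```

Changing baseDN without updating the dn template is reported as one problem, which is exactly the mismatch the last bullet warns about.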

Working with groups

In the Groups section you can search for groups by one of the configured attributes, edit groups, create and delete groups, and manage user membership in groups.

For each group found, its attributes are displayed. In addition, the Group Members block lists all users included in the group. For each user the following is displayed:

  • user identifier;

  • user name - according to the template defined in the Data sources section (Username on console).


You can edit group attributes, delete a group, add users to a group using the link Add user…, remove a user from a group, and create new user groups using the link Create a group….