When a user logs in to Viewpoint and auto-provisioning is enabled, Viewpoint checks to see if the username already exists in the system. If the username does not exist, Viewpoint will try to authenticate the user against the configured LDAP server. If the user is authenticated successfully, the user is added to Viewpoint. Also, the user is automatically added to all of the roles specified in the "Automatically assign these roles" section of the LDAP admin portlet.
When the authentication is successful, Viewpoint will set the user's first name, last name, and email address based upon the values of the LDAP attributes configured in the LDAP admin portlet. These are typically attributes such as "givenName", "sn", and "mail".
Also, Viewpoint will perform any role mapping that is configured in the LDAP admin portlet. This will identify any of the specified LDAP groups of which the user is a member, and then assign the Viewpoint user to the mapped role. This can be done one of two ways:
If your company's LDAP is configured where each user has a list of "memberOf" values on his LDAP record, then use the "Attribute" type.
If your company's LDAP is configured where there are separate group entries in the LDAP, then use the "Group" type.
That's an overview of the LDAP authentication and authorization in Viewpoint. Hopefully that answers your question.
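As an added example (it is not Viewpoint's own code, and the configuration field names, the `LdapConfig`, `login` and `mapped_roles` helpers, and the sample directory entries are all assumptions for illustration), the following Python models the whole flow described above against a constructed in-memory directory standing in for the LDAP server: username check, LDAP authentication, creation of the user with the configured name and email attributes, the "Automatically assign these roles" roles, and role mapping by either the "Attribute" (memberOf) type or the "Group" (separate group entries) type. It also shows the caveat that picking the wrong type silently yields no mapped roles, since a user with no memberOf values simply matches nothing.

```python
# Added example, not Viewpoint's code: a model of LDAP auto-provisioning.
import hmac
from dataclasses import dataclass, field

USER_BASE = "ou=people,dc=example,dc=com"
GROUP_BASE = "ou=groups,dc=example,dc=com"
ADMINS = f"cn=admins,{GROUP_BASE}"
OPS = f"cn=ops,{GROUP_BASE}"

# Constructed sample entries (DN -> attributes), standing in for the LDAP
# server. alice carries memberOf on her own record; bob is only listed as a
# member of a separate group entry, so the two mapping types differ for him.
DIRECTORY = {
    f"uid=alice,{USER_BASE}": {
        "uid": "alice", "userPassword": "alice-pw", "givenName": "Alice",
        "sn": "Smith", "mail": "alice@example.com", "memberOf": [ADMINS],
    },
    f"uid=bob,{USER_BASE}": {
        "uid": "bob", "userPassword": "bob-pw", "givenName": "Bob",
        "sn": "Jones", "mail": "bob@example.com",
    },
    ADMINS: {"objectClass": ["groupOfNames"], "member": [f"uid=alice,{USER_BASE}"]},
    OPS: {"objectClass": ["groupOfNames"], "member": [f"uid=bob,{USER_BASE}"]},
}


@dataclass
class LdapConfig:
    """Stand-in for the settings of the LDAP admin portlet (field names assumed)."""
    first_name_attr: str = "givenName"
    last_name_attr: str = "sn"
    email_attr: str = "mail"
    auto_roles: tuple = ("User",)        # "Automatically assign these roles"
    mapping_type: str = "Attribute"      # "Attribute" or "Group"
    member_of_attr: str = "memberOf"     # read from the user entry (Attribute type)
    group_member_attr: str = "member"    # read from group entries (Group type)
    role_map: dict = field(default_factory=lambda: {ADMINS: "Administrator", OPS: "Operator"})


@dataclass
class ViewpointUser:
    username: str
    first_name: str
    last_name: str
    email: str
    roles: set


def find_user_dn(username):
    """Search the user base for the entry whose uid equals the login name."""
    for dn, attrs in DIRECTORY.items():
        if dn.endswith("," + USER_BASE) and attrs.get("uid") == username:
            return dn
    return None


def ldap_bind(dn, password):
    """Simple bind against the constructed directory. A real deployment would
    bind to the server instead; here a constant-time compare stands in."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)


def mapped_roles(cfg, dn, entry):
    """Resolve the user's LDAP groups by the configured type, then map each
    configured group DN to its Viewpoint role. Unmapped groups are ignored."""
    if cfg.mapping_type == "Attribute":
        groups = entry.get(cfg.member_of_attr, [])
    elif cfg.mapping_type == "Group":
        groups = [g for g, a in DIRECTORY.items()
                  if g.endswith("," + GROUP_BASE) and dn in a.get(cfg.group_member_attr, [])]
    else:
        raise ValueError(f"unknown mapping type {cfg.mapping_type!r}")
    return {cfg.role_map[g] for g in groups if g in cfg.role_map}


def login(cfg, users, username, password):
    """Auto-provisioning login. `users` is the Viewpoint user store (dict).
    Returns the ViewpointUser on success, None if authentication fails."""
    dn = find_user_dn(username)
    if dn is None or not ldap_bind(dn, password):
        return None                      # nothing is created on failure
    if username in users:
        # Assumption: an already-provisioned user is authenticated but not
        # re-provisioned, so auto roles and mappings are applied only once.
        return users[username]
    entry = DIRECTORY[dn]
    user = ViewpointUser(
        username=username,
        first_name=entry.get(cfg.first_name_attr, ""),
        last_name=entry.get(cfg.last_name_attr, ""),
        email=entry.get(cfg.email_attr, ""),
        roles=set(cfg.auto_roles) | mapped_roles(cfg, dn, entry),
    )
    users[username] = user
    return user


if __name__ == "__main__":
    store = {}
    print(login(LdapConfig(mapping_type="Attribute"), store, "alice", "alice-pw"))
    print(login(LdapConfig(mapping_type="Group"), store, "bob", "bob-pw"))
    # bob has no memberOf values, so the Attribute type leaves him with only the auto roles.
    print(login(LdapConfig(mapping_type="Attribute"), {}, "bob", "bob-pw").roles)
```

The last call in the usage block is the check worth running against your own directory before enabling auto-provisioning: if users land with nothing but the automatically assigned roles, the mapping type does not match how your LDAP records membership.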