When an LDAP/LDAPS authentication is successful, the Dominion KSX determines the permissions for a given user based on the permissions of the user's group. Your remote LDAP server can provide these user group names by returning an attribute named as follows:
rciusergroup |
attribute type: string |
This may require a schema extension on your LDAP/LDAPS server. Consult your authentication server administrator to enable this attribute.
In addition, for Microsoft Active Directory, the standard LDAP memberOf is used.