The LDAP connector currently handles LDAP groups in two different ways:
Static groups:
If your LDAP server has the memberOf overlay enabled, the connector automatically reads the memberof or ismemberof attribute of each user entry; the values of that attribute are mapped to the memberof field of the corresponding user in OneLogin.
Simply placing group entries in a particular OU is not enough for the connector: the memberOf overlay must be enabled on your LDAP server, the group entries must be of object class groupOfNames or posixGroup, and the user entries must carry the group value in an attribute named memberof, ismemberof or memberuid.
- If you're using groupOfNames, the connector expects one of two attributes: memberof or ismemberof
- If you're using posixGroup, the connector expects the attribute memberuid
Note: for static groups, the connector never reads the group entry itself to retrieve its members; it only reads the user entry and the attributes listed above. A group that lists a user in its member attribute is therefore not enough on its own; the user's own entry must carry the corresponding value.
Dynamic groups:
For dynamic groups, the connector supports entries with the groupOfURLs object class, which the LDAP server's dynlist overlay provides. In this case the connector does read the group entry: it takes the member attribute of each groupOfURLs entry (populated by the dynlist overlay from the group's memberURL) and matches the values against the dn of your users. The group is added to every user whose DN appears in the member attribute of the group.
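The following is an added example, not the connector's own code, that models the two resolution rules above on constructed directory entries. The DNs, attribute values and the `resolve_groups` helper are assumptions made for illustration; the sample data places memberUid on a user entry because the text states the connector reads group membership from user entries only. The user carol is deliberately listed in the member attribute of a groupOfNames entry without a matching memberOf value, to show that this is not picked up, while the groupOfURLs entry carries the member values a dynlist overlay would have expanded from its memberURL.

```python
"""Added example: static vs dynamic LDAP group resolution as described on this page.
Constructed sample entries, not OneLogin code."""

# Attributes the connector reads from the USER entry for static groups.
# LDAP attribute types are case-insensitive, so compare lower-cased names.
STATIC_GROUP_ATTRS = ("memberof", "ismemberof", "memberuid")


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: lower-case and strip whitespace around RDNs.
    (Illustrative only; a full implementation would use an RFC 4514 parser.)"""
    return ",".join(part.strip().lower() for part in dn.split(","))


def static_groups(user_entry: dict) -> list:
    """Static rule: collect memberof/ismemberof/memberuid values from the user entry.
    The group entries are never consulted here."""
    found = []
    for attr, values in user_entry.items():
        if attr.lower() in STATIC_GROUP_ATTRS:
            found.extend(values)
    return found


def dynamic_groups(user_dn: str, group_entries: dict) -> list:
    """Dynamic rule: return DNs of groupOfURLs entries whose member attribute
    (expanded by the dynlist overlay) contains user_dn."""
    target = norm_dn(user_dn)
    matched = []
    for group_dn, entry in group_entries.items():
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if "groupofurls" not in classes:
            continue  # groupOfNames/posixGroup entries are NOT read for membership
        members = {norm_dn(m) for m in entry.get("member", [])}
        if target in members:
            matched.append(group_dn)
    return matched


def resolve_groups(user_dn: str, user_entry: dict, group_entries: dict) -> list:
    """Value that would end up in the OneLogin user's memberof field (hypothetical helper)."""
    return sorted(set(static_groups(user_entry)) | set(dynamic_groups(user_dn, group_entries)))


# Constructed sample directory (not real data).
BASE = "dc=example,dc=com"
DEVS = f"cn=devs,ou=groups,{BASE}"
EVERYONE = f"cn=everyone,ou=groups,{BASE}"
ALICE = f"uid=alice,ou=people,{BASE}"
BOB = f"uid=bob,ou=people,{BASE}"
CAROL = f"uid=carol,ou=people,{BASE}"

USERS = {
    # memberOf maintained by the memberOf overlay -> static group
    ALICE: {"objectClass": ["inetOrgPerson"], "memberOf": [DEVS]},
    # posixGroup case as the page describes it: memberuid on the user entry
    BOB: {"objectClass": ["inetOrgPerson", "posixAccount"], "memberUid": ["wheel"]},
    # no membership attribute at all
    CAROL: {"objectClass": ["inetOrgPerson"]},
}

GROUPS = {
    # static group; lists carol, but carol's entry has no memberOf, so it is ignored for her
    DEVS: {"objectClass": ["groupOfNames"], "member": [ALICE, CAROL]},
    # dynamic group; member values are what the dynlist overlay would expand from memberURL
    EVERYONE: {
        "objectClass": ["groupOfURLs"],
        "memberURL": [f"ldap:///ou=people,{BASE}??sub?(objectClass=inetOrgPerson)"],
        "member": [ALICE, BOB, CAROL],
    },
}

if __name__ == "__main__":
    for dn, entry in USERS.items():
        print(dn, "->", resolve_groups(dn, entry, GROUPS))
```

Running the block prints one line per user: alice gets both devs and everyone, bob gets everyone plus the raw memberUid value wheel, and carol gets only everyone even though the devs entry lists her, which is exactly the caveat in the static-groups note.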