- The first possible mistake is in selecting the mapping strategy in the LDAP group settings.
Static: Group objects are aware of their members, but the users are not aware of the groups they belong to. This means the group members are defined when the group is created. The group has a multi-value attribute called "member" or "uniquemember" in its definition, which contains the user DNs of the group members.
Dynamic: User objects are aware of the groups they belong to, but the group objects are not aware of their members. This means the groups a user belongs to are defined when the user is created. The user has a multi-value attribute called "memberOf" in its definition, which contains the group DNs of the groups the user is a member of.
Active Directory groups can be imported using either a Static mapping strategy or a Dynamic one (Active Directory works for both). However, some LDAP servers support only static groups.
- The second reason is selecting the wrong attributes while configuring the LDAP group settings.
For example, the following attributes need to be selected for the LDAP group settings:
- Group Member Attribute - For static, the common values are uniqueMember, member, etc. However, for dynamic, the value may be memberOf.
- Group Name attribute - cn
- Filter - This defines the objectClass attribute of the particular group. Commonly, it can be (objectClass=groupOfNames), (objectClass=group), (objectClass=posixGroup), (objectClass=groupOfUniqueNames), etc.
Please note that when the Group Member Attribute is not correct, members won't be added automatically to the group. If the objectClass or the "Group Name attribute" is defined incorrectly, you will also not be able to search for and sync the LDAP group in Artifactory.
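Both mistakes can be caught before saving the settings by comparing them with a real group entry and a real user entry exported from the directory. The following is an added example, not Artifactory code: the LDIF is constructed sample data, the function and parameter names are illustrative, and only simple (objectClass=X) filters are handled.

```python
import re

# Constructed sample data: one static group and one user, OpenLDAP style.
SAMPLE_LDIF = """\
dn: cn=devs,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: devs
member: uid=alice,ou=people,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
"""

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into a list of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        entries.append(attrs)
    return entries

def check_group_settings(entries, strategy, member_attr, name_attr, group_filter):
    """Return the problems found; an empty list means the settings fit the data.
    Parameter names are illustrative; only (objectClass=X) filters are handled."""
    m = re.fullmatch(r"\(objectClass=(\w+)\)", group_filter, re.I)
    wanted = m.group(1).lower() if m else None
    groups = [e for e in entries
              if wanted in [v.lower() for v in e.get("objectclass", [])]]
    if not groups:
        return [f"filter {group_filter} matches no entry, groups cannot be found or synced"]
    problems = []
    if not all(name_attr.lower() in g for g in groups):
        problems.append(f"name attribute '{name_attr}' is missing on matched groups")
    # Static: membership is stored on the group. Dynamic: on the user entry.
    if strategy == "static":
        holders, where = groups, "group"
    else:
        holders, where = [e for e in entries if e not in groups], "user"
    if not any(member_attr.lower() in h for h in holders):
        problems.append(f"{strategy}: no {where} entry has '{member_attr}', "
                        "members will not be added to the group")
    return problems

if __name__ == "__main__":
    data = parse_ldif(SAMPLE_LDIF)
    print(check_group_settings(data, "static", "member", "cn", "(objectClass=groupOfNames)"))
    print(check_group_settings(data, "dynamic", "memberOf", "cn", "(objectClass=groupOfNames)"))
```

With this sample directory the static settings pass, while the dynamic strategy is reported as a problem because the user entry carries no memberOf attribute.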