LDAP Group Synchronization Strategies

JFrog Platform Administration Documentation


The JFrog Platform Deployment (JPD) supports the following ways of mapping groups to LDAP schemas:

  • Static: Group objects are aware of their members; however, the users are not aware of the groups they belong to.

    Each group object, such as groupOfNames or groupOfUniqueNames, holds its respective member attribute, typically member or uniqueMember, whose value is a user DN.

  • Dynamic: User objects are aware of what groups they belong to, but the group objects are not aware of their members.

    Each user object contains a custom attribute, such as group, that holds the group DNs or group names of which the user is a member.

  • Hierarchy: The user's DN is indicative of the groups the user belongs to, because group names are used as part of the user DN hierarchy.

    Each user DN contains a list of ou components or custom attributes that make up the group association.

    For example,

    uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org indicates that user1 belongs to two groups: uk and developers.
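
The three strategies applied to the same user, as an added example that is not JFrog's code: the DIRECTORY entries, the group attribute values and all function names are constructed for illustration, and the resolution logic is an assumption about how each strategy reads membership, based only on the descriptions above.

```python
import re

# Constructed sample entries (DN -> attributes); not taken from a real directory.
USER1 = "uid=user1,ou=developers,ou=uk,dc=jfrog,dc=org"
DIRECTORY = {
    "cn=developers,ou=groups,dc=jfrog,dc=org": {"member": [USER1]},
    "cn=qa,ou=groups,dc=jfrog,dc=org": {
        "uniqueMember": ["uid=user2,ou=qa,ou=uk,dc=jfrog,dc=org"]},
    USER1: {"group": ["cn=developers,ou=groups,dc=jfrog,dc=org"]},
}

def split_dn(dn):
    """Split a DN into (attribute, value) pairs; backslash-escaped commas stay in the value."""
    return [tuple(p.strip() for p in rdn.split("=", 1))
            for rdn in re.split(r"(?<!\\),", dn)]

def norm(dn):
    """Lower-cased, whitespace-trimmed form for comparing DNs."""
    return ",".join(f"{k}={v}".lower() for k, v in split_dn(dn))

def static_groups(user_dn, member_attrs=("member", "uniqueMember")):
    """Static: the group object lists its members; the user entry is never read."""
    return sorted(
        split_dn(group_dn)[0][1]
        for group_dn, attrs in DIRECTORY.items()
        for attr in member_attrs
        if norm(user_dn) in map(norm, attrs.get(attr, [])))

def dynamic_groups(user_dn, group_attr="group"):
    """Dynamic: the user entry lists its groups, as group DNs or plain names."""
    for dn, attrs in DIRECTORY.items():
        if norm(dn) == norm(user_dn):
            return sorted(split_dn(v)[0][1] if "=" in v else v
                          for v in attrs.get(group_attr, []))
    return []

def hierarchy_groups(user_dn, key="ou"):
    """Hierarchy: every `key` component of the user DN names a group."""
    return [v for k, v in split_dn(user_dn) if k.lower() == key]

if __name__ == "__main__":
    for strategy in (static_groups, dynamic_groups, hierarchy_groups):
        print(strategy.__name__, strategy(USER1))
```

Each strategy trusts a different part of the directory for membership: the group entries, an attribute on the user entry, or the user DN itself.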

Using OpenLDAP

From Artifactory version 7.37.17, the Dynamic strategy is supported.

Prior to Artifactory version 7.37.17, when using OpenLDAP, you can't apply the Dynamic strategy because the memberOf attribute is not defined by default (memberOf is an overlay), so JPD would not be able to fetch it from the LDAP server.