
Assign user role based on group membership #125

Open
nyulawbrian opened this issue Feb 11, 2023 · 1 comment

@nyulawbrian

In the LDAP configuration, it is possible to use multiple LDAP search bases, however all users are assigned the same role. This feature would allow mapping a role assignment to each search base (or group membership, depending on the external auth service selected). Upon each login, the role would be updated to either the least-privileged or most-privileged role (based on a configurable option), if and when the user is added or moved to a different search base (or group) than when originally created. This would require checking all search bases on each login.

Thanks so much!

@figureone
Member

This seems reasonable and we do have an issue set up to track creating a UI for custom role mappings, but so far little time to dedicate to it:
#75

That said, it is possible to do this right now via the authorizer_custom_role filter:
https://github.com/uhm-coe/authorizer/blob/master/readme.txt#L501-L518

I would suggest checking $user_data['ldap_attributes'][0]['dn'] to get the DN of the user logging in, which should be of the form uid=username,ou=group,dc=example,dc=edu, so the search base should be contained in there. Then you can return a different role name based on which base it is.
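A worked version of the filter approach described above, added here as an example and not code from the plugin or from either commenter. It assumes the authorizer_custom_role callback receives the default role and the $user_data array (as in the readme example linked above), and the search bases ou=staff and ou=students are hypothetical; the DN's parent is compared exactly rather than by substring so that a uid value containing text like "ou=staff" cannot pick up the wrong role.

```php
<?php
/**
 * Map the LDAP search base of the authenticating user to a WordPress role.
 * Added example; assumes the filter passes ( $default_role, $user_data ).
 */

/** Hypothetical search base => role mapping (assumed values). */
function my_ldap_base_role_map() {
	return array(
		'ou=staff,dc=example,dc=edu'    => 'editor',
		'ou=students,dc=example,dc=edu' => 'subscriber',
	);
}

/**
 * Resolve a role from a DN by matching everything after the first RDN
 * (the parent, i.e. the search base) exactly and case-insensitively.
 * Returns null when the DN is missing or sits under no configured base.
 * Note: an escaped comma (\,) inside the first RDN is not handled here.
 */
function my_role_for_dn( $dn, $map ) {
	if ( ! is_string( $dn ) || '' === $dn ) {
		return null;
	}
	$parts = explode( ',', $dn, 2 ); // e.g. [ 'uid=jdoe', 'ou=staff,dc=example,dc=edu' ]
	if ( count( $parts ) < 2 ) {
		return null;
	}
	// Normalise spacing around commas and case before comparing.
	$parent = strtolower( preg_replace( '/\s*,\s*/', ',', trim( $parts[1] ) ) );
	foreach ( $map as $base => $role ) {
		if ( strtolower( $base ) === $parent ) {
			return $role;
		}
	}
	return null;
}

/**
 * Filter callback: pick the role from the DN; when nothing matches, keep
 * the plugin's default role rather than guessing a more privileged one.
 */
function my_authorizer_custom_role( $default_role, $user_data ) {
	$dn   = isset( $user_data['ldap_attributes'][0]['dn'] ) ? $user_data['ldap_attributes'][0]['dn'] : '';
	$role = my_role_for_dn( $dn, my_ldap_base_role_map() );
	return null === $role ? $default_role : $role;
}
add_filter( 'authorizer_custom_role', 'my_authorizer_custom_role', 10, 2 );
```

Because the callback runs on every login, a user moved to a different search base gets the new role on their next sign-in without any manual change.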
