Mapping to Multiple Organizations

Specify the following information in the ldapExternalTenantProcessor bean to map the RDN of the user to a hierarchy of organizations in JasperReports Server:

excludeRootDn property – Whether the base DN, also called root DN, should be mapped along with the RDN. For example, if the property list for organizationRDNs contains dc and you do not exclude the base DN of dc=example,dc=com, the base DN maps to the following: the organization ID example nested inside the organization ID com nested inside the specified root organization. The base DN is part of the LDAP URL specified in Setting the LDAP Connection Parameters.
organizationRDNs property – A list of attribute names that determines which RDN values should be mapped to organization names. The names in this list determine the RDNs that create a hierarchy of organizations in JasperReports Server. For example, if you specify the value ou, each RDN with ou=<name> creates a level in the hierarchy of mapped organizations. If this list is blank or none of the attributes match the RDN of the user entry, the defaultOrganization property determines the organization name.
rootOrganizationId property – The ID of an organization under which any mapped organizations are created as sub-organizations. If the root organization ID is absent or blank (""), the server creates the organization(s) mapped in organizationRDNs as children of the default organization shipped with JasperReports Server.
defaultOrganization property (optional) – The ID of an organization assigned to users that would otherwise be mapped to a null organization ID.

If excludeRootDn = true, defaultOrganization = "" or is absent, and no organizationRDNs match in the DN of the user, then the user will have a null organization ID. The null organization ID is usually reserved for special users such as the system administrator, and it allows access to the repository folders of all other organizations. To avoid this mapping, specify a value for defaultOrganization or ensure that every user has one of the organizationRDNs.

The following example shows the syntax of the ldapExternalTenantProcessor bean and its properties:

<bean id="ldapExternalTenantProcessor" class="com.jaspersoft.jasperserver.multipleTenancy.security.externalAuth.processors.ldap.LdapExternalTenantProcessor" parent="abstractExternalProcessor">
  <property name="ldapContextSource" ref="ldapContextSource" />
  <property name="multiTenancyService">
    <ref bean="internalMultiTenancyService"/>
  </property>
  <property name="excludeRootDn" value="false"/>
  <!-- only following RDNs matter in creating the organization hierarchy -->
  <property name="organizationRDNs">
    <list>
      <value>o</value>
      <value>ou</value>
    </list>
  </property>
  <property name="rootOrganizationId" value=""/>
  <property name="defaultOrganization" value="unassigned"/>
</bean>

For example, given the ldapExternalTenantProcessor bean configuration above, an LDAP user with the DN uid=jack,ou=audit,ou=finance,dc=example,dc=com is placed in an organization named audit, which is a child of an organization named finance, which in turn is a child of organization_1. This example illustrates that it is not possible to map only one of the two RDN components if they have the same attribute. In other words, the mapping mechanism does not let you choose to create only the audit or the finance organization; both are created if you specify ou in the list of organizationRDNs.
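
The following added example (not JasperReports Server code) models the mapping rules described above so that a list of user DNs can be checked for entries that would receive a null organization ID. The function names, the treatment of the base DN as a suffix to drop, the evaluation of every DN component, and the second sample DN are assumptions made for illustration; multi-valued RDNs are not handled.

```python
import re

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas
        attr, _, value = part.partition("=")
        if attr.strip():
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def map_organizations(dn, base_dn, organization_rdns, exclude_root_dn,
                      default_organization=""):
    """Return organization IDs top-most first (below the root organization),
    [default_organization] when nothing matches, or None for a null ID."""
    rdns, base = split_dn(dn), split_dn(base_dn)
    fold = lambda pairs: [(a, v.lower()) for a, v in pairs]
    # Assumption: excluding the base DN means dropping it as a suffix.
    if exclude_root_dn and base and fold(rdns[-len(base):]) == fold(base):
        rdns = rdns[:-len(base)]
    wanted = {a.lower() for a in organization_rdns}
    matched = [value for attr, value in rdns if attr in wanted]
    if matched:
        return matched[::-1]  # rightmost RDN is the outermost organization
    return [default_organization] if default_organization else None

def null_org_users(dns, **config):
    """DNs that would be mapped to the null organization ID."""
    return [dn for dn in dns if map_organizations(dn, **config) is None]

# Constructed sample DNs; the first is the page's example user.
SAMPLE_DNS = [
    "uid=jack,ou=audit,ou=finance, dc=example,dc=com",
    "uid=svc-report,dc=example,dc=com",
]
# Values from the bean shown above, then the combination the page warns about.
PAGE_CONFIG = dict(base_dn="dc=example,dc=com", organization_rdns=["o", "ou"],
                   exclude_root_dn=False, default_organization="unassigned")
RISKY_CONFIG = dict(PAGE_CONFIG, exclude_root_dn=True, default_organization="")

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", map_organizations(dn, **PAGE_CONFIG))
    print("null organization ID:", null_org_users(SAMPLE_DNS, **RISKY_CONFIG))
```

Running the same check against an export of real user DNs before changing excludeRootDn, organizationRDNs, or defaultOrganization shows which accounts would fall through to the null organization ID.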

By default, the sample-applicationContext-externalAuth-LDAP-mt.xml file maps users to multiple organizations. If you wish to map all users to a single organization, see Mapping to a Single Organization.
