For setting up an LDAP directory with Active Directory (AD), we recommend the following procedure:
First, create a separate Organizational Unit (OU) for the VIMP groups within the LDAP directory, containing only the VIMP LDAP groups. Next, set the value of LDAP base group (ldap_base_group) to this OU. The form in the VIMP backend that assigns LDAP groups to VIMP roles will then only show those groups, e.g.:
ou=vimp,dc=subdomain,dc=domain,dc=tld
To prevent every user of the LDAP directory from being able to sign in to VIMP, it is recommended to create a new LDAP group and assign only the permitted users to it. By setting the value of LDAP user filter (ldap_user_filter) accordingly, only members of this group will be found, e.g.:
(&(objectClass=user)(memberOf=cn=vimpusers,ou=vimp,dc=subdomain,dc=domain,dc=tld))
Of course you can also assign already existing groups of the OU to VIMP roles. This saves you one additional group, but in that case the value of LDAP user filter (ldap_user_filter) has to be adapted to match all of those groups, e.g.:
(&(objectClass=user)(|(memberOf=cn=vimpadmins,ou=vimp,dc=subdomain,dc=domain,dc=tld)(memberOf=cn=vimpmods,ou=vimp,dc=subdomain,dc=domain,dc=tld)(memberOf=cn=vimpusers,ou=vimp,dc=subdomain,dc=domain,dc=tld)))
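The following added example (not part of the VIMP documentation or product) generates the ldap_user_filter value described above from the OU and a list of group names, escaping them per RFC 4515 so that a group name containing filter metacharacters cannot break or widen the filter. It assumes every VIMP group DN has the form cn=<group>,<ldap_base_group>; the function and entry names are hypothetical.

```python
from typing import Iterable

# Characters that RFC 4515 requires to be escaped inside a filter
# assertion value; each becomes a backslash followed by two hex digits.
_RESERVED = '\\*()\x00'


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in _RESERVED else ch for ch in value)


def build_user_filter(base_group: str, groups: Iterable[str]) -> str:
    """Return an ldap_user_filter matching users in any of `groups`.

    base_group is the ldap_base_group OU; each group DN is assumed to be
    cn=<group>,<base_group> (hypothetical convention for this example).
    """
    names = list(groups)
    if not names:
        raise ValueError('at least one group is required')
    clauses = ['(memberOf=%s)' % escape_filter_value('cn=%s,%s' % (g, base_group))
               for g in names]
    # A single group needs no OR; several groups are combined with (|...).
    member_part = clauses[0] if len(clauses) == 1 else '(|%s)' % ''.join(clauses)
    return '(&(objectClass=user)%s)' % member_part


def user_matches(entry: dict, base_group: str, groups: Iterable[str]) -> bool:
    """Evaluate the same condition the filter expresses against one entry.

    `entry` is a constructed dict of attribute lists standing in for an AD
    object; a real directory search evaluates the filter server-side.
    DNs are compared case-insensitively, as AD does.
    """
    wanted = {('cn=%s,%s' % (g, base_group)).lower() for g in groups}
    classes = {c.lower() for c in entry.get('objectClass', [])}
    member_of = {dn.lower() for dn in entry.get('memberOf', [])}
    return 'user' in classes and bool(wanted & member_of)
```

Note that AD does not list a user's primary group (Domain Users by default) in memberOf, so a memberOf-based filter only works for groups that users are explicitly added to.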