
PluginRole Configuration

The Plugin Role Config is used to define roles in GoCD and map them to LDAP/AD groups. LDAP/AD groups can be mapped to GoCD roles using either the combination of UserGroupMembershipAttribute & GroupIdentifiers or the combination of GroupMembershipFilter & GroupSearchBases. In order to create a plugin role, you have to create an authorization configuration first.

  1. Log in to the GoCD server as admin and navigate to Admin > Security > Role Configuration.
  2. Click Add Role to create a new role configuration.
  3. For the role type, select Plugin Role.
  4. Specify a role name.
  5. For Auth Config Id, select the authorization config you created earlier. For instance, it might show up as my-ldap (LDAP Authorization Plugin for GoCD) if the ID you provided was my-ldap.

Map Roles Using Group Membership Attribute On User

This allows you to define a role that is assigned to the logged-in user only if the user's LDAP/AD record carries the attribute named by UserGroupMembershipAttribute (for example memberOf) with a value matching one of the configured GroupIdentifiers.

Map Roles Using Group Membership Filter

Miscellaneous

You can also create a plugin role by configuring both GroupMembershipAttribute and GroupMembershipFilter. In that case:

  * The plugin makes the role assignment based on GroupMembershipAttribute first.
  * If the role is not assigned to the user via GroupMembershipAttribute, the plugin then evaluates GroupMembershipFilter to assign the role.

See Scenario 7 in examples section for more information.

Example role configuration

Plugin role configuration

Alternatively, the configuration can be added directly to the GoCD config XML using the <pluginRole> tag. It should be placed under <roles/> inside <security>, as in the following example. Note that each authConfigId must match the id of an existing <authConfig>:

<security>
  <authConfigs>
    <authConfig id="my-ldap" pluginId="com.thoughtworks.gocd.authorization.ldap">
      ...
    </authConfig>
  </authConfigs>
  <roles>
    <!-- Mapped via attribute on the user entry: memberOf must contain the group DN -->
    <pluginRole name="go-admins" authConfigId="my-ldap">
      <property>
        <key>UserGroupMembershipAttribute</key>
        <value>memberOf</value>
      </property>
      <property>
        <key>GroupIdentifiers</key>
        <value>CN=GoAdmins,OU=Groups,OU=Enterprise,OU=Principal,DC=corporate,DC=example,DC=com</value>
      </property>
    </pluginRole>
    <!-- Mapped via a group search: the filter is evaluated under each search base -->
    <pluginRole name="view_user" authConfigId="my-ldap">
      <property>
        <key>GroupSearchBases</key>
        <value>
          OU=Group-1,OU=Enterprise,OU=Principal,DC=corporate,DC=example,DC=com
          OU=Group-2,OU=Enterprise,OU=Principal,DC=corporate,DC=example,DC=com
        </value>
      </property>
      <property>
        <key>GroupMembershipFilter</key>
        <value>(|(member={dn}) (uniqueMember=name={name}) (memberUid=uid={uid}))</value>
      </property>
    </pluginRole>
  </roles>
</security>
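A misconfigured pluginRole (an authConfigId that matches no authConfig, or only one half of a property pairing) silently fails to grant the role. The following is an added example, not part of the GoCD LDAP plugin, that lints a <security> fragment against the two rules stated above; the embedded XML is a constructed sample, not a real configuration.

```python
"""Lint a GoCD <security> fragment for the pluginRole rules described on this page."""
import xml.etree.ElementTree as ET

# The two valid property pairings for an LDAP-backed pluginRole.
ATTRIBUTE_PAIR = {"UserGroupMembershipAttribute", "GroupIdentifiers"}
FILTER_PAIR = {"GroupMembershipFilter", "GroupSearchBases"}

# Constructed sample: go-admins is consistent; view_user references an unknown
# authConfig and sets GroupMembershipFilter without GroupSearchBases.
SAMPLE = """<security>
  <authConfigs>
    <authConfig id="my-ldap" pluginId="com.thoughtworks.gocd.authorization.ldap"/>
  </authConfigs>
  <roles>
    <pluginRole name="go-admins" authConfigId="my-ldap">
      <property><key>UserGroupMembershipAttribute</key><value>memberOf</value></property>
      <property><key>GroupIdentifiers</key><value>CN=GoAdmins,OU=Groups,DC=example,DC=com</value></property>
    </pluginRole>
    <pluginRole name="view_user" authConfigId="tw-ldap">
      <property><key>GroupMembershipFilter</key><value>(member={dn})</value></property>
    </pluginRole>
  </roles>
</security>"""


def role_properties(role):
    """Return {key: value} for the <property> children of a <pluginRole>."""
    return {
        (p.findtext("key") or "").strip(): (p.findtext("value") or "").strip()
        for p in role.findall("property")
    }


def lint_security(xml_text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    root = ET.fromstring(xml_text)
    auth_ids = {a.get("id") for a in root.iter("authConfig")}
    problems = []
    for role in root.iter("pluginRole"):
        name, ref = role.get("name", "<unnamed>"), role.get("authConfigId")
        if ref not in auth_ids:
            problems.append(f"{name}: authConfigId '{ref}' matches no <authConfig id>")
        keys = set(role_properties(role))
        if ATTRIBUTE_PAIR <= keys or FILTER_PAIR <= keys:
            continue  # at least one complete mapping is present
        for pair in (ATTRIBUTE_PAIR, FILTER_PAIR):
            if pair & keys:  # one half of a pairing without the other
                problems.append(f"{name}: {sorted(pair & keys)} set without {sorted(pair - keys)}")
        if not keys & (ATTRIBUTE_PAIR | FILTER_PAIR):
            problems.append(f"{name}: no group mapping properties configured")
    return problems


if __name__ == "__main__":
    print("\n".join(lint_security(SAMPLE)) or "OK")
```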