I use LDAP to map users via AD groups to policies. Now I created a policy that grants some list and read permissions that I want to give every user. Unfortunately I don’t have an AD group with every user that I can use for mapping.
Therefore I want to ask if there is anything like a wildcard for groups, so that I have a group file which is called “*.group” with the policy “allusers”?
I haven’t tried it but it looks like you can apply a policy to all tokens from within the LDAP auth method via the token_policies parameter in the auth method config.
Alternatively you could leverage Identity Groups by creating an Internal group called “allusers”, or similar, and creating an External group & alias for all the LDAP groups you create roles for. The External groups would be added as members to the “allusers” group. You can then tie the policy for all users to the “allusers” group.
Hopefully this makes sense. Let me know if you need any more explanation.
I do this, and it works well. It is probably your best choice here.
Your other option is to add additional content to the automatically created default policy, which is automatically added to all tokens unless separately opted out of (using the no_default_policy option on the API or auth method creating the token). This is a good choice for policy you want to apply to literally everything, even across multiple auth methods.
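Both approaches from the two answers above, written out as an added Terraform example using the Vault provider (not code from the thread or from HashiCorp). It assumes an LDAP auth method mounted at "ldap", a read/list-only policy named "allusers", and a single AD group "vault-admins" standing in for the groups you already map; the LDAP URL, DNs and group names are placeholders.

```hcl
# The read/list-only policy every LDAP user should receive.
resource "vault_policy" "allusers" {
  name   = "allusers"
  policy = <<-EOT
    path "secret/metadata/shared/*" { capabilities = ["list"] }
    path "secret/data/shared/*"     { capabilities = ["read"] }
  EOT
}

# Option 1 (first answer): token_policies on the auth method config.
# Every token this mount issues carries "allusers", regardless of AD group.
# Scope caveat: it covers tokens from this mount only, not other auth methods.
resource "vault_ldap_auth_backend" "ldap" {
  path           = "ldap"
  url            = "ldaps://ad.example.internal"        # placeholder
  userdn         = "OU=Users,DC=example,DC=internal"    # placeholder
  groupdn        = "OU=Groups,DC=example,DC=internal"   # placeholder
  token_policies = [vault_policy.allusers.name]
}

# An existing AD-group -> policy mapping of the kind the question describes.
resource "vault_ldap_auth_backend_group" "admins" {
  backend   = vault_ldap_auth_backend.ldap.path
  groupname = "vault-admins"                            # placeholder AD group
  policies  = ["admins"]
}

# Option 2 (second answer): identity groups. One internal group carries the
# policy; each mapped AD group gets an external group plus an alias on the
# LDAP mount and is made a member of the internal group. Because this is
# bound to the entity, it follows the user across auth methods.
resource "vault_identity_group" "allusers" {
  name             = "allusers"
  type             = "internal"
  policies         = [vault_policy.allusers.name]
  member_group_ids = [vault_identity_group.ldap_admins.id]
}

resource "vault_identity_group" "ldap_admins" {
  name = "ldap-vault-admins"
  type = "external"
}

# The alias name must match the group name exactly as the LDAP auth method
# returns it, or membership will never resolve at login.
resource "vault_identity_group_alias" "ldap_admins" {
  name           = "vault-admins"                       # placeholder AD group
  mount_accessor = vault_ldap_auth_backend.ldap.accessor
  canonical_id   = vault_identity_group.ldap_admins.id
}
```

After login, `vault token lookup` on a user's token should list "allusers" under policies (option 1) or under identity_policies (option 2), which is the quickest way to confirm which path granted it.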
I tried the token_policies parameter in my ldap config and it works fine. Thank you for your support.