Roles mapped to individual users from Backend roles

I have a requirement to be able to grant access to a user defined role where that access is defined as an individual user from within an existing LDAP backend role.

So, to give an example:

I have a test role and that is mapped to a backend role called my_LDAP_Group1. Users user1, user2 and user3 are members of that LDAP group.

I want to be able to allow only user1 from within that LDAP group access to the test role.

I am not able to create a second LDAP group with only that user as a member.

I have tried to add the username of user1 as a mapped user, but that does not appear to work, in that the role is not assigned to that user. I saw this line from the console “You can create an internal user in internal user database of the security plugin. An internal user can have its own backend role and host for an external authentication and authorization. External users from your identity provider are also supported.” I thought the last sentence would be applicable to my use case and thought that was what I had implemented.

Can anyone suggest an approach I can take to achieve this configuration?

Many thanks.

In short, you’d like to have individual LDAP user mapped to the specific role?

Yes, that is correct.

@Mr_Hedgehog I’ve mapped ldap user ldapuser1@domain.local using roles_mapping.yml file.

  reserved: false
  - "ldapuser1"

Just to follow up on this - many thanks for the replies and I was able to get this working with the assistance above.

Here are a couple of notes from what I found. When authenticating against AD, I use a username, such as 12345 (from the usersearch) and a first name/last name mapped to CN as the username_attribute.

In the ldap users above, I have to specify the CN as the list of users, so “My Name”, rather than 12345.

Hope this helps someone else.