The first time an LDAP user accesses (logs into) a station, a User component is created in the station, named as that user’s “user login name” on the LDAP server. Other user properties “Full Name”, “Email”, and “Language” are also sourced directly from the LDAP server.
Other properties of that User are supplied by a local “user prototype” in the station—that is, a User under the user service’s UserPrototypes container. Permissions are the most critical of these items, which also include properties Nav File, Language, Facets, Default Web Profile, and Mobile Web Profile. For related details, see Configure User Prototypes.
Selection of which user prototype “to use as source” employs a “top-to-bottom” priority scan of all available Users under UserPrototypes. See Figure 11 below.
Mapping (selection) is to the first User Prototype with a name that matches a value returned from the LDAP server for a specific LDAP attribute (as specified in the “Attr Prototype” property, as in the user service’s “LdapConfig” or “ActiveDirectoryConfig” container). For Active Directory, this is the “memberOf” attribute.
Note an LDAP user may be a member of multiple groups. In the example above, user CCross (Chris Cross) is a member of AD groups GEngineers, GOperations, and GMgmtIT. Because the User Prototype GMgmtIT is ordered at the top, when his User component is created in the station it uses that User Prototype for permissions, Nav file, and so on.
If no matching-named user prototype is found, the frozen “Default Prototype” User is the source for permissions and other User properties locally sourced in the station. In the example above, this is the case for user VLynn (Viola Lynn).
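The selection rule above, modelled as an added Python example (this is not Niagara code). The prototype list, group names and permission summaries are constructed, and the attribute values are assumed to be plain group names that equal the prototype names; the example also shows that reordering the prototypes changes which membership wins for a multi-group user.

```python
# Model of the "top-to-bottom" user prototype selection described above.
# Added illustration only; prototype names, permissions and LDAP results are constructed.
from dataclasses import dataclass

DEFAULT_PROTOTYPE = "Default Prototype"  # the frozen fallback prototype


@dataclass
class Prototype:
    name: str
    permissions: str  # constructed one-line summary of the prototype's permission map


# Ordered as in the UserPrototypes container: the first entry is at the top of the scan.
USER_PROTOTYPES = [
    Prototype("GMgmtIT", "super user"),
    Prototype("GEngineers", "admin write on config"),
    Prototype("GOperations", "operator read/write on alarms"),
]

# Constructed LDAP results: values returned for the attribute named by "Attr Prototype"
# (memberOf for Active Directory). Assumed here to be plain group names; real AD returns
# full distinguished names, which this model does not normalise.
LDAP_USERS = {
    "CCross": ["GEngineers", "GOperations", "GMgmtIT"],
    "VLynn": ["GSales"],
}


def select_prototype(member_of, prototypes=USER_PROTOTYPES):
    """Return the first prototype (top to bottom) whose name equals any attribute value,
    or the Default Prototype when no prototype name matches."""
    values = set(member_of)
    for proto in prototypes:
        if proto.name in values:
            return proto.name
    return DEFAULT_PROTOTYPE


def audit_mappings(users=LDAP_USERS, prototypes=USER_PROTOTYPES):
    """Map each LDAP login name to the prototype its station User would be created from.
    Worth reviewing before reordering prototypes, since order decides which membership wins."""
    return {login: select_prototype(groups, prototypes) for login, groups in users.items()}


if __name__ == "__main__":
    for login, proto in audit_mappings().items():
        print(f"{login}: {proto}")
    # Moving GOperations to the top changes the result for the multi-group user CCross.
    reordered = [USER_PROTOTYPES[2], USER_PROTOTYPES[0], USER_PROTOTYPES[1]]
    print("CCross with GOperations on top:", select_prototype(LDAP_USERS["CCross"], reordered))
```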
Copyright © 2000-2016 Tridium Inc. All rights reserved.