LDAP Integration
Overview
A company LDAP directory can be used for user authentication. In this case authentication is performed via LDAP, but authorization remains on the platform: the administrator creates a platform user whose username matches the one in LDAP.
The platform installer asks for the LDAP configuration during installation. This step can be skipped and the configuration changed afterwards.
Use the LDAP configuration parameters in the Control Server configuration to change the integration settings.
Configuration
Parameter | Description | Examples |
---|---|---|
cs.ldap_url | LDAP connection URL with protocol and port. If this key is defined, LDAP integration is on. | ldap://ad-ldap.org; ldaps://domino-ldap.org:636 |
cs.ldap_root_dn | Search base for user searches: the tree path where person entries are located. | CN=Users,DC=my,DC=org; o=org |
cs.ldap_user_dn_patterns | Pattern used to build the DN for the user, relative to the root DN. The pattern argument {0} is replaced by the username. | cn={0}; uid={0}; mail={0} |
cs.ldap_user_search_filter | Optional search filter used to locate a user when a simple DN match is not sufficient. It is an LDAP search filter as defined in RFC 2254, relative to the root DN, with optional arguments; the argument {0} is replaced by the username, which is the only parameter (see the documentation of the DirContext search methods for details). | uid={0} (matches the username against the uid attribute); mail={0}; sAMAccountName={0}; (&(objectClass=person)(sAMAccountName={0})); (&(objectClass=person)(sn={0})) |
cs.ldap_manager_dn | LDAP technical (bind) user account. | domain paplatform-bind-user rpaplatform@rplaplatform.org |
cs.ldap_manager_password | Password of the LDAP technical user account. | AnnddReww!234 |
cs.ldap_mail_attr | LDAP person attribute used as the user's email when the platform user record is created. | userPrincipalName |
cs.ldap_sn_attr | LDAP person attribute used as the user's last name when the platform user record is created. | sn |
cs.ldap_fn_attr | LDAP person attribute used as the user's first name when the platform user record is created. | givenName; givenname |
cs.ldap_user_attr | LDAP person attribute used as the user's username when the platform user record is created. | sAMAccountName |
SSL
If the LDAP connection requires SSL and the LDAP server uses a self-signed certificate, the CA public certificate has to be added to the Control Server trust store. This is done automatically when LDAP is configured during installation, but must be done manually when it is configured afterwards.
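The following is an added example, not the platform's own code, showing how to check a cs.ldap_url value before switching LDAP on: it parses the URL (the default ports 389 and 636 are my assumption for URLs without an explicit port), builds a TLS context that trusts only the CA given in `cafile` (or the system store when `cafile` is None), and reports whether the LDAP server's certificate chains to that CA. The helper names `parse_ldap_url`, `ldap_tls_context` and `probe_ldap_url` are mine.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # assumed when the URL carries no port


def parse_ldap_url(url: str):
    """Split a cs.ldap_url value into (host, port, uses_tls)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("cs.ldap_url must be ldap://host[:port] or ldaps://host[:port]")
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme], parts.scheme == "ldaps"


def ldap_tls_context(cafile=None):
    """TLS settings for the LDAPS connection: trust the CA that issued the
    LDAP server's certificate (cafile; the system store when None), check the
    hostname against the certificate, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_ldap_url(url: str, cafile=None, timeout: float = 5.0) -> str:
    """Return a short status string: 'trusted', 'untrusted', 'plaintext' or
    'unreachable'. 'untrusted' means the CA certificate is missing from the
    trust store in use, which is exactly the situation the SSL section describes."""
    host, port, uses_tls = parse_ldap_url(url)
    if not uses_tls:
        return "plaintext: binds, including the manager password, are sent unencrypted"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ldap_tls_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject")
                return "trusted: %s %s" % (tls.version(), subject)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: add the issuing CA certificate to the trust store (%s)" % exc.verify_message
    except OSError as exc:
        return "unreachable: %s" % exc


if __name__ == "__main__":
    # Example URLs from the configuration table; pass the CA PEM as cafile.
    for url in ("ldap://ad-ldap.org", "ldaps://domino-ldap.org:636"):
        print(url, "->", probe_ldap_url(url, cafile=None, timeout=2.0))
```

If the probe reports "trusted" with the CA PEM file as `cafile`, that same certificate is the one to import into the Control Server trust store; "plaintext" for an ldap:// URL is a reminder that the manager account's password travels unencrypted on that connection.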
Authentication flow
- If ldap_user_dn_patterns is defined, the platform builds the user DN from the pattern and tries to authenticate the user directly with the given password.
- If ldap_user_search_filter is defined, the platform searches for the user using the manager credentials; if an entry is found, it tries to authenticate the located cn with the given password.
Those two parameters (ldap_user_dn_patterns and ldap_user_search_filter) are mutually exclusive.
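The example below is added here and is not the platform's code. It runs both authentication modes from this section, and the user record mapping driven by the cs.ldap_*_attr parameters of the configuration table, against a small constructed in-memory directory so it works offline. The `Directory` class is a stand-in for the LDAP server (single-valued attributes, case-insensitive matching, filters limited to equality terms and an AND of them); the entry DNs, passwords and attribute values are made up. Two details the page does not spell out are my additions: the username is escaped before it replaces {0} (RFC 4514 for DN patterns, RFC 4515 for filters), and an empty password is rejected before any bind, because a simple bind with a DN and an empty password is treated as an anonymous bind by many servers and would "succeed".

```python
import re

# One equality term "(attr=value)"; the mock directory supports only these and an AND of them.
FILTER_TERM = re.compile(r"\(([^()&|!=]+)=([^()]*)\)")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a username substituted into {0} of a search filter:
    '*', '(', ')', '\\' and NUL become \\xx hex escapes, so the username can only
    ever be compared as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a username substituted into {0} of a DN pattern."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "
    return out


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class Directory:
    """Constructed in-memory stand-in for the LDAP server (not a real client)."""

    def __init__(self, entries):
        self._entries = {dn.lower(): (dn, {k.lower(): v for k, v in attrs.items()})
                         for dn, attrs in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only for a non-empty password matching userPassword."""
        entry = self._entries.get(dn.lower())
        return bool(password) and entry is not None and entry[1].get("userpassword") == password

    def search(self, base: str, ldap_filter: str):
        """DNs under `base` whose attributes satisfy every equality term of the filter."""
        if not ldap_filter.startswith("("):  # table also lists bare forms such as uid={0}
            ldap_filter = "(" + ldap_filter + ")"
        terms = [(a.lower(), _unescape(v).lower()) for a, v in FILTER_TERM.findall(ldap_filter)]
        return [dn for dn, attrs in self._entries.values()
                if dn.lower().endswith("," + base.lower())
                and all(str(attrs.get(a, "")).lower() == v for a, v in terms)]

    def attributes(self, dn: str) -> dict:
        return self._entries[dn.lower()][1]


def authenticate(directory: Directory, cfg: dict, username: str, password: str):
    """Return the DN the user was authenticated as, or None on failure."""
    pattern = cfg.get("cs.ldap_user_dn_patterns")
    search_filter = cfg.get("cs.ldap_user_search_filter")
    if pattern and search_filter:
        raise ValueError("ldap_user_dn_patterns and ldap_user_search_filter are mutually exclusive")
    if not username or not password:  # never let an empty password reach the bind
        return None
    root = cfg["cs.ldap_root_dn"]
    if pattern:  # mode 1: build the DN and bind directly
        user_dn = pattern.replace("{0}", escape_dn_value(username)) + "," + root
        return user_dn if directory.bind(user_dn, password) else None
    if search_filter:  # mode 2: bind as manager, locate the entry, bind as that entry
        if not directory.bind(cfg["cs.ldap_manager_dn"], cfg["cs.ldap_manager_password"]):
            raise RuntimeError("manager bind failed; check cs.ldap_manager_dn/password")
        found = directory.search(root, search_filter.replace("{0}", escape_filter_value(username)))
        if len(found) != 1:  # zero or ambiguous matches must not authenticate
            return None
        return found[0] if directory.bind(found[0], password) else None
    raise ValueError("LDAP is on but neither dn pattern nor search filter is set")


def platform_user_record(directory: Directory, cfg: dict, dn: str) -> dict:
    """Fields the platform fills at user creation, via the cs.ldap_*_attr parameters."""
    attrs = directory.attributes(dn)
    return {field: attrs.get(cfg[key].lower()) for field, key in (
        ("username", "cs.ldap_user_attr"), ("email", "cs.ldap_mail_attr"),
        ("first_name", "cs.ldap_fn_attr"), ("last_name", "cs.ldap_sn_attr"))}


# Constructed sample directory: DNs, passwords and attribute values are made up.
SAMPLE_DIRECTORY = Directory({
    "CN=paplatform-bind-user,CN=Users,DC=my,DC=org": {"userPassword": "bind-secret"},
    "CN=jdoe,CN=Users,DC=my,DC=org": {
        "objectClass": "person", "sAMAccountName": "jdoe", "givenName": "John",
        "sn": "Doe", "userPrincipalName": "jdoe@my.org", "userPassword": "Correct-Horse"},
})
COMMON = {"cs.ldap_url": "ldap://ad-ldap.org", "cs.ldap_root_dn": "CN=Users,DC=my,DC=org",
          "cs.ldap_user_attr": "sAMAccountName", "cs.ldap_mail_attr": "userPrincipalName",
          "cs.ldap_fn_attr": "givenName", "cs.ldap_sn_attr": "sn"}
CFG_DIRECT = dict(COMMON, **{"cs.ldap_user_dn_patterns": "cn={0}"})
CFG_SEARCH = dict(COMMON, **{
    "cs.ldap_user_search_filter": "(&(objectClass=person)(sAMAccountName={0}))",
    "cs.ldap_manager_dn": "CN=paplatform-bind-user,CN=Users,DC=my,DC=org",
    "cs.ldap_manager_password": "bind-secret"})

if __name__ == "__main__":
    for cfg in (CFG_DIRECT, CFG_SEARCH):
        dn = authenticate(SAMPLE_DIRECTORY, cfg, "jdoe", "Correct-Horse")
        print(dn, platform_user_record(SAMPLE_DIRECTORY, cfg, dn) if dn else None)
        print(authenticate(SAMPLE_DIRECTORY, cfg, "jdoe", ""))  # empty password: None
```

In search mode the function refuses to authenticate when the filter matches zero or more than one entry; a filter such as `sn={0}` can easily match several people, which is why the objectClass-qualified forms in the table are the safer choice.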
Switch on/off LDAP authentication
LDAP authentication is on if the cs.ldap_url parameter exists in the configuration. All users created without LDAP are authenticated with platform passwords, even if a user with the same account exists in LDAP (e.g. admin).
Users created while LDAP was enabled have no platform password and cannot be authenticated when LDAP is switched off, unless a password is set for them once platform authentication is switched on.