Configuring Authentication
Every user is authenticated against the LDAP directory server from which it was synchronized. For the synchronization it may be necessary to specify a dedicated LDAP user that is used to connect to the LDAP directory server and to query it. This user is specified with the ldap-query-user tag.
Specifying a Query User
A query user can be specified using the optional ldap-query-user tag. This tag has to be nested inside an ldap-provider tag as shown below:
<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
    …
    <ldap-query-user name="USERNAME" credentials="PASSWORD"/>
    …
</ldap-provider>
The ldap-query-user tag has two required attributes:
- name: the DN (DN = Distinguished Name) of a user with read access to the LDAP directory
- credentials: the password of the above user
NOTE: If no query user is specified then an anonymous bind is used to connect to the LDAP directory.
Name Attribute
The name attribute specifies the name of the LDAP user used for synchronization. The distinguished name of this user can be built up and set in one of two ways:
The distinguished name can be set directly to the name attribute as shown in the example below:
<ldap-query-user name="cn=pkit1,o=XYZ,dc=xyzgroup,dc=com" credentials="somepw"/>
If the name attribute contains neither an equal sign ('=') nor a comma (','), the value is substituted into the authentication schema (see "The authentication Schema" below) to build up the distinguished name of the query user.
In the example below "id123" would be substituted into the schema to build up the user's distinguished name.
<ldap-query-user name="id123" credentials="SOME_CREDENTIALS"/>
The credentials Attribute
The credentials attribute holds the password of the query user.
The authentication Schema
The authentication schema is used to build up the distinguished name of a synchronized user for authentication purposes. The schema can be specified using the optional ldap-authentication tag, which has to be nested inside an ldap-provider tag if used.
<ldap-provider url="SERVER_URL" key="AUTHENTICATION_KEY">
    …
    <ldap-authentication type="simple" principal="SOME_PRINCIPAL"/>
    …
</ldap-provider>
The ldap-authentication tag has two required attributes:
- type
- principal
The type Attribute
The type attribute specifies the authentication mode used to authenticate a synchronized user. Currently only the mode "simple" is supported.
The principal Attribute
The principal attribute holds a schema used to build up the distinguished name for user authentication. The special character "%" marks the position at which the user's fullname or username is inserted to form the corresponding distinguished name.
Example: principal="cn=%,cn=Users,dc=company,dc=com"
NOTE: It depends on the value of the key attribute of the ldap-provider tag whether the user’s fullname or username will be set into the schema.
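The two DN rules above (the ldap-query-user name attribute is taken as a complete DN only if it contains '=' or ',', otherwise it is substituted into the schema; the principal schema always receives the synchronized user's fullname or username at the '%' position) are small enough to state as code. The following Python is an added example, not the product's own code: it models the XML attributes as plain function arguments, and it adds RFC 4514 escaping of the substituted value as an assumed safe default, because a fullname such as "Smith, John" would otherwise produce a DN with an extra component. The helper names are hypothetical.

```python
# Added example: DN construction as described for ldap-query-user and ldap-authentication.
# Not the product's code; escaping of the inserted value is an assumption added here.


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append('\\' + ch)          # characters that delimit RDNs/values
        elif ch == '#' and i == 0:
            out.append('\\#')              # leading '#' would start a hex-encoded value
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')              # leading/trailing spaces are not preserved unescaped
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def authentication_dn(user_value: str, principal: str) -> str:
    """Insert the user's fullname or username (as selected by the provider's key
    attribute) at the '%' position of the principal schema."""
    if '%' not in principal:
        raise ValueError("principal schema must contain the '%' placeholder")
    return principal.replace('%', escape_rdn_value(user_value))


def query_user_dn(name: str, principal: str) -> str:
    """Resolve the ldap-query-user name attribute:
    a value containing '=' or ',' is already a DN; anything else is substituted
    into the authentication schema."""
    if '=' in name or ',' in name:
        return name
    return authentication_dn(name, principal)


def url_uses_tls(url: str) -> bool:
    """True when the ldap-authentication url attribute uses the ldaps scheme."""
    return url.lower().startswith('ldaps://')


if __name__ == '__main__':
    schema = 'cn=%,cn=Users,dc=company,dc=com'
    print(query_user_dn('cn=pkit1,o=XYZ,dc=xyzgroup,dc=com', schema))
    print(query_user_dn('id123', schema))
    print(authentication_dn('Smith, John', schema))
    print(url_uses_tls('ldap://authsrv.example:389/cn=Users,dc=company,dc=com'))
```

The escaping keeps a name containing a comma or plus sign inside a single RDN; whether the product itself escapes the inserted value is not stated on this page, so treat it as something to verify against your directory.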
The optional URL Attribute
The ldap-authentication tag comes with the optional url attribute. It can be used to set the URL of the authentication server if synchronization and authentication are done on different machines. An exemplary url attribute value is given below:
url="ldap://authsrv.methodpark.de:389/cn=Users,dc=company,dc=com"
NOTE: To authenticate via SSL, change the prefix "ldap" to "ldaps".