Configure LDAP

Example Configurations

An example configuration followed by an explanation:

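<!-- Sample provider configuration; host names and the password are placeholders. -->
<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <!-- maximumDeletionPercentage: presumably an upper bound on the share of accounts one
       synchronization run may delete; see the explanation below for how the value is read. -->
  <ldap-provider
      url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
      key="username"
      searchFilter="(objectClass=user*)"
      defaultRoles="true"
      adoptUsers="true"
      matchUsersMode="username">

    <!-- Simple bind; "%" in principal is replaced by the login name (see explanation).
         NOTE(review): a simple bind over plain ldap:// transmits the password unencrypted;
         confirm whether the product supports ldaps:// or StartTLS before using this
         outside a test setup. -->
    <ldap-authentication
        type="simple"
        principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <!-- Service account for the synchronization queries. The password is stored in
         plaintext here, so read access to the configuration file should be restricted. -->
    <ldap-query-user name="queryuser" credentials="pass"/>
    <!-- Field mapping: name = Stages user field, id = LDAP attribute. -->
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <!-- presumably excludes entries whose sAMAccountName is "XYZ" from the sync;
         not covered by the explanation below, verify. -->
    <ldap-ignore id="sAMAccountName" value="XYZ"/>
  </ldap-provider>
  <!-- ... -->
</ldap>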

Explanation:

Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized but could not be, none is deleted. The Stages username is used for authentication with the LDAP-provider at login (key=“username”). Every LDAP object whose attribute “objectClass” starts with the word “user” is a candidate for synchronization (searchFilter=“(objectClass=user*)”). All imported users are assigned to the default role.

Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations are done via the LDAP-provider. These accounts are adapted if the value of the attribute sAMAccountName matches the Stages username (adoptUsers=“true”, matchUsersMode=“username”). Furthermore, the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute name=“username” id=“sAMAccountName”/>).

A pattern defines how the name for the authentication is built (principal=“cn=%,ou=example,dc=test,dc=example,dc=com”). “%” is replaced by the username.

The user for the LDAP queries is named “queryuser” and has the password “pass” (<ldap-query-user name=“queryuser” credentials=“pass”/>).

Further Examples

Example

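<!-- Daily synchronization (1440 minutes). Host names, DNs and passwords are sample values. -->
<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5">
  <!-- The "&" of the LDAP AND filter must be written as &amp; inside an XML attribute,
       and the filter is kept on one line so that no line break whitespace ends up in it. -->
  <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com"
      ident="ldap_XY_intern"
      key="username"
      defaultRoles="true"
      pageSize="500"
      recursiveSearch="true"
      generateDn="false"
      searchFilter="(&amp;(|(departmentNumber=XY-1)(departmentNumber=XY-2))(mail=*)(sn=*)(objectClass=XYperson))"
      adoptUsers="true"
      matchUsersMode="email">
    <!-- Authentication goes to a separate server (url on ldap-authentication) with its own
         query user; presumably that account is used for lookups on the authentication server,
         confirm against the product documentation.
         NOTE(review): simple bind over plain ldap:// sends the password unencrypted. -->
    <ldap-authentication
        type="simple"
        principal="uid=%,ou=people,dc=xyzgroup,dc=com"
        url="ldap://defg123.abc:3892/dc=com">
      <ldap-query-user
          name="uid=pkit1,ou=people,ou=project users,dc=com"
          credentials="pkit1"/>
    </ldap-authentication>
    <!-- Query user for the synchronization server; password stored in plaintext. -->
    <ldap-query-user
        name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com"
        credentials="projk"/>
    <ldap-attribute name="username" id="uid"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <!-- "_KEY" is not described on this page; verify its meaning before reusing it. -->
    <ldap-attribute name="_KEY" id="uid"/>
  </ldap-provider>
</ldap>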

Example

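<!-- Hourly synchronization; up to 50 percent of the accounts may be deleted per run. -->
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50">
  <!-- Filter: member of either group AND objectClass=person.
       "&" is escaped as &amp;, the filter is on one line, and the
       (objectClass=person) term now has its own parentheses; in the original
       it stood inside the OR group without any. -->
  <ldap-provider
      url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com"
      key="fullname"
      defaultRoles="true"
      recursiveSearch="true"
      searchFilter="(&amp;(|(memberOf=CN=ABC-Stages-User,OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc,DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt,OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc,DC=com))(objectClass=person))">
    <!-- "%" is replaced by the login name; key="fullname" means the full name is the login.
         NOTE(review): simple bind over plain ldap:// sends the password unencrypted. -->
    <ldap-authentication
        type="simple"
        principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ,dc=auto,dc=abc,dc=com"/>
    <!-- Sample credentials; the real bind password is stored in plaintext in this file. -->
    <ldap-query-user name="abc-ldap" credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>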

Example

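<!-- Hourly synchronization; the url no longer contains the stray space after "ldap://". -->
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10">
  <ldap-provider ident="abc.def"
      url="ldap://abc.def:389/dc=abc,dc=def"
      key="authenticationUsername"
      defaultRoles="true"
      recursiveSearch="true"
      adoptUsers="true"
      searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc,DC=def)">
    <!-- principal="%" with key="authenticationUsername": the value mapped from
         distinguishedName is used as the bind DN directly.
         NOTE(review): simple bind over plain ldap:// sends the password unencrypted. -->
    <ldap-authentication
        type="simple"
        principal="%"/>
    <!-- Sample DN and password; the bind password is stored in plaintext in this file. -->
    <ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users,OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def"
        credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>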

Example for “ondemand” synchronization

    <!-- LDAP configuration with on demand account creation.
         Written for an MS Active Directory server; other servers may use
         different attribute names. -->
    <!-- synchronizeCronExpression: full synchronization every Saturday at 03:30 AM
         (seconds minutes hours day-of-month month day-of-week). -->
    <ldap synchronizeCronExpression="0 30 3 ? * SAT"
          maximumDeletionPercentage="5"
          synchronize="ondemand"
          synchronizeOnStartup="false">
        <!-- ondemandFilter: "%" is replaced by the login name when an unknown user logs in.
             NOTE(review): simple bind over plain ldap:// sends the password unencrypted. -->
        <ldap-provider url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com"
                       ident="LDAP Primary Ondemand Server"
                       key="authenticationUsername"
                       defaultRoles="true"
                       defaultRolesUsername="default"
                       defaultLicenseType="FloatingDev"
                       pageSize="500"
                       generateDn="false"
                       ondemandFilter="(&amp;(sAMAccountName=%)(objectClass=user))"
                       recursiveSearch="true">
            <ldap-authentication type="simple" principal="%"/>

            <!-- Field mapping: name = Stages user field, id = AD attribute. -->
            <ldap-attribute name="username" id="sAMAccountName"/>
            <ldap-attribute name="fullname" id="displayName"/>
            <ldap-attribute name="email" id="mail"/>
            <ldap-attribute name="authenticationUsername" id="distinguishedName"/>

            <!-- Service account for directory queries; PASSWORD is a placeholder and the
                 real value is stored in plaintext in this file. -->
            <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD" />
        </ldap-provider>
    </ldap>