Example Configurations
An example configuration followed by an explanation:
<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <ldap-provider url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
                 key="username"
                 searchFilter="(objectClass=user*)"
                 defaultRoles="true"
                 adoptUsers="true"
                 matchUsersMode="username">
    <ldap-authentication type="simple" principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <ldap-query-user name="queryuser" credentials="pass"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-ignore id="sAMAccountName" value="XYZ"/>
  </ldap-provider>
  ...
</ldap>
Explanation:
Stages synchronizes with the LDAP provider every 120 minutes (refreshIntervalMinutes="120"). Of all Stages users that should have been synchronized but could not be, none is deleted. The Stages username is used for authentication against the LDAP provider at login (key="username"). Every LDAP object whose "objectClass" attribute starts with the word "user" is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned the default role (defaultRoles="true").
Existing Stages accounts that have not yet been synchronized with LDAP are adopted, so that future authentications and synchronizations are handled by the LDAP provider. An account is adopted if the value of the LDAP attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). The mapping between the LDAP attribute sAMAccountName and the Stages username is defined by <ldap-attribute name="username" id="sAMAccountName"/>.
A pattern defines how the name used for authentication is built (principal="cn=%,ou=example,dc=test,dc=example,dc=com"); the "%" placeholder is replaced by the username.
The user for the LDAP queries is named "queryuser" and has the password "pass" (<ldap-query-user name="queryuser" credentials="pass"/>).
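The following Python script is an added example, not code from Stages or from this documentation: it parses the configuration above (with the missing quotes around url added), extracts the settings the explanation walks through, and expands the "%" placeholder of principal= into a bind DN and of ondemandFilter= (from the on-demand example further down) into a search filter. The RFC 4514 and RFC 4515 escaping applied to the substituted username is this example's own choice, not documented Stages behaviour, and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the first configuration on this page, with the missing quotes
# around the url attribute added so that it is well-formed XML.
CONFIG = """<ldap refreshIntervalMinutes="120" maximumDeletionPercentage="5">
  <ldap-provider url="ldap://server.example.com:389/dc=domain,dc=example,dc=com"
      key="username" searchFilter="(objectClass=user*)" defaultRoles="true"
      adoptUsers="true" matchUsersMode="username">
    <ldap-authentication type="simple" principal="cn=%,ou=example,dc=test,dc=example,dc=com"/>
    <ldap-query-user name="queryuser" credentials="pass"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
  </ldap-provider>
</ldap>"""

def parse_config(xml_text):
    """Pull out the settings that the explanation above walks through."""
    root = ET.fromstring(xml_text)
    prov = root.find("ldap-provider")
    return {
        "refresh_minutes": int(root.get("refreshIntervalMinutes")),
        "max_deletion_pct": int(root.get("maximumDeletionPercentage")),
        "key": prov.get("key"),
        "search_filter": prov.get("searchFilter"),
        "adopt_users": prov.get("adoptUsers", "false").lower() == "true",
        "principal": prov.find("ldap-authentication").get("principal"),
        "attributes": {a.get("name"): a.get("id") for a in prov.findall("ldap-attribute")},
    }

def escape_dn_value(value):
    """RFC 4514 escaping for a value inside a DN component (this example's choice)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append(("\\" + ch) if ch in ',+"\\<>;=' or (ch == "#" and i == 0) or edge_space else ch)
    return "".join(out)

def escape_filter_value(value):
    """RFC 4515 escaping for a value inside a search filter (this example's choice)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)

def bind_dn(principal_template, username):
    """Expand the '%' of principal= with the escaped username, as the page describes."""
    return principal_template.replace("%", escape_dn_value(username), 1)

def ondemand_filter(filter_template, username):
    """Expand the '%' of ondemandFilter= (used by the on-demand example further down)."""
    return filter_template.replace("%", escape_filter_value(username), 1)
```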
Further Examples
Example
<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="5">
  <ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com"
                 ident="ldap_XY_intern"
                 key="username"
                 defaultRoles="True"
                 pageSize="500"
                 recursiveSearch="True"
                 generateDn="False"
                 searchFilter="(&(|(departmentNumber=XY-1)(departmentNumber=XY-2))(mail=*)(sn=*)(objectClass=XYperson))"
                 adoptUsers="True"
                 matchUsersMode="email">
    <ldap-authentication type="simple"
                         principal="uid=%,ou=people,dc=xyzgroup,dc=com"
                         url="ldap://defg123.abc:3892/dc=com">
      <ldap-query-user name="uid=pkit1,ou=people,ou=project users,dc=com" credentials="pkit1"/>
    </ldap-authentication>
    <ldap-query-user name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com" credentials="projk"/>
    <ldap-attribute name="username" id="uid"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="_KEY" id="uid"/>
  </ldap-provider>
</ldap>
Example
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50">
  <!-- searchFilter: the objectClass term is its own AND component; it was missing its parentheses -->
  <ldap-provider url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com"
                 key="fullname"
                 defaultRoles="true"
                 recursiveSearch="true"
                 searchFilter="(&(|(memberOf=CN=ABC-Stages-User,OU=Groups Development,OU=Groups,OU=XYZ,DC=auto,DC=abc,DC=com)(memberOf=CN=ABCD-Stages-W,OU=XYZ_Projekt,OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc,DC=com))(objectClass=person))">
    <ldap-authentication type="simple" principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ,dc=auto,dc=abc,dc=com"/>
    <ldap-query-user name="abc-ldap" credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="cn"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>
Example
<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="10">
  <ldap-provider ident="abc.def"
                 url="ldap://abc.def:389/dc=abc,dc=def"
                 key="authenticationUsername"
                 defaultRoles="true"
                 recursiveSearch="true"
                 adoptUsers="true"
                 searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc,DC=def)">
    <ldap-authentication type="simple" principal="%"/>
    <ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users,OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def" credentials="12345"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
  </ldap-provider>
</ldap>
Example for "ondemand" synchronization
<!-- Configuration for LDAP with on-demand account creation. This config works with an
     MS Active Directory server. For other servers, the attribute names might need to be changed. -->
<!-- Synchronize every Saturday at 03:30 AM -->
<ldap synchronizeCronExpression="0 30 3 ? * SAT"
      maximumDeletionPercentage="5"
      synchronize="ondemand"
      synchronizeOnStartup="false">
  <ldap-provider url="ldap://LDAPSERVER.com:389/dc=CUSTOMER,dc=com"
                 ident="LDAP Primary Ondemand Server"
                 key="authenticationUsername"
                 defaultRoles="true"
                 defaultRolesUsername="default"
                 defaultLicenseType="FloatingDev"
                 pageSize="500"
                 generateDn="false"
                 ondemandFilter="(&(sAMAccountName=%)(objectClass=user))"
                 recursiveSearch="true">
    <ldap-authentication type="simple" principal="%"/>
    <ldap-attribute name="username" id="sAMAccountName"/>
    <ldap-attribute name="fullname" id="displayName"/>
    <ldap-attribute name="email" id="mail"/>
    <ldap-attribute name="authenticationUsername" id="distinguishedName"/>
    <ldap-query-user name="cn=LDAP Account,ou=Users,dc=CUSTOMER,dc=com" credentials="PASSWORD"/>
  </ldap-provider>
</ldap>