Hints for Specific LDAP Server Products
Microsoft Active Directory Server (ADS)
When the standard ADS layout is used by the ADS administrator, user entries can be found in the “CN=Users“ part of the directory. For larger organizations, this section is normally divided into different subsections to increase scalability and manageability.
If the standard ADS attributes are used, the following mapping can be used.
Stages Attribute Name | ADS Attribute Name |
---|---|
username | sAMAccountName |
fullname | displayName |
authenicationUsername | distinguishedName |
No standard attribute name exists for the e-mail address. Please use the LDAP browser to find out the attribute name valid for your installation.
ADS provides the LDAP distinguished name via the “distinguishedName“ attribute. Therefore, if the above mapping of the attribute is used, the key attribute of the ldap-provider statement can be set to “authenticationUsername“ and the principal attribute of the ldap-authentication statement can be set to “%“.
By default, ADS does not allow anonymous bindings. Therefore a user with readonly access to the directory is required. The account name and password of this user must be configured with the ldap-query-user statement. The login times for this user should not be limited.
ADS per default allows the retrieval of 1000 entries per query. To fully explore this potential, set the pageSize attribute of the ldap-provider statement to “1000“.
A sample configuration for a Microsoft Active Directory Server is as follows (italic: customer specific data):
<ldap-provider url="ldap://ADSSERVER:389/cn=Users,dc=YOURDC,dc=COMPANY,dc=com" ident="Your Microsoft ADS Server Number 1" key="authenticationUsername" defaultRoles="true" pageSize="1000"> <ldap-query-user name="LDAP_DN_OF_USER" credentials="PASSWORD"/> <ldap-authentication type="simple" principal="%" /> <ldap-attribute name=„username“ id=„sAMAccountName“ /> <ldap-attribute name=„fullname“ id=„displayName“ /> <ldap-attribute name=„email“ id=„YOUR_EMAIL_ATTRIBUTE“ /> <ldap-attribute name=„authenticationUsername“ id=„distinguishedName“ /> </ldap-provider>
OpenLDAP
If the standard OpenLDAP attributes are used, the following mapping can be used.
Stages Attribute Name | Schema Attribute Name |
---|---|
username | uid |
fullname | cd |
No standard attribute names exists for the e-mail address. Please use the LDAP browser to find out the e-mail attribute name valid for your installation.
Per default, OpenLDAP does not provide the LDAP distinguished name in each entry. To enable authentication via the distinguished name
- set the generateDn attribute of the ldap-provider statement to “true“
- set the key attribute of the ldap-provider statement to “authenticationUsername“
- set the principal attribute of the ldap-authentication statement to “%“