Differences

This shows you the differences between two versions of the page.

72:ldap_ex_config [2018/07/16 15:37] bkkr
72:ldap_ex_config [2018/07/16 15:44] – [Example Configurations] bkkr
Line 13: Line 13:
  defaultRoles="true"  defaultRoles="true"
  adoptUsers="true"  adoptUsers="true"
- matchUsersMode="username" + matchUsersMode="username"> 
->+
  <ldap-authentication  <ldap-authentication
  type="simple"  type="simple"
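Review bot: Moving the `>` onto the `matchUsersMode="username"` line is a cosmetic change only; an XML parser accepts whitespace, including a line break, between the last attribute and the closing `>` of a start tag, so the earlier revision with `>` on its own line was already well-formed. Keeping the merge is still worthwhile for readability and for copy-and-paste of the snippet, but the text does not need to treat the old form as an error.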
Line 32: Line 32:
 Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role. Stages synchronizes every 120 minutes with the LDAP-provider. Of all Stages users that should have been synchronized, but could not, none is deleted. The Stages username is used for authentication with the LDAP-provider at the login (key="username"). Every LDAP-object where the attribute “objectClass“ starts with the word “user“ is a candidate for synchronization (searchFilter="(objectClass=user*)"). All imported users are assigned to the default role.
  
-Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute +Existing Stages accounts that have not been synchronized with LDAP yet are adapted so that future authentications/synchronizations will be done via the LDAP-provider. These accounts are adapted, if the value of the attribute sAMAccountName matches the Stages username (adoptUsers="true", matchUsersMode="username"). Further on the mapping between the LDAP sAMAccountName and the Stages username is defined (<ldap-attribute name="username" id="sAMAccountName"/>). 
-name="username" id="sAMAccountName"/>).+ 
 +A schema defines how the name for the authentication is build (principal="cn=%,ou=example,dc=test,dc=example,dc=com"). “%“ will be replaced by “username“. 
 + 
 +The user for the LDAP-queries is named “queryuser“ and has the password "pass“ (<ldap-query-user name="queryuser" credentials="pass"/>). 
 + 
 +**Further Examples ** 
 + 
 +//Example// 
 +<code> 
 +<ldap refreshIntervalMinutes="1440" maximumDeletionPercentage="0"> 
 +<ldap-provider url="ldap://ldap.abc:389/dc=xyzgroup,dc=com" 
 +ident="ldap_XY_intern" 
 +key="username" 
 +defaultRoles="True" 
 +pageSize="500" 
 +recursiveSearch="True" 
 +generateDn="False" 
 +searchFilter="(&(|(departmentNumber=XY-1) 
 + (departmentNumber=XY-2)) 
 + (mail=*)(sn=*)(objectClass=XYperson))" 
 +adoptUsers="True" 
 +matchUsersMode="email"> 
 +<ldap-authentication 
 +type="simple" 
 +principal="uid=%,ou=people,dc=xyzgroup,dc=com" 
 +url="ldap://defg123.abc:3892/dc=com"> 
 +<ldap-query-user 
 +name="uid=pkit1,ou=people,ou=project users,dc=com" 
 + credentials="pkit1"/> 
 + </ldap-authentication> 
 + <ldap-query-user 
 + name="cn=pkit1,ou=projects,o=XYZ,dc=xyzgroup,dc=com" 
 + credentials="projk"/> 
 + <ldap-attribute name="username" id="uid"/> 
 + <ldap-attribute name="fullname" id="cn"/> 
 + <ldap-attribute name="email" id="mail"/> 
 + <ldap-attribute name="_KEY" id="uid"/> 
 +</ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example// 
 +<code> 
 +<ldap refreshIntervalMinutes="60" maximumDeletionPercentage="50"> 
 + <ldap-provider 
 +url="ldap://nu2c001:389/dc=auto,dc=abc,dc=com" 
 +key="fullname" 
 +defaultRoles="true" 
 +recursiveSearch="true" 
 +searchFilter="(&(|(memberOf=CN=ABC-Stages-User, 
 +OU=Groups Development,OU=Groups,OU=XYZ,DC=auto, DC=abc, 
 +DC=com)(memberOf=CN=ABCD-Stages-W, OU=XYZ_Projekt, 
 +OU=ABC-Common,OU=Groups,OU=Nuernberg,DC=auto,DC=abc, 
 +DC=com)objectClass=person))"> 
 +<ldap-authentication 
 +type="simple" 
 +principal="cn=%,ou=ServiceAccounts,ou=Users,ou=XYZ, 
 + dc=auto,dc=abc,dc=com"/> 
 +<ldap-query-user name="abc-ldap" credentials="12345"/> 
 +<ldap-attribute name="username" id="sAMAccountName"/> 
 +<ldap-attribute name="fullname" id="cn"/> 
 +<ldap-attribute name="email" id="mail"/> 
 +<ldap-attribute name="authenticationUsername" 
 + id="distinguishedName"/> 
 + </ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example// 
 +<code> 
 + <ldap-provider ident="abc.def" 
 + url="ldap:// abc.def:389/dc=abc,dc=def" 
 +key="authenticationUsername" 
 +defaultRoles="true" 
 +recursiveSearch="true" 
 +adoptUsers="true" 
 +searchFilter="(memberOf=CN=ABC-Stages,CN=Users,DC=abc, 
 + DC=def)"> 
 + <ldap-authentication 
 +type="simple" 
 +principal="%"/> 
 +<ldap-query-user name="CN=XYZ,OU=_pkit_completed,OU=Users, 
 + OU=AB-DOMAIN,OU=Compelted,DC=abc,DC=def" 
 + credentials="12345"/> 
 +<ldap-attribute name="username" id="sAMAccountName"/> 
 +<ldap-attribute name="fullname" id="displayName"/> 
 +<ldap-attribute name="email" id="mail"/> 
 +<ldap-attribute name="authenticationUsername" 
 + id="distinguishedName"/> 
 + </ldap-provider> 
 +</ldap> 
 +</code> 
 + 
 +//Example for "ondemand" synchronization// 
 +<code> 
 +<ldap synchronize="ondemand" synchronizeCronExpression="0 */10 * * * 
 +?" maximumDeletionPercentage="90"> 
 + <ldap-provider 
 + url="ldap://abc.def:389/dc=abc,dc=def" 
 + ident="abc" 
 + key="fullname" 
 + defaultRoles="true" 
 + pageSize="0" 
 + generateDn="true" 
 + searchFilter="" 
 + ondemandFilter="(sAMAccountName=%)" 
 + recursiveSearch="true" 
 + adoptUsers="true"> 
 + <ldap-authentication 
 + type="simple" 
 + principal="%"> 
 + </ldap-authentication> 
 + <ldap-attribute name="username" id="sAMAccountName"/> 
 + <ldap-attribute name="fullname" id="cn"/> 
 + <ldap-attribute name="email" id="mail"/> 
 + <ldap-attribute name="_id" id="mail"/> 
 + </ldap-provider> 
 +</ldap> 
 +</code>
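Review bot: The searchFilter in the second added example is not a well-formed LDAP filter: `DC=com)objectClass=person))` leaves `objectClass=person` as a bare term inside the `(|...)` group instead of in its own parentheses, so it should read `DC=com))(objectClass=person))`. The third example has two further defects as shown: `url="ldap:// abc.def:389/dc=abc,dc=def"` carries a space after `ldap://`, and the block ends with `</ldap>` although no opening `<ldap ...>` element is printed, so it does not parse as given. Across the examples the bind passwords (`credentials="pass"`, `"pkit1"`, `"projk"`, `"12345"`) are written into the configuration in clear text; the surrounding prose should state that these are placeholders and that the file holding the query user's credentials needs restricted read permissions. Minor: the first example writes `defaultRoles="True"`, `recursiveSearch="True"` and `generateDn="False"` while the other examples use lowercase, which is worth making consistent unless the parser is documented as case-insensitive.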